X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fexecute.c;h=aad11c94aa4c6e883f1217c9229d9bb61e01c2be;hp=9c2006ebc77efeba283ade75fc9c93135bcd9f28;hb=099a804b11072b6be9fd32b3aa1f90b393adef98;hpb=ec8927ca5940e809f0b72f530582c76f1db4f065 diff --git a/src/core/execute.c b/src/core/execute.c index 9c2006ebc..aad11c94a 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -38,6 +38,9 @@ #include #include #include +#include +#include +#include #ifdef HAVE_PAM #include @@ -49,6 +52,7 @@ #include "capability.h" #include "util.h" #include "log.h" +#include "sd-messages.h" #include "ioprio.h" #include "securebits.h" #include "cgroup.h" @@ -60,6 +64,9 @@ #include "def.h" #include "loopback-setup.h" #include "path-util.h" +#include "syscall-list.h" +#include "env-util.h" +#include "fileio.h" #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC) @@ -159,6 +166,26 @@ void exec_context_tty_reset(const ExecContext *context) { vt_disallocate(context->tty_path); } +static bool is_terminal_output(ExecOutput o) { + return + o == EXEC_OUTPUT_TTY || + o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || + o == EXEC_OUTPUT_KMSG_AND_CONSOLE || + o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE; +} + +void exec_context_serialize(const ExecContext *context, Unit *u, FILE *f) { + assert(context); + assert(u); + assert(f); + + if (context->tmp_dir) + unit_serialize_item(u, f, "tmp-dir", context->tmp_dir); + + if (context->var_tmp_dir) + unit_serialize_item(u, f, "var-tmp-dir", context->var_tmp_dir); +} + static int open_null_as(int flags, int nfd) { int fd, r; @@ -176,9 +203,12 @@ static int open_null_as(int flags, int nfd) { return r; } -static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, int nfd) { +static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) { int fd, r; - union sockaddr_union sa; + union sockaddr_union sa = { + .un.sun_family = AF_UNIX, + .un.sun_path = "/run/systemd/journal/stdout", + }; assert(context); assert(output < _EXEC_OUTPUT_MAX); @@ -189,10 +219,6 @@ static int connect_logger_as(const ExecContext *context, ExecOutput output, cons if (fd < 0) return -errno; - zero(sa); - sa.un.sun_family = AF_UNIX; - strncpy(sa.un.sun_path, "/run/systemd/journal/stdout", sizeof(sa.un.sun_path)); - r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path)); if (r < 0) { close_nointr_nofail(fd); @@ -205,6 +231,7 @@ static int connect_logger_as(const ExecContext *context, ExecOutput output, cons } dprintf(fd, + "%s\n" "%s\n" "%i\n" "%i\n" @@ -212,11 +239,12 @@ static int connect_logger_as(const ExecContext *context, ExecOutput output, cons "%i\n" "%i\n", context->syslog_identifier ? context->syslog_identifier : ident, + unit_id, context->syslog_priority, !!context->syslog_level_prefix, output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE, output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE, - output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || output == EXEC_OUTPUT_KMSG_AND_CONSOLE || output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE); + is_terminal_output(output)); if (fd != nfd) { r = dup2(fd, nfd) < 0 ? -errno : nfd; @@ -291,7 +319,8 @@ static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty tty_path(context), i == EXEC_INPUT_TTY_FAIL, i == EXEC_INPUT_TTY_FORCE, - false)) < 0) + false, + (usec_t) -1)) < 0) return fd; if (fd != STDIN_FILENO) { @@ -311,9 +340,10 @@ static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty } } -static int setup_output(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) { +static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) { ExecOutput o; ExecInput i; + int r; assert(context); assert(ident); @@ -321,91 +351,55 @@ static int setup_output(const ExecContext *context, int socket_fd, const char *i i = fixup_input(context->std_input, socket_fd, apply_tty_stdin); o = fixup_output(context->std_output, socket_fd); - /* This expects the input is already set up */ + if (fileno == STDERR_FILENO) { + ExecOutput e; + e = fixup_output(context->std_error, socket_fd); - switch (o) { + /* This expects the input and output are already set up */ - case EXEC_OUTPUT_INHERIT: + /* Don't change the stderr file descriptor if we inherit all + * the way and are not on a tty */ + if (e == EXEC_OUTPUT_INHERIT && + o == EXEC_OUTPUT_INHERIT && + i == EXEC_INPUT_NULL && + !is_terminal_input(context->std_input) && + getppid () != 1) + return fileno; + /* Duplicate from stdout if possible */ + if (e == o || e == EXEC_OUTPUT_INHERIT) + return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno; + + o = e; + + } else if (o == EXEC_OUTPUT_INHERIT) { /* If input got downgraded, inherit the original value */ if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input)) - return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO); + return open_terminal_as(tty_path(context), O_WRONLY, fileno); /* If the input is connected to anything that's not a /dev/null, inherit that... */ if (i != EXEC_INPUT_NULL) - return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO; + return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno; /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */ if (getppid() != 1) - return STDOUT_FILENO; - - /* We need to open /dev/null here anew, to get the - * right access mode. So we fall through */ - - case EXEC_OUTPUT_NULL: - return open_null_as(O_WRONLY, STDOUT_FILENO); - - case EXEC_OUTPUT_TTY: - if (is_terminal_input(i)) - return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO; - - /* We don't reset the terminal if this is just about output */ - return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO); + return fileno; - case EXEC_OUTPUT_SYSLOG: - case EXEC_OUTPUT_SYSLOG_AND_CONSOLE: - case EXEC_OUTPUT_KMSG: - case EXEC_OUTPUT_KMSG_AND_CONSOLE: - case EXEC_OUTPUT_JOURNAL: - case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: - return connect_logger_as(context, o, ident, STDOUT_FILENO); - - case EXEC_OUTPUT_SOCKET: - assert(socket_fd >= 0); - return dup2(socket_fd, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO; - - default: - assert_not_reached("Unknown output type"); + /* We need to open /dev/null here anew, to get the right access mode. */ + return open_null_as(O_WRONLY, fileno); } -} - -static int setup_error(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) { - ExecOutput o, e; - ExecInput i; - assert(context); - assert(ident); - - i = fixup_input(context->std_input, socket_fd, apply_tty_stdin); - o = fixup_output(context->std_output, socket_fd); - e = fixup_output(context->std_error, socket_fd); - - /* This expects the input and output are already set up */ - - /* Don't change the stderr file descriptor if we inherit all - * the way and are not on a tty */ - if (e == EXEC_OUTPUT_INHERIT && - o == EXEC_OUTPUT_INHERIT && - i == EXEC_INPUT_NULL && - !is_terminal_input(context->std_input) && - getppid () != 1) - return STDERR_FILENO; - - /* Duplicate from stdout if possible */ - if (e == o || e == EXEC_OUTPUT_INHERIT) - return dup2(STDOUT_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO; - - switch (e) { + switch (o) { case EXEC_OUTPUT_NULL: - return open_null_as(O_WRONLY, STDERR_FILENO); + return open_null_as(O_WRONLY, fileno); case EXEC_OUTPUT_TTY: if (is_terminal_input(i)) - return dup2(STDIN_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO; + return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno; /* We don't reset the terminal if this is just about output */ - return open_terminal_as(tty_path(context), O_WRONLY, STDERR_FILENO); + return open_terminal_as(tty_path(context), O_WRONLY, fileno); case EXEC_OUTPUT_SYSLOG: case EXEC_OUTPUT_SYSLOG_AND_CONSOLE: @@ -413,11 +407,21 @@ static int setup_error(const ExecContext *context, int socket_fd, const char *id case EXEC_OUTPUT_KMSG_AND_CONSOLE: case EXEC_OUTPUT_JOURNAL: case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: - return connect_logger_as(context, e, ident, STDERR_FILENO); + r = connect_logger_as(context, o, ident, unit_id, fileno); + if (r < 0) { + log_struct_unit(LOG_CRIT, unit_id, + "MESSAGE=Failed to connect std%s of %s to the journal socket: %s", + fileno == STDOUT_FILENO ? "out" : "err", + unit_id, strerror(-r), + "ERRNO=%d", -r, + NULL); + r = open_null_as(O_WRONLY, fileno); + } + return r; case EXEC_OUTPUT_SOCKET: assert(socket_fd >= 0); - return dup2(socket_fd, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO; + return dup2(socket_fd, fileno) < 0 ? -errno : fileno; default: assert_not_reached("Unknown error type"); @@ -442,47 +446,45 @@ static int chown_terminal(int fd, uid_t uid) { return 0; } -static int setup_confirm_stdio(const ExecContext *context, - int *_saved_stdin, +static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) { int fd = -1, saved_stdin, saved_stdout = -1, r; - assert(context); assert(_saved_stdin); assert(_saved_stdout); - /* This returns positive EXIT_xxx return values instead of - * negative errno style values! */ - - if ((saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3)) < 0) - return EXIT_STDIN; + saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3); + if (saved_stdin < 0) + return -errno; - if ((saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3)) < 0) { - r = EXIT_STDOUT; + saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3); + if (saved_stdout < 0) { + r = errno; goto fail; } - if ((fd = acquire_terminal( - tty_path(context), - context->std_input == EXEC_INPUT_TTY_FAIL, - context->std_input == EXEC_INPUT_TTY_FORCE, - false)) < 0) { - r = EXIT_STDIN; + fd = acquire_terminal( + "/dev/console", + false, + false, + false, + DEFAULT_CONFIRM_USEC); + if (fd < 0) { + r = fd; goto fail; } - if (chown_terminal(fd, getuid()) < 0) { - r = EXIT_STDIN; + r = chown_terminal(fd, getuid()); + if (r < 0) goto fail; - } if (dup2(fd, STDIN_FILENO) < 0) { - r = EXIT_STDIN; + r = -errno; goto fail; } if (dup2(fd, STDOUT_FILENO) < 0) { - r = EXIT_STDOUT; + r = -errno; goto fail; } @@ -507,48 +509,70 @@ fail: return r; } -static int restore_confirm_stdio(const ExecContext *context, - int *saved_stdin, - int *saved_stdout, - bool *keep_stdin, - bool *keep_stdout) { +static int write_confirm_message(const char *format, ...) { + int fd; + va_list ap; - assert(context); - assert(saved_stdin); - assert(*saved_stdin >= 0); - assert(saved_stdout); - assert(*saved_stdout >= 0); + assert(format); + + fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC); + if (fd < 0) + return fd; - /* This returns positive EXIT_xxx return values instead of - * negative errno style values! */ + va_start(ap, format); + vdprintf(fd, format, ap); + va_end(ap); - if (is_terminal_input(context->std_input)) { + close_nointr_nofail(fd); - /* The service wants terminal input. */ + return 0; +} - *keep_stdin = true; - *keep_stdout = - context->std_output == EXEC_OUTPUT_INHERIT || - context->std_output == EXEC_OUTPUT_TTY; +static int restore_confirm_stdio(int *saved_stdin, + int *saved_stdout) { - } else { - /* If the service doesn't want a controlling terminal, - * then we need to get rid entirely of what we have - * already. */ + int r = 0; - if (release_terminal() < 0) - return EXIT_STDIN; + assert(saved_stdin); + assert(saved_stdout); + release_terminal(); + + if (*saved_stdin >= 0) if (dup2(*saved_stdin, STDIN_FILENO) < 0) - return EXIT_STDIN; + r = -errno; + if (*saved_stdout >= 0) if (dup2(*saved_stdout, STDOUT_FILENO) < 0) - return EXIT_STDOUT; + r = -errno; - *keep_stdout = *keep_stdin = false; - } + if (*saved_stdin >= 0) + close_nointr_nofail(*saved_stdin); - return 0; + if (*saved_stdout >= 0) + close_nointr_nofail(*saved_stdout); + + return r; +} + +static int ask_for_confirmation(char *response, char **argv) { + int saved_stdout = -1, saved_stdin = -1, r; + char *line; + + r = setup_confirm_stdio(&saved_stdin, &saved_stdout); + if (r < 0) + return r; + + line = exec_command_line(argv); + if (!line) + return -ENOMEM; + + r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line); + free(line); + + restore_confirm_stdio(&saved_stdin, &saved_stdout); + + return r; } static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) { @@ -646,9 +670,9 @@ static int enforce_user(const ExecContext *context, uid_t uid) { /* First step: If we need to keep capabilities but * drop privileges we need to make sure we keep our - * caps, whiel we drop privileges. */ + * caps, while we drop privileges. */ if (uid != 0) { - int sb = context->secure_bits|SECURE_KEEP_CAPS; + int sb = context->secure_bits | 1<> 4] & (1 << (i & 31))) + n++; + + /* Second: build the filter program from a header the syscall + * matches and the footer */ + f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer))); + memcpy(f, header, sizeof(header)); + + for (i = 0, n = 0; i < syscall_max(); i++) + if (syscall_filter[i >> 4] & (1 << (i & 31))) { + struct sock_filter item[] = { + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1), + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + }; + + assert_cc(ELEMENTSOF(item) == 2); + + f[ELEMENTSOF(header) + 2*n] = item[0]; + f[ELEMENTSOF(header) + 2*n+1] = item[1]; + + n++; + } + + memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer)); + + /* Third: install the filter */ + prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n; + prog.filter = f; + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) + return -errno; + + return 0; +} + int exec_spawn(ExecCommand *command, char **argv, - const ExecContext *context, + ExecContext *context, int fds[], unsigned n_fds, char **environment, bool apply_permissions, @@ -913,6 +989,7 @@ int exec_spawn(ExecCommand *command, CGroupBonding *cgroup_bondings, CGroupAttribute *cgroup_attributes, const char *cgroup_suffix, + const char *unit_id, int idle_pipe[2], pid_t *ret) { @@ -920,7 +997,7 @@ int exec_spawn(ExecCommand *command, int r; char *line; int socket_fd; - char **files_env = NULL; + char _cleanup_strv_free_ **files_env = NULL; assert(command); assert(context); @@ -941,43 +1018,61 @@ int exec_spawn(ExecCommand *command, } else socket_fd = -1; - if ((r = exec_context_load_environment(context, &files_env)) < 0) { - log_error("Failed to load environment files: %s", strerror(-r)); + r = exec_context_load_environment(context, &files_env); + if (r < 0) { + log_struct_unit(LOG_ERR, + unit_id, + "MESSAGE=Failed to load environment files: %s", strerror(-r), + "ERRNO=%d", -r, + NULL); return r; } if (!argv) argv = command->argv; - if (!(line = exec_command_line(argv))) { - r = -ENOMEM; - goto fail_parent; - } + line = exec_command_line(argv); + if (!line) + return log_oom(); - log_debug("About to execute: %s", line); + log_struct_unit(LOG_DEBUG, + unit_id, + "EXECUTABLE=%s", command->path, + "MESSAGE=About to execute: %s", line, + NULL); free(line); r = cgroup_bonding_realize_list(cgroup_bondings); if (r < 0) - goto fail_parent; + return r; + /* We must initialize the attributes in the parent, before we + fork, because we really need them initialized before making + the process a member of the group (which we do in both the + child and the parent), and we cannot really apply them twice + (due to 'append' style attributes) */ cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings); - if ((pid = fork()) < 0) { - r = -errno; - goto fail_parent; + if (context->private_tmp && !context->tmp_dir && !context->var_tmp_dir) { + r = setup_tmpdirs(&context->tmp_dir, &context->var_tmp_dir); + if (r < 0) + return r; } + pid = fork(); + if (pid < 0) + return -errno; + if (pid == 0) { int i, err; sigset_t ss; const char *username = NULL, *home = NULL; uid_t uid = (uid_t) -1; gid_t gid = (gid_t) -1; - char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL; + char _cleanup_strv_free_ **our_env = NULL, **pam_env = NULL, + **final_env = NULL, **final_argv = NULL; unsigned n_env = 0; - int saved_stdout = -1, saved_stdin = -1; - bool keep_stdout = false, keep_stdin = false, set_access = false; + bool set_access = false; /* child */ @@ -1047,44 +1142,24 @@ int exec_spawn(ExecCommand *command, exec_context_tty_reset(context); - /* We skip the confirmation step if we shall not apply the TTY */ - if (confirm_spawn && - (!is_terminal_input(context->std_input) || apply_tty_stdin)) { + if (confirm_spawn) { char response; - /* Set up terminal for the question */ - if ((r = setup_confirm_stdio(context, - &saved_stdin, &saved_stdout))) { - err = -errno; - goto fail_child; - } - - /* Now ask the question. */ - if (!(line = exec_command_line(argv))) { - err = -ENOMEM; - r = EXIT_MEMORY; - goto fail_child; - } - - r = ask(&response, "yns", "Execute %s? [Yes, No, Skip] ", line); - free(line); - - if (r < 0 || response == 'n') { + err = ask_for_confirmation(&response, argv); + if (err == -ETIMEDOUT) + write_confirm_message("Confirmation question timed out, assuming positive response.\n"); + else if (err < 0) + write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err)); + else if (response == 's') { + write_confirm_message("Skipping execution.\n"); err = -ECANCELED; r = EXIT_CONFIRM; goto fail_child; - } else if (response == 's') { + } else if (response == 'n') { + write_confirm_message("Failing execution.\n"); err = r = 0; goto fail_child; } - - /* Release terminal for the question */ - if ((r = restore_confirm_stdio(context, - &saved_stdin, &saved_stdout, - &keep_stdin, &keep_stdout))) { - err = -errno; - goto fail_child; - } } /* If a socket is connected to STDIN/STDOUT/STDERR, we @@ -1092,23 +1167,19 @@ int exec_spawn(ExecCommand *command, if (socket_fd >= 0) fd_nonblock(socket_fd, false); - if (!keep_stdin) { - err = setup_input(context, socket_fd, apply_tty_stdin); - if (err < 0) { - r = EXIT_STDIN; - goto fail_child; - } + err = setup_input(context, socket_fd, apply_tty_stdin); + if (err < 0) { + r = EXIT_STDIN; + goto fail_child; } - if (!keep_stdout) { - err = setup_output(context, socket_fd, path_get_file_name(command->path), apply_tty_stdin); - if (err < 0) { - r = EXIT_STDOUT; - goto fail_child; - } + err = setup_output(context, STDOUT_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin); + if (err < 0) { + r = EXIT_STDOUT; + goto fail_child; } - err = setup_error(context, socket_fd, path_get_file_name(command->path), apply_tty_stdin); + err = setup_output(context, STDERR_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin); if (err < 0) { r = EXIT_STDERR; goto fail_child; @@ -1128,23 +1199,10 @@ int exec_spawn(ExecCommand *command, snprintf(t, sizeof(t), "%i", context->oom_score_adjust); char_array_0(t); - if (write_one_line_file("/proc/self/oom_score_adj", t) < 0) { - /* Compatibility with Linux <= 2.6.35 */ - - int adj; - - adj = (context->oom_score_adjust * -OOM_DISABLE) / OOM_SCORE_ADJ_MAX; - adj = CLAMP(adj, OOM_DISABLE, OOM_ADJUST_MAX); - - snprintf(t, sizeof(t), "%i", adj); - char_array_0(t); - - if (write_one_line_file("/proc/self/oom_adj", t) < 0 - && errno != EACCES) { - err = -errno; - r = EXIT_OOM_ADJUST; - goto fail_child; - } + if (write_string_file("/proc/self/oom_score_adj", t) < 0) { + err = -errno; + r = EXIT_OOM_ADJUST; + goto fail_child; } } @@ -1156,13 +1214,16 @@ int exec_spawn(ExecCommand *command, } if (context->cpu_sched_set) { - struct sched_param param; - - zero(param); - param.sched_priority = context->cpu_sched_priority; - - if (sched_setscheduler(0, context->cpu_sched_policy | - (context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), ¶m) < 0) { + struct sched_param param = { + .sched_priority = context->cpu_sched_priority, + }; + + r = sched_setscheduler(0, + context->cpu_sched_policy | + (context->cpu_sched_reset_on_fork ? + SCHED_RESET_ON_FORK : 0), + ¶m); + if (r < 0) { err = -errno; r = EXIT_SETSCHEDULER; goto fail_child; @@ -1183,7 +1244,7 @@ int exec_spawn(ExecCommand *command, goto fail_child; } - if (context->timer_slack_nsec_set) + if (context->timer_slack_nsec != (nsec_t) -1) if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) { err = -errno; r = EXIT_TIMERSLACK; @@ -1195,7 +1256,7 @@ int exec_spawn(ExecCommand *command, if (context->user) { username = context->user; - err = get_user_creds(&username, &uid, &gid, &home); + err = get_user_creds(&username, &uid, &gid, &home, NULL); if (err < 0) { r = EXIT_USER; goto fail_child; @@ -1212,7 +1273,12 @@ int exec_spawn(ExecCommand *command, if (cgroup_bondings && context->control_group_modify) { err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid); if (err >= 0) - err = cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid, context->control_group_persistent); + err = cgroup_bonding_set_task_access_list( + cgroup_bondings, + 0644, + uid, + gid, + context->control_group_persistent); if (err < 0) { r = EXIT_CGROUP; goto fail_child; @@ -1223,7 +1289,12 @@ int exec_spawn(ExecCommand *command, } if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) { - err = cgroup_bonding_set_task_access_list(cgroup_bondings, (mode_t) -1, (uid_t) -1, (uid_t) -1, context->control_group_persistent); + err = cgroup_bonding_set_task_access_list( + cgroup_bondings, + (mode_t) -1, + (uid_t) -1, + (uid_t) -1, + context->control_group_persistent); if (err < 0) { r = EXIT_CGROUP; goto fail_child; @@ -1241,7 +1312,7 @@ int exec_spawn(ExecCommand *command, umask(context->umask); #ifdef HAVE_PAM - if (context->pam_name && username) { + if (apply_permissions && context->pam_name && username) { err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); if (err < 0) { r = EXIT_PAM; @@ -1262,11 +1333,13 @@ int exec_spawn(ExecCommand *command, if (strv_length(context->read_write_dirs) > 0 || strv_length(context->read_only_dirs) > 0 || strv_length(context->inaccessible_dirs) > 0 || - context->mount_flags != MS_SHARED || + context->mount_flags != 0 || context->private_tmp) { err = setup_namespace(context->read_write_dirs, context->read_only_dirs, context->inaccessible_dirs, + context->tmp_dir, + context->var_tmp_dir, context->private_tmp, context->mount_flags); if (err < 0) { @@ -1289,8 +1362,7 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } else { - - char *d; + char _cleanup_free_ *d = NULL; if (asprintf(&d, "%s/%s", context->root_directory ? context->root_directory : "", @@ -1302,12 +1374,9 @@ int exec_spawn(ExecCommand *command, if (chdir(d) < 0) { err = -errno; - free(d); r = EXIT_CHDIR; goto fail_child; } - - free(d); } /* We repeat the fd closing here, to make sure that @@ -1368,9 +1437,25 @@ int exec_spawn(ExecCommand *command, r = EXIT_CAPABILITIES; goto fail_child; } + + if (context->no_new_privileges) + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { + err = -errno; + r = EXIT_NO_NEW_PRIVILEGES; + goto fail_child; + } + + if (context->syscall_filter) { + err = apply_seccomp(context->syscall_filter); + if (err < 0) { + r = EXIT_SECCOMP; + goto fail_child; + } + } } - if (!(our_env = new0(char*, 7))) { + our_env = new0(char*, 7); + if (!our_env) { err = -ENOMEM; r = EXIT_MEMORY; goto fail_child; @@ -1410,20 +1495,21 @@ int exec_spawn(ExecCommand *command, assert(n_env <= 7); - if (!(final_env = strv_env_merge( - 5, - environment, - our_env, - context->environment, - files_env, - pam_env, - NULL))) { + final_env = strv_env_merge(5, + environment, + our_env, + context->environment, + files_env, + pam_env, + NULL); + if (!final_env) { err = -ENOMEM; r = EXIT_MEMORY; goto fail_child; } - if (!(final_argv = replace_env_argv(argv, final_env))) { + final_argv = replace_env_argv(argv, final_env); + if (!final_argv) { err = -ENOMEM; r = EXIT_MEMORY; goto fail_child; @@ -1431,6 +1517,20 @@ int exec_spawn(ExecCommand *command, final_env = strv_env_clean(final_env); + if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) { + line = exec_command_line(final_argv); + if (line) { + log_open(); + log_struct_unit(LOG_DEBUG, + unit_id, + "EXECUTABLE=%s", command->path, + "MESSAGE=Executing: %s", line, + NULL); + log_close(); + free(line); + line = NULL; + } + } execve(command->path, final_argv, final_env); err = -errno; r = EXIT_EXEC; @@ -1438,47 +1538,36 @@ int exec_spawn(ExecCommand *command, fail_child: if (r != 0) { log_open(); - log_warning("Failed at step %s spawning %s: %s", - exit_status_to_string(r, EXIT_STATUS_SYSTEMD), - command->path, strerror(-err)); + log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED), + "EXECUTABLE=%s", command->path, + "MESSAGE=Failed at step %s spawning %s: %s", + exit_status_to_string(r, EXIT_STATUS_SYSTEMD), + command->path, strerror(-err), + "ERRNO=%d", -err, + NULL); + log_close(); } - strv_free(our_env); - strv_free(final_env); - strv_free(pam_env); - strv_free(files_env); - strv_free(final_argv); - - if (saved_stdin >= 0) - close_nointr_nofail(saved_stdin); - - if (saved_stdout >= 0) - close_nointr_nofail(saved_stdout); - _exit(r); } - strv_free(files_env); + log_struct_unit(LOG_DEBUG, + unit_id, + "MESSAGE=Forked %s as %lu", + command->path, (unsigned long) pid, + NULL); /* We add the new process to the cgroup both in the child (so * that we can be sure that no user code is ever executed * outside of the cgroup) and in the parent (so that we can be * sure that when we kill the cgroup the process will be * killed too). */ - if (cgroup_bondings) - cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix); - - log_debug("Forked %s as %lu", command->path, (unsigned long) pid); + cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix); exec_status_start(&command->exec_status, pid); *ret = pid; return 0; - -fail_parent: - strv_free(files_env); - - return r; } void exec_context_init(ExecContext *c) { @@ -1489,14 +1578,40 @@ void exec_context_init(ExecContext *c) { c->cpu_sched_policy = SCHED_OTHER; c->syslog_priority = LOG_DAEMON|LOG_INFO; c->syslog_level_prefix = true; - c->mount_flags = MS_SHARED; - c->kill_signal = SIGTERM; - c->send_sigkill = true; c->control_group_persistent = -1; c->ignore_sigpipe = true; + c->timer_slack_nsec = (nsec_t) -1; +} + +void exec_context_tmp_dirs_done(ExecContext *c) { + char* dirs[] = {c->tmp_dir ? c->tmp_dir : c->var_tmp_dir, + c->tmp_dir ? c->var_tmp_dir : NULL, + NULL}; + char **dirp; + + for(dirp = dirs; *dirp; dirp++) { + char *dir; + int r; + + r = rm_rf_dangerous(*dirp, false, true, false); + dir = dirname(*dirp); + if (r < 0) + log_warning("Failed to remove content of temporary directory %s: %s", + dir, strerror(-r)); + else { + r = rmdir(dir); + if (r < 0) + log_warning("Failed to remove temporary directory %s: %s", + dir, strerror(-r)); + } + + free(*dirp); + } + + c->tmp_dir = c->var_tmp_dir = NULL; } -void exec_context_done(ExecContext *c) { +void exec_context_done(ExecContext *c, bool reloading_or_reexecuting) { unsigned l; assert(c); @@ -1557,6 +1672,12 @@ void exec_context_done(ExecContext *c) { free(c->utmp_id); c->utmp_id = NULL; + + free(c->syscall_filter); + c->syscall_filter = NULL; + + if (!reloading_or_reexecuting) + exec_context_tmp_dirs_done(c); } void exec_command_done(ExecCommand *c) { @@ -1606,6 +1727,8 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { int k; bool ignore = false; char **p; + glob_t _cleanup_globfree_ pglob = {}; + int count, n; fn = *i; @@ -1615,7 +1738,6 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { } if (!path_is_absolute(fn)) { - if (ignore) continue; @@ -1623,28 +1745,48 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { return -EINVAL; } - if ((k = load_env_file(fn, &p)) < 0) { + /* Filename supports globbing, take all matching files */ + errno = 0; + if (glob(fn, 0, NULL, &pglob) != 0) { + if (ignore) + continue; + strv_free(r); + return errno ? -errno : -EINVAL; + } + count = pglob.gl_pathc; + if (count == 0) { if (ignore) continue; strv_free(r); - return k; + return -EINVAL; } + for (n = 0; n < count; n++) { + k = load_env_file(pglob.gl_pathv[n], NULL, &p); + if (k < 0) { + if (ignore) + continue; - if (r == NULL) - r = p; - else { - char **m; + strv_free(r); + return k; + } + /* Log invalid environment variables with filename */ + p = strv_env_clean_log(p, pglob.gl_pathv[n]); - m = strv_env_merge(2, r, p); - strv_free(r); - strv_free(p); + if (r == NULL) + r = p; + else { + char **m; - if (!m) - return -ENOMEM; + m = strv_env_merge(2, r, p); + strv_free(r); + strv_free(p); + if (!m) + return -ENOMEM; - r = m; + r = m; + } } } @@ -1653,6 +1795,37 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { return 0; } +static bool tty_may_match_dev_console(const char *tty) { + char *active = NULL, *console; + bool b; + + if (startswith(tty, "/dev/")) + tty += 5; + + /* trivial identity? */ + if (streq(tty, "console")) + return true; + + console = resolve_dev_console(&active); + /* if we could not resolve, assume it may */ + if (!console) + return true; + + /* "tty0" means the active VC, so it may be the same sometimes */ + b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty)); + free(active); + + return b; +} + +bool exec_context_may_touch_console(ExecContext *ec) { + return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate || + is_terminal_input(ec->std_input) || + is_terminal_output(ec->std_output) || + is_terminal_output(ec->std_error)) && + tty_may_match_dev_console(tty_path(ec)); +} + static void strv_fprintf(FILE *f, char **l) { char **g; @@ -1680,7 +1853,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { "%sPrivateTmp: %s\n" "%sControlGroupModify: %s\n" "%sControlGroupPersistent: %s\n" - "%sPrivateNetwork: %s\n", + "%sPrivateNetwork: %s\n" + "%sIgnoreSIGPIPE: %s\n", prefix, c->umask, prefix, c->working_directory ? c->working_directory : "/", prefix, c->root_directory ? c->root_directory : "/", @@ -1688,7 +1862,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { prefix, yes_no(c->private_tmp), prefix, yes_no(c->control_group_modify), prefix, yes_no(c->control_group_persistent), - prefix, yes_no(c->private_network)); + prefix, yes_no(c->private_network), + prefix, yes_no(c->ignore_sigpipe)); STRV_FOREACH(e, c->environment) fprintf(f, "%sEnvironment: %s\n", prefix, *e); @@ -1715,21 +1890,37 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { if (c->rlimit[i]) fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max); - if (c->ioprio_set) + if (c->ioprio_set) { + char *class_str; + int r; + + r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str); + if (r < 0) + class_str = NULL; fprintf(f, "%sIOSchedulingClass: %s\n" "%sIOPriority: %i\n", - prefix, ioprio_class_to_string(IOPRIO_PRIO_CLASS(c->ioprio)), + prefix, strna(class_str), prefix, (int) IOPRIO_PRIO_DATA(c->ioprio)); + free(class_str); + } - if (c->cpu_sched_set) + if (c->cpu_sched_set) { + char *policy_str; + int r; + + r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str); + if (r < 0) + policy_str = NULL; fprintf(f, "%sCPUSchedulingPolicy: %s\n" "%sCPUSchedulingPriority: %i\n" "%sCPUSchedulingResetOnFork: %s\n", - prefix, sched_policy_to_string(c->cpu_sched_policy), + prefix, strna(policy_str), prefix, c->cpu_sched_priority, prefix, yes_no(c->cpu_sched_reset_on_fork)); + free(policy_str); + } if (c->cpuset) { fprintf(f, "%sCPUAffinity:", prefix); @@ -1739,8 +1930,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fputs("\n", f); } - if (c->timer_slack_nsec_set) - fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, c->timer_slack_nsec); + if (c->timer_slack_nsec != (nsec_t) -1) + fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, (unsigned long)c->timer_slack_nsec); fprintf(f, "%sStandardInput: %s\n" @@ -1764,12 +1955,26 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL || c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE || c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL || - c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) + c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) { + char *fac_str, *lvl_str; + int r; + + r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str); + if (r < 0) + fac_str = NULL; + + r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str); + if (r < 0) + lvl_str = NULL; + fprintf(f, "%sSyslogFacility: %s\n" "%sSyslogLevel: %s\n", - prefix, log_facility_unshifted_to_string(c->syslog_priority >> 3), - prefix, log_level_to_string(LOG_PRI(c->syslog_priority))); + prefix, strna(fac_str), + prefix, strna(lvl_str)); + free(lvl_str); + free(fac_str); + } if (c->capabilities) { char *t; @@ -1783,12 +1988,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { if (c->secure_bits) fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n", prefix, - (c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "", - (c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "", - (c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "", - (c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "", - (c->secure_bits & SECURE_NOROOT) ? " noroot" : "", - (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); + (c->secure_bits & 1<secure_bits & 1<secure_bits & 1<secure_bits & 1<secure_bits & 1<secure_bits & 1<capability_bounding_set_drop) { unsigned long l; @@ -1839,16 +2044,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fputs("\n", f); } - fprintf(f, - "%sKillMode: %s\n" - "%sKillSignal: SIG%s\n" - "%sSendSIGKILL: %s\n" - "%sIgnoreSIGPIPE: %s\n", - prefix, kill_mode_to_string(c->kill_mode), - prefix, signal_to_string(c->kill_signal), - prefix, yes_no(c->send_sigkill), - prefix, yes_no(c->ignore_sigpipe)); - if (c->utmp_id) fprintf(f, "%sUtmpIdentifier: %s\n", @@ -2056,19 +2251,3 @@ static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = { }; DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput); - -static const char* const kill_mode_table[_KILL_MODE_MAX] = { - [KILL_CONTROL_GROUP] = "control-group", - [KILL_PROCESS] = "process", - [KILL_NONE] = "none" -}; - -DEFINE_STRING_TABLE_LOOKUP(kill_mode, KillMode); - -static const char* const kill_who_table[_KILL_WHO_MAX] = { - [KILL_MAIN] = "main", - [KILL_CONTROL] = "control", - [KILL_ALL] = "all" -}; - -DEFINE_STRING_TABLE_LOOKUP(kill_who, KillWho);