1
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4
This file is part of systemd.
6
Copyright 2010 Lennart Poettering
8
systemd is free software; you can redistribute it and/or modify it
9
under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 2 of the License, or
11
(at your option) any later version.
13
systemd is distributed in the hope that it will be useful, but
14
WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16
General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with systemd; If not, see <http://www.gnu.org/licenses/>.
29
#include <sys/socket.h>
31
#include <sys/prctl.h>
32
#include <linux/sched.h>
33
#include <sys/types.h>
37
#include <sys/mount.h>
39
#include <linux/oom.h>
42
#include <security/pam_appl.h>
51
#include "securebits.h"
53
#include "namespace.h"
55
#include "exit-status.h"
57
#include "utmp-wtmp.h"
59
#include "loopback-setup.h"
61
/* This assumes there is a 'tty' group */
64
static int shift_fds(int fds[], unsigned n_fds) {
65
int start, restart_from;
70
/* Modifies the fds array! (sorts it) */
80
for (i = start; i < (int) n_fds; i++) {
83
/* Already at right index? */
87
if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
90
close_nointr_nofail(fds[i]);
93
/* Hmm, the fd we wanted isn't free? Then
94
* let's remember that and try again from here*/
95
if (nfd != i+3 && restart_from < 0)
102
start = restart_from;
108
static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
117
/* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
119
for (i = 0; i < n_fds; i++) {
121
if ((r = fd_nonblock(fds[i], nonblock)) < 0)
124
/* We unconditionally drop FD_CLOEXEC from the fds,
125
* since after all we want to pass these fds to our
128
if ((r = fd_cloexec(fds[i], false)) < 0)
135
static const char *tty_path(const ExecContext *context) {
138
if (context->tty_path)
139
return context->tty_path;
141
return "/dev/console";
144
void exec_context_tty_reset(const ExecContext *context) {
147
if (context->tty_vhangup)
148
terminal_vhangup(tty_path(context));
150
if (context->tty_reset)
151
reset_terminal(tty_path(context));
153
if (context->tty_vt_disallocate && context->tty_path)
154
vt_disallocate(context->tty_path);
157
static int open_null_as(int flags, int nfd) {
162
if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
166
r = dup2(fd, nfd) < 0 ? -errno : nfd;
167
close_nointr_nofail(fd);
174
static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, int nfd) {
176
union sockaddr_union sa;
179
assert(output < _EXEC_OUTPUT_MAX);
183
fd = socket(AF_UNIX, SOCK_STREAM, 0);
188
sa.un.sun_family = AF_UNIX;
189
strncpy(sa.un.sun_path, "/run/systemd/journal/stdout", sizeof(sa.un.sun_path));
191
r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
193
close_nointr_nofail(fd);
197
if (shutdown(fd, SHUT_RD) < 0) {
198
close_nointr_nofail(fd);
209
context->syslog_identifier ? context->syslog_identifier : ident,
210
context->syslog_priority,
211
!!context->syslog_level_prefix,
212
output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
213
output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
214
output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || output == EXEC_OUTPUT_KMSG_AND_CONSOLE || output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
217
r = dup2(fd, nfd) < 0 ? -errno : nfd;
218
close_nointr_nofail(fd);
224
static int open_terminal_as(const char *path, mode_t mode, int nfd) {
230
if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
234
r = dup2(fd, nfd) < 0 ? -errno : nfd;
235
close_nointr_nofail(fd);
242
static bool is_terminal_input(ExecInput i) {
244
i == EXEC_INPUT_TTY ||
245
i == EXEC_INPUT_TTY_FORCE ||
246
i == EXEC_INPUT_TTY_FAIL;
249
static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
251
if (is_terminal_input(std_input) && !apply_tty_stdin)
252
return EXEC_INPUT_NULL;
254
if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
255
return EXEC_INPUT_NULL;
260
static int fixup_output(ExecOutput std_output, int socket_fd) {
262
if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
263
return EXEC_OUTPUT_INHERIT;
268
static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
273
i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
277
case EXEC_INPUT_NULL:
278
return open_null_as(O_RDONLY, STDIN_FILENO);
281
case EXEC_INPUT_TTY_FORCE:
282
case EXEC_INPUT_TTY_FAIL: {
285
if ((fd = acquire_terminal(
287
i == EXEC_INPUT_TTY_FAIL,
288
i == EXEC_INPUT_TTY_FORCE,
292
if (fd != STDIN_FILENO) {
293
r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
294
close_nointr_nofail(fd);
301
case EXEC_INPUT_SOCKET:
302
return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
305
assert_not_reached("Unknown input type");
309
static int setup_output(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) {
316
i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
317
o = fixup_output(context->std_output, socket_fd);
319
/* This expects the input is already set up */
323
case EXEC_OUTPUT_INHERIT:
325
/* If input got downgraded, inherit the original value */
326
if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
327
return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO);
329
/* If the input is connected to anything that's not a /dev/null, inherit that... */
330
if (i != EXEC_INPUT_NULL)
331
return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
333
/* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
335
return STDOUT_FILENO;
337
/* We need to open /dev/null here anew, to get the
338
* right access mode. So we fall through */
340
case EXEC_OUTPUT_NULL:
341
return open_null_as(O_WRONLY, STDOUT_FILENO);
343
case EXEC_OUTPUT_TTY:
344
if (is_terminal_input(i))
345
return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
347
/* We don't reset the terminal if this is just about output */
348
return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO);
350
case EXEC_OUTPUT_SYSLOG:
351
case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
352
case EXEC_OUTPUT_KMSG:
353
case EXEC_OUTPUT_KMSG_AND_CONSOLE:
354
case EXEC_OUTPUT_JOURNAL:
355
case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
356
return connect_logger_as(context, o, ident, STDOUT_FILENO);
358
case EXEC_OUTPUT_SOCKET:
359
assert(socket_fd >= 0);
360
return dup2(socket_fd, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
363
assert_not_reached("Unknown output type");
367
static int setup_error(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) {
374
i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
375
o = fixup_output(context->std_output, socket_fd);
376
e = fixup_output(context->std_error, socket_fd);
378
/* This expects the input and output are already set up */
380
/* Don't change the stderr file descriptor if we inherit all
381
* the way and are not on a tty */
382
if (e == EXEC_OUTPUT_INHERIT &&
383
o == EXEC_OUTPUT_INHERIT &&
384
i == EXEC_INPUT_NULL &&
385
!is_terminal_input(context->std_input) &&
387
return STDERR_FILENO;
389
/* Duplicate from stdout if possible */
390
if (e == o || e == EXEC_OUTPUT_INHERIT)
391
return dup2(STDOUT_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
395
case EXEC_OUTPUT_NULL:
396
return open_null_as(O_WRONLY, STDERR_FILENO);
398
case EXEC_OUTPUT_TTY:
399
if (is_terminal_input(i))
400
return dup2(STDIN_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
402
/* We don't reset the terminal if this is just about output */
403
return open_terminal_as(tty_path(context), O_WRONLY, STDERR_FILENO);
405
case EXEC_OUTPUT_SYSLOG:
406
case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
407
case EXEC_OUTPUT_KMSG:
408
case EXEC_OUTPUT_KMSG_AND_CONSOLE:
409
case EXEC_OUTPUT_JOURNAL:
410
case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
411
return connect_logger_as(context, e, ident, STDERR_FILENO);
413
case EXEC_OUTPUT_SOCKET:
414
assert(socket_fd >= 0);
415
return dup2(socket_fd, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
418
assert_not_reached("Unknown error type");
422
static int chown_terminal(int fd, uid_t uid) {
427
/* This might fail. What matters are the results. */
428
(void) fchown(fd, uid, -1);
429
(void) fchmod(fd, TTY_MODE);
431
if (fstat(fd, &st) < 0)
434
if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
440
static int setup_confirm_stdio(const ExecContext *context,
442
int *_saved_stdout) {
443
int fd = -1, saved_stdin, saved_stdout = -1, r;
446
assert(_saved_stdin);
447
assert(_saved_stdout);
449
/* This returns positive EXIT_xxx return values instead of
450
* negative errno style values! */
452
if ((saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3)) < 0)
455
if ((saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3)) < 0) {
460
if ((fd = acquire_terminal(
462
context->std_input == EXEC_INPUT_TTY_FAIL,
463
context->std_input == EXEC_INPUT_TTY_FORCE,
469
if (chown_terminal(fd, getuid()) < 0) {
474
if (dup2(fd, STDIN_FILENO) < 0) {
479
if (dup2(fd, STDOUT_FILENO) < 0) {
485
close_nointr_nofail(fd);
487
*_saved_stdin = saved_stdin;
488
*_saved_stdout = saved_stdout;
493
if (saved_stdout >= 0)
494
close_nointr_nofail(saved_stdout);
496
if (saved_stdin >= 0)
497
close_nointr_nofail(saved_stdin);
500
close_nointr_nofail(fd);
505
static int restore_confirm_stdio(const ExecContext *context,
513
assert(*saved_stdin >= 0);
514
assert(saved_stdout);
515
assert(*saved_stdout >= 0);
517
/* This returns positive EXIT_xxx return values instead of
518
* negative errno style values! */
520
if (is_terminal_input(context->std_input)) {
522
/* The service wants terminal input. */
526
context->std_output == EXEC_OUTPUT_INHERIT ||
527
context->std_output == EXEC_OUTPUT_TTY;
530
/* If the service doesn't want a controlling terminal,
531
* then we need to get rid entirely of what we have
534
if (release_terminal() < 0)
537
if (dup2(*saved_stdin, STDIN_FILENO) < 0)
540
if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
543
*keep_stdout = *keep_stdin = false;
549
static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
550
bool keep_groups = false;
555
/* Lookup and set GID and supplementary group list. Here too
556
* we avoid NSS lookups for gid=0. */
558
if (context->group || username) {
560
if (context->group) {
561
const char *g = context->group;
563
if ((r = get_group_creds(&g, &gid)) < 0)
567
/* First step, initialize groups from /etc/groups */
568
if (username && gid != 0) {
569
if (initgroups(username, gid) < 0)
575
/* Second step, set our gids */
576
if (setresgid(gid, gid, gid) < 0)
580
if (context->supplementary_groups) {
585
/* Final step, initialize any manually set supplementary groups */
586
assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
588
if (!(gids = new(gid_t, ngroups_max)))
592
if ((k = getgroups(ngroups_max, gids)) < 0) {
599
STRV_FOREACH(i, context->supplementary_groups) {
602
if (k >= ngroups_max) {
608
r = get_group_creds(&g, gids+k);
617
if (setgroups(k, gids) < 0) {
628
static int enforce_user(const ExecContext *context, uid_t uid) {
632
/* Sets (but doesn't lookup) the uid and make sure we keep the
633
* capabilities while doing so. */
635
if (context->capabilities) {
637
static const cap_value_t bits[] = {
638
CAP_SETUID, /* Necessary so that we can run setresuid() below */
639
CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
642
/* First step: If we need to keep capabilities but
643
* drop privileges we need to make sure we keep our
644
* caps, whiel we drop privileges. */
646
int sb = context->secure_bits|SECURE_KEEP_CAPS;
648
if (prctl(PR_GET_SECUREBITS) != sb)
649
if (prctl(PR_SET_SECUREBITS, sb) < 0)
653
/* Second step: set the capabilities. This will reduce
654
* the capabilities to the minimum we need. */
656
if (!(d = cap_dup(context->capabilities)))
659
if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
660
cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
666
if (cap_set_proc(d) < 0) {
675
/* Third step: actually set the uids */
676
if (setresuid(uid, uid, uid) < 0)
679
/* At this point we should have all necessary capabilities but
680
are otherwise a normal user. However, the caps might got
681
corrupted due to the setresuid() so we need clean them up
682
later. This is done outside of this call. */
689
static int null_conv(
691
const struct pam_message **msg,
692
struct pam_response **resp,
695
/* We don't support conversations */
700
static int setup_pam(
705
int fds[], unsigned n_fds) {
707
static const struct pam_conv conv = {
712
pam_handle_t *handle = NULL;
714
int pam_code = PAM_SUCCESS;
717
bool close_session = false;
718
pid_t pam_pid = 0, parent_pid;
724
/* We set up PAM in the parent process, then fork. The child
725
* will then stay around until killed via PR_GET_PDEATHSIG or
726
* systemd via the cgroup logic. It will then remove the PAM
727
* session again. The parent process will exec() the actual
728
* daemon. We do things this way to ensure that the main PID
729
* of the daemon is the one we initially fork()ed. */
731
if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
737
if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
740
if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
743
if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
746
close_session = true;
748
if ((!(e = pam_getenvlist(handle)))) {
749
pam_code = PAM_BUF_ERR;
753
/* Block SIGTERM, so that we know that it won't get lost in
755
if (sigemptyset(&ss) < 0 ||
756
sigaddset(&ss, SIGTERM) < 0 ||
757
sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
760
parent_pid = getpid();
762
if ((pam_pid = fork()) < 0)
769
/* The child's job is to reset the PAM session on
772
/* This string must fit in 10 chars (i.e. the length
773
* of "/sbin/init"), to look pretty in /bin/ps */
774
rename_process("(sd-pam)");
776
/* Make sure we don't keep open the passed fds in this
777
child. We assume that otherwise only those fds are
778
open here that have been opened by PAM. */
779
close_many(fds, n_fds);
781
/* Wait until our parent died. This will most likely
782
* not work since the kernel does not allow
783
* unprivileged parents kill their privileged children
784
* this way. We rely on the control groups kill logic
785
* to do the rest for us. */
786
if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
789
/* Check if our parent process might already have
791
if (getppid() == parent_pid) {
793
if (sigwait(&ss, &sig) < 0) {
800
assert(sig == SIGTERM);
805
/* If our parent died we'll end the session */
806
if (getppid() != parent_pid)
807
if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
813
pam_end(handle, pam_code | PAM_DATA_SILENT);
817
/* If the child was forked off successfully it will do all the
818
* cleanups, so forget about the handle here. */
821
/* Unblock SIGTERM again in the parent */
822
if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
825
/* We close the log explicitly here, since the PAM modules
826
* might have opened it, but we don't want this fd around. */
835
if (pam_code != PAM_SUCCESS)
836
err = -EPERM; /* PAM errors do not map to errno */
842
pam_code = pam_close_session(handle, PAM_DATA_SILENT);
844
pam_end(handle, pam_code | PAM_DATA_SILENT);
852
kill(pam_pid, SIGTERM);
853
kill(pam_pid, SIGCONT);
860
static int do_capability_bounding_set_drop(uint64_t drop) {
862
cap_t old_cap = NULL, new_cap = NULL;
866
/* If we are run as PID 1 we will lack CAP_SETPCAP by default
867
* in the effective set (yes, the kernel drops that when
868
* executing init!), so get it back temporarily so that we can
869
* call PR_CAPBSET_DROP. */
871
old_cap = cap_get_proc();
875
if (cap_get_flag(old_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) {
881
static const cap_value_t v = CAP_SETPCAP;
883
new_cap = cap_dup(old_cap);
889
if (cap_set_flag(new_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0) {
894
if (cap_set_proc(new_cap) < 0) {
900
for (i = 0; i <= cap_last_cap(); i++)
901
if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
902
if (prctl(PR_CAPBSET_DROP, i) < 0) {
915
cap_set_proc(old_cap);
922
static void rename_process_from_path(const char *path) {
923
char process_name[11];
927
/* This resulting string must fit in 10 chars (i.e. the length
928
* of "/sbin/init") to look pretty in /bin/ps */
930
p = file_name_from_path(path);
932
rename_process("(...)");
938
/* The end of the process name is usually more
939
* interesting, since the first bit might just be
945
process_name[0] = '(';
946
memcpy(process_name+1, p, l);
947
process_name[1+l] = ')';
948
process_name[1+l+1] = 0;
950
rename_process(process_name);
953
int exec_spawn(ExecCommand *command,
955
const ExecContext *context,
956
int fds[], unsigned n_fds,
958
bool apply_permissions,
960
bool apply_tty_stdin,
962
CGroupBonding *cgroup_bondings,
963
CGroupAttribute *cgroup_attributes,
970
char **files_env = NULL;
975
assert(fds || n_fds <= 0);
977
if (context->std_input == EXEC_INPUT_SOCKET ||
978
context->std_output == EXEC_OUTPUT_SOCKET ||
979
context->std_error == EXEC_OUTPUT_SOCKET) {
991
if ((r = exec_context_load_environment(context, &files_env)) < 0) {
992
log_error("Failed to load environment files: %s", strerror(-r));
997
argv = command->argv;
999
if (!(line = exec_command_line(argv))) {
1004
log_debug("About to execute: %s", line);
1007
r = cgroup_bonding_realize_list(cgroup_bondings);
1011
cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings);
1013
if ((pid = fork()) < 0) {
1021
const char *username = NULL, *home = NULL;
1022
uid_t uid = (uid_t) -1;
1023
gid_t gid = (gid_t) -1;
1024
char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1026
int saved_stdout = -1, saved_stdin = -1;
1027
bool keep_stdout = false, keep_stdin = false, set_access = false;
1031
rename_process_from_path(command->path);
1033
/* We reset exactly these signals, since they are the
1034
* only ones we set to SIG_IGN in the main daemon. All
1035
* others we leave untouched because we set them to
1036
* SIG_DFL or a valid handler initially, both of which
1037
* will be demoted to SIG_DFL. */
1038
default_signals(SIGNALS_CRASH_HANDLER,
1039
SIGNALS_IGNORE, -1);
1041
if (context->ignore_sigpipe)
1042
ignore_signals(SIGPIPE, -1);
1044
assert_se(sigemptyset(&ss) == 0);
1045
if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1047
r = EXIT_SIGNAL_MASK;
1051
/* Close sockets very early to make sure we don't
1052
* block init reexecution because it cannot bind its
1055
err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1056
socket_fd >= 0 ? 1 : n_fds);
1062
if (!context->same_pgrp)
1069
if (context->tcpwrap_name) {
1071
if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1077
for (i = 0; i < (int) n_fds; i++) {
1078
if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1086
exec_context_tty_reset(context);
1088
/* We skip the confirmation step if we shall not apply the TTY */
1089
if (confirm_spawn &&
1090
(!is_terminal_input(context->std_input) || apply_tty_stdin)) {
1093
/* Set up terminal for the question */
1094
if ((r = setup_confirm_stdio(context,
1095
&saved_stdin, &saved_stdout))) {
1100
/* Now ask the question. */
1101
if (!(line = exec_command_line(argv))) {
1107
r = ask(&response, "yns", "Execute %s? [Yes, No, Skip] ", line);
1110
if (r < 0 || response == 'n') {
1114
} else if (response == 's') {
1119
/* Release terminal for the question */
1120
if ((r = restore_confirm_stdio(context,
1121
&saved_stdin, &saved_stdout,
1122
&keep_stdin, &keep_stdout))) {
1128
/* If a socket is connected to STDIN/STDOUT/STDERR, we
1129
* must sure to drop O_NONBLOCK */
1131
fd_nonblock(socket_fd, false);
1134
err = setup_input(context, socket_fd, apply_tty_stdin);
1142
err = setup_output(context, socket_fd, file_name_from_path(command->path), apply_tty_stdin);
1149
err = setup_error(context, socket_fd, file_name_from_path(command->path), apply_tty_stdin);
1155
if (cgroup_bondings) {
1156
err = cgroup_bonding_install_list(cgroup_bondings, 0);
1163
if (context->oom_score_adjust_set) {
1166
snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1169
if (write_one_line_file("/proc/self/oom_score_adj", t) < 0) {
1170
/* Compatibility with Linux <= 2.6.35 */
1174
adj = (context->oom_score_adjust * -OOM_DISABLE) / OOM_SCORE_ADJ_MAX;
1175
adj = CLAMP(adj, OOM_DISABLE, OOM_ADJUST_MAX);
1177
snprintf(t, sizeof(t), "%i", adj);
1180
if (write_one_line_file("/proc/self/oom_adj", t) < 0
1181
&& errno != EACCES) {
1183
r = EXIT_OOM_ADJUST;
1189
if (context->nice_set)
1190
if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1196
if (context->cpu_sched_set) {
1197
struct sched_param param;
1200
param.sched_priority = context->cpu_sched_priority;
1202
if (sched_setscheduler(0, context->cpu_sched_policy |
1203
(context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), ¶m) < 0) {
1205
r = EXIT_SETSCHEDULER;
1210
if (context->cpuset)
1211
if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1213
r = EXIT_CPUAFFINITY;
1217
if (context->ioprio_set)
1218
if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1224
if (context->timer_slack_nsec_set)
1225
if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1227
r = EXIT_TIMERSLACK;
1231
if (context->utmp_id)
1232
utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1234
if (context->user) {
1235
username = context->user;
1236
err = get_user_creds(&username, &uid, &gid, &home);
1242
if (is_terminal_input(context->std_input)) {
1243
err = chown_terminal(STDIN_FILENO, uid);
1250
if (cgroup_bondings && context->control_group_modify) {
1251
err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid);
1253
err = cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid, context->control_group_persistent);
1263
if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) {
1264
err = cgroup_bonding_set_task_access_list(cgroup_bondings, (mode_t) -1, (uid_t) -1, (uid_t) -1, context->control_group_persistent);
1271
if (apply_permissions) {
1272
err = enforce_groups(context, username, gid);
1279
umask(context->umask);
1282
if (context->pam_name && username) {
1283
err = setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds);
1290
if (context->private_network) {
1291
if (unshare(CLONE_NEWNET) < 0) {
1300
if (strv_length(context->read_write_dirs) > 0 ||
1301
strv_length(context->read_only_dirs) > 0 ||
1302
strv_length(context->inaccessible_dirs) > 0 ||
1303
context->mount_flags != MS_SHARED ||
1304
context->private_tmp) {
1305
err = setup_namespace(context->read_write_dirs,
1306
context->read_only_dirs,
1307
context->inaccessible_dirs,
1308
context->private_tmp,
1309
context->mount_flags);
1317
if (context->root_directory)
1318
if (chroot(context->root_directory) < 0) {
1324
if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1333
if (asprintf(&d, "%s/%s",
1334
context->root_directory ? context->root_directory : "",
1335
context->working_directory ? context->working_directory : "") < 0) {
1351
/* We repeat the fd closing here, to make sure that
1352
* nothing is leaked from the PAM modules */
1353
err = close_all_fds(fds, n_fds);
1355
err = shift_fds(fds, n_fds);
1357
err = flags_fds(fds, n_fds, context->non_blocking);
1363
if (apply_permissions) {
1365
for (i = 0; i < RLIMIT_NLIMITS; i++) {
1366
if (!context->rlimit[i])
1369
if (setrlimit(i, context->rlimit[i]) < 0) {
1376
if (context->capability_bounding_set_drop) {
1377
err = do_capability_bounding_set_drop(context->capability_bounding_set_drop);
1379
r = EXIT_CAPABILITIES;
1384
if (context->user) {
1385
err = enforce_user(context, uid);
1392
/* PR_GET_SECUREBITS is not privileged, while
1393
* PR_SET_SECUREBITS is. So to suppress
1394
* potential EPERMs we'll try not to call
1395
* PR_SET_SECUREBITS unless necessary. */
1396
if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1397
if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1399
r = EXIT_SECUREBITS;
1403
if (context->capabilities)
1404
if (cap_set_proc(context->capabilities) < 0) {
1406
r = EXIT_CAPABILITIES;
1411
if (!(our_env = new0(char*, 7))) {
1418
if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1419
asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1426
if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1433
if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1434
asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1440
if (is_terminal_input(context->std_input) ||
1441
context->std_output == EXEC_OUTPUT_TTY ||
1442
context->std_error == EXEC_OUTPUT_TTY)
1443
if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1451
if (!(final_env = strv_env_merge(
1455
context->environment,
1464
if (!(final_argv = replace_env_argv(argv, final_env))) {
1470
final_env = strv_env_clean(final_env);
1472
execve(command->path, final_argv, final_env);
1479
log_warning("Failed at step %s spawning %s: %s",
1480
exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1481
command->path, strerror(-err));
1485
strv_free(final_env);
1487
strv_free(files_env);
1488
strv_free(final_argv);
1490
if (saved_stdin >= 0)
1491
close_nointr_nofail(saved_stdin);
1493
if (saved_stdout >= 0)
1494
close_nointr_nofail(saved_stdout);
1499
strv_free(files_env);
1501
/* We add the new process to the cgroup both in the child (so
1502
* that we can be sure that no user code is ever executed
1503
* outside of the cgroup) and in the parent (so that we can be
1504
* sure that when we kill the cgroup the process will be
1506
if (cgroup_bondings)
1507
cgroup_bonding_install_list(cgroup_bondings, pid);
1509
log_debug("Forked %s as %lu", command->path, (unsigned long) pid);
1511
exec_status_start(&command->exec_status, pid);
1517
strv_free(files_env);
1522
void exec_context_init(ExecContext *c) {
1526
c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1527
c->cpu_sched_policy = SCHED_OTHER;
1528
c->syslog_priority = LOG_DAEMON|LOG_INFO;
1529
c->syslog_level_prefix = true;
1530
c->mount_flags = MS_SHARED;
1531
c->kill_signal = SIGTERM;
1532
c->send_sigkill = true;
1533
c->control_group_persistent = -1;
1534
c->ignore_sigpipe = true;
1537
void exec_context_done(ExecContext *c) {
1542
strv_free(c->environment);
1543
c->environment = NULL;
1545
strv_free(c->environment_files);
1546
c->environment_files = NULL;
1548
for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1550
c->rlimit[l] = NULL;
1553
free(c->working_directory);
1554
c->working_directory = NULL;
1555
free(c->root_directory);
1556
c->root_directory = NULL;
1561
free(c->tcpwrap_name);
1562
c->tcpwrap_name = NULL;
1564
free(c->syslog_identifier);
1565
c->syslog_identifier = NULL;
1573
strv_free(c->supplementary_groups);
1574
c->supplementary_groups = NULL;
1579
if (c->capabilities) {
1580
cap_free(c->capabilities);
1581
c->capabilities = NULL;
1584
strv_free(c->read_only_dirs);
1585
c->read_only_dirs = NULL;
1587
strv_free(c->read_write_dirs);
1588
c->read_write_dirs = NULL;
1590
strv_free(c->inaccessible_dirs);
1591
c->inaccessible_dirs = NULL;
1594
CPU_FREE(c->cpuset);
1600
void exec_command_done(ExecCommand *c) {
1610
void exec_command_done_array(ExecCommand *c, unsigned n) {
1613
for (i = 0; i < n; i++)
1614
exec_command_done(c+i);
1617
void exec_command_free_list(ExecCommand *c) {
1621
LIST_REMOVE(ExecCommand, command, c, i);
1622
exec_command_done(i);
1627
void exec_command_free_array(ExecCommand **c, unsigned n) {
1630
for (i = 0; i < n; i++) {
1631
exec_command_free_list(c[i]);
1636
int exec_context_load_environment(const ExecContext *c, char ***l) {
1637
char **i, **r = NULL;
1642
STRV_FOREACH(i, c->environment_files) {
1645
bool ignore = false;
1655
if (!path_is_absolute(fn)) {
1664
if ((k = load_env_file(fn, &p)) < 0) {
1678
m = strv_env_merge(2, r, p);
1694
static void strv_fprintf(FILE *f, char **l) {
1700
fprintf(f, " %s", *g);
1703
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1715
"%sWorkingDirectory: %s\n"
1716
"%sRootDirectory: %s\n"
1717
"%sNonBlocking: %s\n"
1718
"%sPrivateTmp: %s\n"
1719
"%sControlGroupModify: %s\n"
1720
"%sControlGroupPersistent: %s\n"
1721
"%sPrivateNetwork: %s\n",
1723
prefix, c->working_directory ? c->working_directory : "/",
1724
prefix, c->root_directory ? c->root_directory : "/",
1725
prefix, yes_no(c->non_blocking),
1726
prefix, yes_no(c->private_tmp),
1727
prefix, yes_no(c->control_group_modify),
1728
prefix, yes_no(c->control_group_persistent),
1729
prefix, yes_no(c->private_network));
1731
STRV_FOREACH(e, c->environment)
1732
fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1734
STRV_FOREACH(e, c->environment_files)
1735
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1737
if (c->tcpwrap_name)
1739
"%sTCPWrapName: %s\n",
1740
prefix, c->tcpwrap_name);
1747
if (c->oom_score_adjust_set)
1749
"%sOOMScoreAdjust: %i\n",
1750
prefix, c->oom_score_adjust);
1752
for (i = 0; i < RLIM_NLIMITS; i++)
1754
fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1758
"%sIOSchedulingClass: %s\n"
1759
"%sIOPriority: %i\n",
1760
prefix, ioprio_class_to_string(IOPRIO_PRIO_CLASS(c->ioprio)),
1761
prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1763
if (c->cpu_sched_set)
1765
"%sCPUSchedulingPolicy: %s\n"
1766
"%sCPUSchedulingPriority: %i\n"
1767
"%sCPUSchedulingResetOnFork: %s\n",
1768
prefix, sched_policy_to_string(c->cpu_sched_policy),
1769
prefix, c->cpu_sched_priority,
1770
prefix, yes_no(c->cpu_sched_reset_on_fork));
1773
fprintf(f, "%sCPUAffinity:", prefix);
1774
for (i = 0; i < c->cpuset_ncpus; i++)
1775
if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1776
fprintf(f, " %i", i);
1780
if (c->timer_slack_nsec_set)
1781
fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, c->timer_slack_nsec);
1784
"%sStandardInput: %s\n"
1785
"%sStandardOutput: %s\n"
1786
"%sStandardError: %s\n",
1787
prefix, exec_input_to_string(c->std_input),
1788
prefix, exec_output_to_string(c->std_output),
1789
prefix, exec_output_to_string(c->std_error));
1795
"%sTTYVHangup: %s\n"
1796
"%sTTYVTDisallocate: %s\n",
1797
prefix, c->tty_path,
1798
prefix, yes_no(c->tty_reset),
1799
prefix, yes_no(c->tty_vhangup),
1800
prefix, yes_no(c->tty_vt_disallocate));
1802
if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1803
c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1804
c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1805
c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE)
1807
"%sSyslogFacility: %s\n"
1808
"%sSyslogLevel: %s\n",
1809
prefix, log_facility_unshifted_to_string(c->syslog_priority >> 3),
1810
prefix, log_level_to_string(LOG_PRI(c->syslog_priority)));
1812
if (c->capabilities) {
1814
if ((t = cap_to_text(c->capabilities, NULL))) {
1815
fprintf(f, "%sCapabilities: %s\n",
1822
fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1824
(c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "",
1825
(c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1826
(c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1827
(c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1828
(c->secure_bits & SECURE_NOROOT) ? " noroot" : "",
1829
(c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1831
if (c->capability_bounding_set_drop) {
1833
fprintf(f, "%sCapabilityBoundingSet:", prefix);
1835
for (l = 0; l <= cap_last_cap(); l++)
1836
if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
1839
if ((t = cap_to_name(l))) {
1840
fprintf(f, " %s", t);
1849
fprintf(f, "%sUser: %s\n", prefix, c->user);
1851
fprintf(f, "%sGroup: %s\n", prefix, c->group);
1853
if (strv_length(c->supplementary_groups) > 0) {
1854
fprintf(f, "%sSupplementaryGroups:", prefix);
1855
strv_fprintf(f, c->supplementary_groups);
1860
fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
1862
if (strv_length(c->read_write_dirs) > 0) {
1863
fprintf(f, "%sReadWriteDirs:", prefix);
1864
strv_fprintf(f, c->read_write_dirs);
1868
if (strv_length(c->read_only_dirs) > 0) {
1869
fprintf(f, "%sReadOnlyDirs:", prefix);
1870
strv_fprintf(f, c->read_only_dirs);
1874
if (strv_length(c->inaccessible_dirs) > 0) {
1875
fprintf(f, "%sInaccessibleDirs:", prefix);
1876
strv_fprintf(f, c->inaccessible_dirs);
1882
"%sKillSignal: SIG%s\n"
1883
"%sSendSIGKILL: %s\n"
1884
"%sIgnoreSIGPIPE: %s\n",
1885
prefix, kill_mode_to_string(c->kill_mode),
1886
prefix, signal_to_string(c->kill_signal),
1887
prefix, yes_no(c->send_sigkill),
1888
prefix, yes_no(c->ignore_sigpipe));
1892
"%sUtmpIdentifier: %s\n",
1893
prefix, c->utmp_id);
1896
void exec_status_start(ExecStatus *s, pid_t pid) {
1901
dual_timestamp_get(&s->start_timestamp);
1904
void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
1907
if (s->pid && s->pid != pid)
1911
dual_timestamp_get(&s->exit_timestamp);
1917
if (context->utmp_id)
1918
utmp_put_dead_process(context->utmp_id, pid, code, status);
1920
exec_context_tty_reset(context);
1924
void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
1925
char buf[FORMAT_TIMESTAMP_MAX];
1938
prefix, (unsigned long) s->pid);
1940
if (s->start_timestamp.realtime > 0)
1942
"%sStart Timestamp: %s\n",
1943
prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
1945
if (s->exit_timestamp.realtime > 0)
1947
"%sExit Timestamp: %s\n"
1949
"%sExit Status: %i\n",
1950
prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
1951
prefix, sigchld_code_to_string(s->code),
1955
char *exec_command_line(char **argv) {
1963
STRV_FOREACH(a, argv)
1966
if (!(n = new(char, k)))
1970
STRV_FOREACH(a, argv) {
1977
if (strpbrk(*a, WHITESPACE)) {
1988
/* FIXME: this doesn't really handle arguments that have
1989
* spaces and ticks in them */
1994
void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
1996
const char *prefix2;
2005
p2 = strappend(prefix, "\t");
2006
prefix2 = p2 ? p2 : prefix;
2008
cmd = exec_command_line(c->argv);
2011
"%sCommand Line: %s\n",
2012
prefix, cmd ? cmd : strerror(ENOMEM));
2016
exec_status_dump(&c->exec_status, f, prefix2);
2021
void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2027
LIST_FOREACH(command, c, c)
2028
exec_command_dump(c, f, prefix);
2031
void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2038
/* It's kind of important, that we keep the order here */
2039
LIST_FIND_TAIL(ExecCommand, command, *l, end);
2040
LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2045
int exec_command_set(ExecCommand *c, const char *path, ...) {
2053
l = strv_new_ap(path, ap);
2059
if (!(p = strdup(path))) {
2073
static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2074
[EXEC_INPUT_NULL] = "null",
2075
[EXEC_INPUT_TTY] = "tty",
2076
[EXEC_INPUT_TTY_FORCE] = "tty-force",
2077
[EXEC_INPUT_TTY_FAIL] = "tty-fail",
2078
[EXEC_INPUT_SOCKET] = "socket"
2081
DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2083
static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2084
[EXEC_OUTPUT_INHERIT] = "inherit",
2085
[EXEC_OUTPUT_NULL] = "null",
2086
[EXEC_OUTPUT_TTY] = "tty",
2087
[EXEC_OUTPUT_SYSLOG] = "syslog",
2088
[EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2089
[EXEC_OUTPUT_KMSG] = "kmsg",
2090
[EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2091
[EXEC_OUTPUT_JOURNAL] = "journal",
2092
[EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2093
[EXEC_OUTPUT_SOCKET] = "socket"
2096
DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
2098
static const char* const kill_mode_table[_KILL_MODE_MAX] = {
2099
[KILL_CONTROL_GROUP] = "control-group",
2100
[KILL_PROCESS] = "process",
2101
[KILL_NONE] = "none"
2104
DEFINE_STRING_TABLE_LOOKUP(kill_mode, KillMode);
2106
static const char* const kill_who_table[_KILL_WHO_MAX] = {
2107
[KILL_MAIN] = "main",
2108
[KILL_CONTROL] = "control",
2112
DEFINE_STRING_TABLE_LOOKUP(kill_who, KillWho);