summaryrefslogtreecommitdiff
path: root/src/core/execute.c
AgeCommit message (Collapse)Author
2016-05-05tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhereLennart Poettering
The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-03-21Merge pull request #2760 from ronnychevalier/rc/core_no_new_privileges_seccompv3Daniel Mack
core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN
2016-02-28core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMINRonny Chevalier
The manpage of seccomp specify that using seccomp with SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence, without NoNewPrivilege set, it is impossible to use a SystemCall* directive with a User directive set in system mode. Now, NoNewPrivileges is set if we are in user mode, or if we are in system mode and we don't have CAP_SYS_ADMIN, and SystemCall* directives are used.
2016-02-26tree-wide: indentation fixesThomas Hindoe Paaboel Andersen
2016-02-22tree-wide: make ++/-- usage consistent WRT spacingVito Caputo
Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-13core: drop Capabilities= settingLennart Poettering
The setting is hardly useful (since its effect is generally reduced to zero due to file system caps), and with the advent of ambient caps an actually useful replacement exists, hence let's get rid of this. I am pretty sure this was unused and our man page already recommended against its use, hence this should be a safe thing to remove.
2016-02-11Remove kdbus custom endpoint supportDaniel Mack
This feature will not be used anytime soon, so remove a bit of cruft. The BusPolicy= config directive will stay around as compat noop.
2016-02-10tree-wide: remove Emacs lines from all filesDaniel Mack
This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
2016-01-28core: don't reset /dev/console if stdin/stdout/stderr as passed as fd in a ↵Lennart Poettering
transient service Otherwise we might end resetting /dev/console all the time when a transient service starts or stops. Fixes #2377 Fixes #2198 Fixes #2061
2016-01-25core: normalize error handling a bit, in setup_pam()Lennart Poettering
Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now, but before this fix it was even three!
2016-01-20systemd: remove dead codeZbigniew Jędrzejewski-Szmek
We only go to fail label if pam_pid <= 0. CID #1306746.
2016-01-13tree-wide: check if errno is greater than zero (2)Zbigniew Jędrzejewski-Szmek
Compare errno with zero in a way that tells gcc that (if the condition is true) errno is positive.
2016-01-13tree-wide: check if errno is greater then zeroZbigniew Jędrzejewski-Szmek
gcc is confused by the common idiom of return errno ? -errno : -ESOMETHING and thinks a positive value may be returned. Replace this condition with errno > 0 to help gcc and avoid many spurious warnings. I filed a gcc rfe a long time ago, but it hard to say if it will ever be implemented [1]. Both conventions were used in the codebase, this change makes things more consistent. This is a follow up to bcb161b0230f. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61846
2016-01-12capabilities: added support for ambient capabilities.Ismo Puustinen
This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000
2016-01-12capabilities: keep bounding set in non-inverted format.Ismo Puustinen
Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2015-11-30core: dump soft limits tooEvgeny Vereshchagin
2015-11-27core:execute: fix fork() fail handling in exec_spawn()lc85446
If pid < 0 after fork(), 0 is always returned because r = exec_context_load_environment() has exited successfully. This will make the caller of exec_spawn() not able to handle the fork() error case and make systemd abort assert() possibly.
2015-11-27core: dump rlim_cur tooEvgeny Vereshchagin
2015-11-11execute: Add new PassEnvironment= directiveFilipe Brandenburger
This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-27util-lib: split out globbing related calls into glob-util.[ch]Lennart Poettering
2015-10-27util-lib: split out syslog-related calls into syslog-util.[ch]Lennart Poettering
2015-10-27src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → ↵Lennart Poettering
capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.
2015-10-27util-lib: move string table stuff into its own string-table.[ch]Lennart Poettering
2015-10-27util-lib: move a number of fs operations into fs-util.[ch]Lennart Poettering
2015-10-27util-lib: split out resource limits related calls into rlimit-util.[ch]Lennart Poettering
2015-10-27util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]Lennart Poettering
2015-10-26util-lib: split out user/group/uid/gid calls into user-util.[ch]Lennart Poettering
2015-10-26util-lib: split out IO related calls to io-util.[ch]Lennart Poettering
2015-10-25util-lib: split out fd-related operations into fd-util.[ch]Lennart Poettering
There are more than enough to deserve their own .c file, hence move them over.
2015-10-24util-lib: split our string related calls from util.[ch] into its own file ↵Lennart Poettering
string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-16core: dump RuntimeDirectories and RuntimeDirectoryMode tooEvgeny Vereshchagin
2015-10-08util: do not reset terminal in acquire_terminal()Lennart Poettering
Before, we'd always reset acquired terminals, which is not really desired, as we expose a setting TTYReset= which is supposed to control whether the TTY is reset or not. Previously that setting would only enable a second resetting of the TTY, which is of course pointless... Hence, move the implicit resetting out of acquire_terminal() and make the callers do it if they need it.
2015-10-08core: add support for setting stdin/stdout/stderr for transient servicesLennart Poettering
When starting a transient service, allow setting stdin/stdout/stderr fds for it, by passing them in via the bus. This also simplifies some of the serialization code for units.
2015-10-07ask-password: add support for caching passwords in the kernel keyringLennart Poettering
This adds support for caching harddisk passwords in the kernel keyring if it is available, thus supporting caching without Plymouth being around. This is also useful for hooking up "gdm-auto-login" with the collected boot-time harddisk password, in order to support gnome keyring passphrase unlocking via the HDD password, if it is the same. Any passwords added to the kernel keyring this way have a timeout of 2.5min at which time they are purged from the kernel.
2015-10-06core: add support for naming file descriptors passed using socket activationLennart Poettering
This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-09-29core: allow setting WorkingDirectory= to the special value ~Lennart Poettering
If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23Merge pull request #1349 from dvdhrm/sync-pamLennart Poettering
core: make setup_pam() synchronous
2015-09-23exec: move mac_smack_apply_pid() and setup_pam() to same condition blockSangjung Woo
This cleans up exec_child() function by moving mac_smack_apply_pid() and setup_pam() to the same condition block, since both of them have the same condition (i.e params->apply_permissions). It improves readability without changing its operation.
2015-09-23exec: call setup_pam() after SMACK labelingSangjung Woo
When 'SmackProcessLabel=' is used in user@.service file, all processes launched in systemd user session should be labeled as the designated name of 'SmackProcessLabel' directive. However, if systemd has its own smack label using '--with-smack-run-label' configuration, '(sd-pam)' is labeled as the specific name of '--with-smack-run-label'. If 'SmackProcessLabel=' is used in user@.service file without '--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since systemd (i.e. pid=1) is labeled as "_". This is mainly because setup_pam() function is called before applying smack label to child process. This patch fixes it by calling setup_pam() after setting the smack label.
2015-09-23core: make setup_pam() synchronousDavid Herrmann
If we spawn a unit with a non-empty 'PAMName=', we fork off a child-process _inside_ the unit, known as '(sd-pam)', which watches the session. It waits for the main-process to exit and then finishes it via pam_close_session(3). However, the '(sd-pam)' setup is highly asynchronous. There is no guarantee that process gets spawned before we finish the unit setup. Therefore, there might be a root-owned process inside of the cgroup of the unit, thus causing cg_migrate() to error-out with EPERM. This patch makes setup_pam() synchronous and waits for the '(sd-pam)' setup to finish before continuing. This guarantees that setresuid(2) was at least tried before we continue with the child setup of the real unit. Note that if setresuid(2) fails, we already warn loudly about it. You really must make sure that you own the passed user if using 'PAMName='. It seems very plausible to rely on that assumption.
2015-09-21core: fix group ownership when Group is setRonny Chevalier
When Group is set in the unit, the runtime directories are owned by this group and not the default group of the user (same for cgroup paths and standard outputs) Fix #1231
2015-09-11execute: fix return type from write()Lennart Poettering
2015-09-11execute: invalidate idle pipe after useLennart Poettering
Not strictly necessary, but makes clear the fds are invalidated. Make sure we do the same here as in most other cases.
2015-09-09tree-wide: take benefit of the fact that hashmap_free() returns NULLLennart Poettering
And set_free() too. Another Coccinelle patch.
2015-09-09tree-wide: make use of the fact that strv_free() returns NULLLennart Poettering
Another Coccinelle patch.
2015-09-09tree-wide: update empty-if coccinelle script to cover empty-while and moreLennart Poettering
Let's also clean up single-line while and for blocks.
2015-09-09tree-wide: make use of log_error_errno() return valueLennart Poettering
Turns this: r = -errno; log_error_errno(errno, "foo"); into this: r = log_error_errno(errno, "foo"); and this: r = log_error_errno(errno, "foo"); return r; into this: return log_error_errno(errno, "foo");
2015-09-09tree-wide: don't do assignments within if checksLennart Poettering
Turn this: if ((r = foo()) < 0) { ... into this: r = foo(); if (r < 0) { ...
2015-09-09tree-wide: use coccinelle to patch a lot of code to use mfree()Lennart Poettering
This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.