/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ /*** This file is part of systemd. Copyright 2010 Lennart Poettering systemd is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. systemd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with systemd; If not, see <http://www.gnu.org/licenses/>. ***/ #include <assert.h> #include <dirent.h> #include <errno.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <signal.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/prctl.h> #include <linux/sched.h> #include <sys/types.h> #include <sys/stat.h> #include <grp.h> #include <pwd.h> #include <sys/mount.h> #include <linux/fs.h> #include <linux/oom.h> #include <sys/poll.h> #include <glob.h> #include <sys/personality.h> #include <libgen.h> #undef basename #ifdef HAVE_PAM #include <security/pam_appl.h> #endif #ifdef HAVE_SELINUX #include <selinux/selinux.h> #endif #ifdef HAVE_SECCOMP #include <seccomp.h> #endif #ifdef HAVE_APPARMOR #include <sys/apparmor.h> #endif #include "execute.h" #include "strv.h" #include "macro.h" #include "capability.h" #include "util.h" #include "log.h" #include "sd-messages.h" #include "ioprio.h" #include "securebits.h" #include "namespace.h" #include "exit-status.h" #include "missing.h" #include "utmp-wtmp.h" #include "def.h" #include "path-util.h" #include "env-util.h" #include "fileio.h" #include "unit.h" #include "async.h" #include "selinux-util.h" #include "errno-list.h" #include "af-list.h" #include "mkdir.h" #include "apparmor-util.h" #include "smack-util.h" #include "bus-endpoint.h" #include "label.h" #include "cap-list.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" #endif #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC) #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC) /* This assumes there is a 'tty' group */ #define TTY_MODE 0620 #define SNDBUF_SIZE (8*1024*1024) static int shift_fds(int fds[], unsigned n_fds) { int start, restart_from; if (n_fds <= 0) return 0; /* Modifies the fds array! (sorts it) */ assert(fds); start = 0; for (;;) { int i; restart_from = -1; for (i = start; i < (int) n_fds; i++) { int nfd; /* Already at right index? */ if (fds[i] == i+3) continue; if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0) return -errno; safe_close(fds[i]); fds[i] = nfd; /* Hmm, the fd we wanted isn't free? Then * let's remember that and try again from here */ if (nfd != i+3 && restart_from < 0) restart_from = i; } if (restart_from < 0) break; start = restart_from; } return 0; } static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) { unsigned i; int r; if (n_fds <= 0) return 0; assert(fds); /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */ for (i = 0; i < n_fds; i++) { if ((r = fd_nonblock(fds[i], nonblock)) < 0) return r; /* We unconditionally drop FD_CLOEXEC from the fds, * since after all we want to pass these fds to our * children */ if ((r = fd_cloexec(fds[i], false)) < 0) return r; } return 0; } _pure_ static const char *tty_path(const ExecContext *context) { assert(context); if (context->tty_path) return context->tty_path; return "/dev/console"; } static void exec_context_tty_reset(const ExecContext *context) { assert(context); if (context->tty_vhangup) terminal_vhangup(tty_path(context)); if (context->tty_reset) reset_terminal(tty_path(context)); if (context->tty_vt_disallocate && context->tty_path) vt_disallocate(context->tty_path); } static bool is_terminal_output(ExecOutput o) { return o == EXEC_OUTPUT_TTY || o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || o == EXEC_OUTPUT_KMSG_AND_CONSOLE || o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE; } static int open_null_as(int flags, int nfd) { int fd, r; assert(nfd >= 0); fd = open("/dev/null", flags|O_NOCTTY); if (fd < 0) return -errno; if (fd != nfd) { r = dup2(fd, nfd) < 0 ? -errno : nfd; safe_close(fd); } else r = nfd; return r; } static int connect_journal_socket(int fd, uid_t uid, gid_t gid) { union sockaddr_union sa = { .un.sun_family = AF_UNIX, .un.sun_path = "/run/systemd/journal/stdout", }; uid_t olduid = UID_INVALID; gid_t oldgid = GID_INVALID; int r; if (gid != GID_INVALID) { oldgid = getgid(); r = setegid(gid); if (r < 0) return -errno; } if (uid != UID_INVALID) { olduid = getuid(); r = seteuid(uid); if (r < 0) { r = -errno; goto restore_gid; } } r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path)); if (r < 0) r = -errno; /* If we fail to restore the uid or gid, things will likely fail later on. This should only happen if an LSM interferes. */ if (uid != UID_INVALID) (void) seteuid(olduid); restore_gid: if (gid != GID_INVALID) (void) setegid(oldgid); return r; } static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) { int fd, r; assert(context); assert(output < _EXEC_OUTPUT_MAX); assert(ident); assert(nfd >= 0); fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd < 0) return -errno; r = connect_journal_socket(fd, uid, gid); if (r < 0) return r; if (shutdown(fd, SHUT_RD) < 0) { safe_close(fd); return -errno; } fd_inc_sndbuf(fd, SNDBUF_SIZE); dprintf(fd, "%s\n" "%s\n" "%i\n" "%i\n" "%i\n" "%i\n" "%i\n", context->syslog_identifier ? context->syslog_identifier : ident, unit_id, context->syslog_priority, !!context->syslog_level_prefix, output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE, output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE, is_terminal_output(output)); if (fd != nfd) { r = dup2(fd, nfd) < 0 ? -errno : nfd; safe_close(fd); } else r = nfd; return r; } static int open_terminal_as(const char *path, mode_t mode, int nfd) { int fd, r; assert(path); assert(nfd >= 0); if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0) return fd; if (fd != nfd) { r = dup2(fd, nfd) < 0 ? -errno : nfd; safe_close(fd); } else r = nfd; return r; } static bool is_terminal_input(ExecInput i) { return i == EXEC_INPUT_TTY || i == EXEC_INPUT_TTY_FORCE || i == EXEC_INPUT_TTY_FAIL; } static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) { if (is_terminal_input(std_input) && !apply_tty_stdin) return EXEC_INPUT_NULL; if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0) return EXEC_INPUT_NULL; return std_input; } static int fixup_output(ExecOutput std_output, int socket_fd) { if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0) return EXEC_OUTPUT_INHERIT; return std_output; } static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) { ExecInput i; assert(context); i = fixup_input(context->std_input, socket_fd, apply_tty_stdin); switch (i) { case EXEC_INPUT_NULL: return open_null_as(O_RDONLY, STDIN_FILENO); case EXEC_INPUT_TTY: case EXEC_INPUT_TTY_FORCE: case EXEC_INPUT_TTY_FAIL: { int fd, r; fd = acquire_terminal(tty_path(context), i == EXEC_INPUT_TTY_FAIL, i == EXEC_INPUT_TTY_FORCE, false, USEC_INFINITY); if (fd < 0) return fd; if (fd != STDIN_FILENO) { r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO; safe_close(fd); } else r = STDIN_FILENO; return r; } case EXEC_INPUT_SOCKET: return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO; default: assert_not_reached("Unknown input type"); } } static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin, uid_t uid, gid_t gid) { ExecOutput o; ExecInput i; int r; assert(context); assert(ident); i = fixup_input(context->std_input, socket_fd, apply_tty_stdin); o = fixup_output(context->std_output, socket_fd); if (fileno == STDERR_FILENO) { ExecOutput e; e = fixup_output(context->std_error, socket_fd); /* This expects the input and output are already set up */ /* Don't change the stderr file descriptor if we inherit all * the way and are not on a tty */ if (e == EXEC_OUTPUT_INHERIT && o == EXEC_OUTPUT_INHERIT && i == EXEC_INPUT_NULL && !is_terminal_input(context->std_input) && getppid () != 1) return fileno; /* Duplicate from stdout if possible */ if (e == o || e == EXEC_OUTPUT_INHERIT) return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno; o = e; } else if (o == EXEC_OUTPUT_INHERIT) { /* If input got downgraded, inherit the original value */ if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input)) return open_terminal_as(tty_path(context), O_WRONLY, fileno); /* If the input is connected to anything that's not a /dev/null, inherit that... */ if (i != EXEC_INPUT_NULL) return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno; /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */ if (getppid() != 1) return fileno; /* We need to open /dev/null here anew, to get the right access mode. */ return open_null_as(O_WRONLY, fileno); } switch (o) { case EXEC_OUTPUT_NULL: return open_null_as(O_WRONLY, fileno); case EXEC_OUTPUT_TTY: if (is_terminal_input(i)) return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno; /* We don't reset the terminal if this is just about output */ return open_terminal_as(tty_path(context), O_WRONLY, fileno); case EXEC_OUTPUT_SYSLOG: case EXEC_OUTPUT_SYSLOG_AND_CONSOLE: case EXEC_OUTPUT_KMSG: case EXEC_OUTPUT_KMSG_AND_CONSOLE: case EXEC_OUTPUT_JOURNAL: case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: r = connect_logger_as(context, o, ident, unit_id, fileno, uid, gid); if (r < 0) { log_unit_struct(unit_id, LOG_ERR, LOG_MESSAGE("Failed to connect %s of %s to the journal socket: %s", fileno == STDOUT_FILENO ? "stdout" : "stderr", unit_id, strerror(-r)), LOG_ERRNO(-r), NULL); r = open_null_as(O_WRONLY, fileno); } return r; case EXEC_OUTPUT_SOCKET: assert(socket_fd >= 0); return dup2(socket_fd, fileno) < 0 ? -errno : fileno; default: assert_not_reached("Unknown error type"); } } static int chown_terminal(int fd, uid_t uid) { struct stat st; assert(fd >= 0); /* This might fail. What matters are the results. */ (void) fchown(fd, uid, -1); (void) fchmod(fd, TTY_MODE); if (fstat(fd, &st) < 0) return -errno; if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE) return -EPERM; return 0; } static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) { int fd = -1, saved_stdin, saved_stdout = -1, r; assert(_saved_stdin); assert(_saved_stdout); saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3); if (saved_stdin < 0) return -errno; saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3); if (saved_stdout < 0) { r = errno; goto fail; } fd = acquire_terminal( "/dev/console", false, false, false, DEFAULT_CONFIRM_USEC); if (fd < 0) { r = fd; goto fail; } r = chown_terminal(fd, getuid()); if (r < 0) goto fail; if (dup2(fd, STDIN_FILENO) < 0) { r = -errno; goto fail; } if (dup2(fd, STDOUT_FILENO) < 0) { r = -errno; goto fail; } if (fd >= 2) safe_close(fd); *_saved_stdin = saved_stdin; *_saved_stdout = saved_stdout; return 0; fail: safe_close(saved_stdout); safe_close(saved_stdin); safe_close(fd); return r; } _printf_(1, 2) static int write_confirm_message(const char *format, ...) { _cleanup_close_ int fd = -1; va_list ap; assert(format); fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC); if (fd < 0) return fd; va_start(ap, format); vdprintf(fd, format, ap); va_end(ap); return 0; } static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) { int r = 0; assert(saved_stdin); assert(saved_stdout); release_terminal(); if (*saved_stdin >= 0) if (dup2(*saved_stdin, STDIN_FILENO) < 0) r = -errno; if (*saved_stdout >= 0) if (dup2(*saved_stdout, STDOUT_FILENO) < 0) r = -errno; safe_close(*saved_stdin); safe_close(*saved_stdout); return r; } static int ask_for_confirmation(char *response, char **argv) { int saved_stdout = -1, saved_stdin = -1, r; _cleanup_free_ char *line = NULL; r = setup_confirm_stdio(&saved_stdin, &saved_stdout); if (r < 0) return r; line = exec_command_line(argv); if (!line) return -ENOMEM; r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line); restore_confirm_stdio(&saved_stdin, &saved_stdout); return r; } static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) { bool keep_groups = false; int r; assert(context); /* Lookup and set GID and supplementary group list. Here too * we avoid NSS lookups for gid=0. */ if (context->group || username) { if (context->group) { const char *g = context->group; if ((r = get_group_creds(&g, &gid)) < 0) return r; } /* First step, initialize groups from /etc/groups */ if (username && gid != 0) { if (initgroups(username, gid) < 0) return -errno; keep_groups = true; } /* Second step, set our gids */ if (setresgid(gid, gid, gid) < 0) return -errno; } if (context->supplementary_groups) { int ngroups_max, k; gid_t *gids; char **i; /* Final step, initialize any manually set supplementary groups */ assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0); if (!(gids = new(gid_t, ngroups_max))) return -ENOMEM; if (keep_groups) { if ((k = getgroups(ngroups_max, gids)) < 0) { free(gids); return -errno; } } else k = 0; STRV_FOREACH(i, context->supplementary_groups) { const char *g; if (k >= ngroups_max) { free(gids); return -E2BIG; } g = *i; r = get_group_creds(&g, gids+k); if (r < 0) { free(gids); return r; } k++; } if (setgroups(k, gids) < 0) { free(gids); return -errno; } free(gids); } return 0; } static int enforce_user(const ExecContext *context, uid_t uid) { assert(context); /* Sets (but doesn't lookup) the uid and make sure we keep the * capabilities while doing so. */ if (context->capabilities) { _cleanup_cap_free_ cap_t d = NULL; static const cap_value_t bits[] = { CAP_SETUID, /* Necessary so that we can run setresuid() below */ CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */ }; /* First step: If we need to keep capabilities but * drop privileges we need to make sure we keep our * caps, while we drop privileges. */ if (uid != 0) { int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS; if (prctl(PR_GET_SECUREBITS) != sb) if (prctl(PR_SET_SECUREBITS, sb) < 0) return -errno; } /* Second step: set the capabilities. This will reduce * the capabilities to the minimum we need. */ d = cap_dup(context->capabilities); if (!d) return -errno; if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) return -errno; if (cap_set_proc(d) < 0) return -errno; } /* Third step: actually set the uids */ if (setresuid(uid, uid, uid) < 0) return -errno; /* At this point we should have all necessary capabilities but are otherwise a normal user. However, the caps might got corrupted due to the setresuid() so we need clean them up later. This is done outside of this call. */ return 0; } #ifdef HAVE_PAM static int null_conv( int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { /* We don't support conversations */ return PAM_CONV_ERR; } static int setup_pam( const char *name, const char *user, uid_t uid, const char *tty, char ***pam_env, int fds[], unsigned n_fds) { static const struct pam_conv conv = { .conv = null_conv, .appdata_ptr = NULL }; pam_handle_t *handle = NULL; sigset_t ss, old_ss; int pam_code = PAM_SUCCESS; int err; char **e = NULL; bool close_session = false; pid_t pam_pid = 0, parent_pid; int flags = 0; assert(name); assert(user); assert(pam_env); /* We set up PAM in the parent process, then fork. The child * will then stay around until killed via PR_GET_PDEATHSIG or * systemd via the cgroup logic. It will then remove the PAM * session again. The parent process will exec() the actual * daemon. We do things this way to ensure that the main PID * of the daemon is the one we initially fork()ed. */ if (log_get_max_level() < LOG_DEBUG) flags |= PAM_SILENT; pam_code = pam_start(name, user, &conv, &handle); if (pam_code != PAM_SUCCESS) { handle = NULL; goto fail; } if (tty) { pam_code = pam_set_item(handle, PAM_TTY, tty); if (pam_code != PAM_SUCCESS) goto fail; } pam_code = pam_acct_mgmt(handle, flags); if (pam_code != PAM_SUCCESS) goto fail; pam_code = pam_open_session(handle, flags); if (pam_code != PAM_SUCCESS) goto fail; close_session = true; e = pam_getenvlist(handle); if (!e) { pam_code = PAM_BUF_ERR; goto fail; } /* Block SIGTERM, so that we know that it won't get lost in * the child */ if (sigemptyset(&ss) < 0 || sigaddset(&ss, SIGTERM) < 0 || sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0) goto fail; parent_pid = getpid(); pam_pid = fork(); if (pam_pid < 0) goto fail; if (pam_pid == 0) { int sig; int r = EXIT_PAM; /* The child's job is to reset the PAM session on * termination */ /* This string must fit in 10 chars (i.e. the length * of "/sbin/init"), to look pretty in /bin/ps */ rename_process("(sd-pam)"); /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds are open here that have been opened by PAM. */ close_many(fds, n_fds); /* Drop privileges - we don't need any to pam_close_session * and this will make PR_SET_PDEATHSIG work in most cases. * If this fails, ignore the error - but expect sd-pam threads * to fail to exit normally */ if (setresuid(uid, uid, uid) < 0) log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m"); /* Wait until our parent died. This will only work if * the above setresuid() succeeds, otherwise the kernel * will not allow unprivileged parents kill their privileged * children this way. We rely on the control groups kill logic * to do the rest for us. */ if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0) goto child_finish; /* Check if our parent process might already have * died? */ if (getppid() == parent_pid) { for (;;) { if (sigwait(&ss, &sig) < 0) { if (errno == EINTR) continue; goto child_finish; } assert(sig == SIGTERM); break; } } /* If our parent died we'll end the session */ if (getppid() != parent_pid) { pam_code = pam_close_session(handle, flags); if (pam_code != PAM_SUCCESS) goto child_finish; } r = 0; child_finish: pam_end(handle, pam_code | flags); _exit(r); } /* If the child was forked off successfully it will do all the * cleanups, so forget about the handle here. */ handle = NULL; /* Unblock SIGTERM again in the parent */ if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0) goto fail; /* We close the log explicitly here, since the PAM modules * might have opened it, but we don't want this fd around. */ closelog(); *pam_env = e; e = NULL; return 0; fail: if (pam_code != PAM_SUCCESS) { log_error("PAM failed: %s", pam_strerror(handle, pam_code)); err = -EPERM; /* PAM errors do not map to errno */ } else { log_error_errno(errno, "PAM failed: %m"); err = -errno; } if (handle) { if (close_session) pam_code = pam_close_session(handle, flags); pam_end(handle, pam_code | flags); } strv_free(e); closelog(); if (pam_pid > 1) { kill(pam_pid, SIGTERM); kill(pam_pid, SIGCONT); } return err; } #endif static void rename_process_from_path(const char *path) { char process_name[11]; const char *p; size_t l; /* This resulting string must fit in 10 chars (i.e. the length * of "/sbin/init") to look pretty in /bin/ps */ p = basename(path); if (isempty(p)) { rename_process("(...)"); return; } l = strlen(p); if (l > 8) { /* The end of the process name is usually more * interesting, since the first bit might just be * "systemd-" */ p = p + l - 8; l = 8; } process_name[0] = '('; memcpy(process_name+1, p, l); process_name[1+l] = ')'; process_name[1+l+1] = 0; rename_process(process_name); } #ifdef HAVE_SECCOMP static int apply_seccomp(const ExecContext *c) { uint32_t negative_action, action; scmp_filter_ctx *seccomp; Iterator i; void *id; int r; assert(c); negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno); seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW); if (!seccomp) return -ENOMEM; if (c->syscall_archs) { SET_FOREACH(id, c->syscall_archs, i) { r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1); if (r == -EEXIST) continue; if (r < 0) goto finish; } } else { r = seccomp_add_secondary_archs(seccomp); if (r < 0) goto finish; } action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action; SET_FOREACH(id, c->syscall_filter, i) { r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0); if (r < 0) goto finish; } r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); if (r < 0) goto finish; r = seccomp_load(seccomp); finish: seccomp_release(seccomp); return r; } static int apply_address_families(const ExecContext *c) { scmp_filter_ctx *seccomp; Iterator i; int r; assert(c); seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return -ENOMEM; r = seccomp_add_secondary_archs(seccomp); if (r < 0) goto finish; if (c->address_families_whitelist) { int af, first = 0, last = 0; void *afp; /* If this is a whitelist, we first block the address * families that are out of range and then everything * that is not in the set. First, we find the lowest * and highest address family in the set. */ SET_FOREACH(afp, c->address_families, i) { af = PTR_TO_INT(afp); if (af <= 0 || af >= af_max()) continue; if (first == 0 || af < first) first = af; if (last == 0 || af > last) last = af; } assert((first == 0) == (last == 0)); if (first == 0) { /* No entries in the valid range, block everything */ r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EPROTONOSUPPORT), SCMP_SYS(socket), 0); if (r < 0) goto finish; } else { /* Block everything below the first entry */ r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EPROTONOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_LT, first)); if (r < 0) goto finish; /* Block everything above the last entry */ r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EPROTONOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GT, last)); if (r < 0) goto finish; /* Block everything between the first and last * entry */ for (af = 1; af < af_max(); af++) { if (set_contains(c->address_families, INT_TO_PTR(af))) continue; r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EPROTONOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, af)); if (r < 0) goto finish; } } } else { void *af; /* If this is a blacklist, then generate one rule for * each address family that are then combined in OR * checks. */ SET_FOREACH(af, c->address_families, i) { r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EPROTONOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af))); if (r < 0) goto finish; } } r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); if (r < 0) goto finish; r = seccomp_load(seccomp); finish: seccomp_release(seccomp); return r; } #endif static void do_idle_pipe_dance(int idle_pipe[4]) { assert(idle_pipe); safe_close(idle_pipe[1]); safe_close(idle_pipe[2]); if (idle_pipe[0] >= 0) { int r; r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC); if (idle_pipe[3] >= 0 && r == 0 /* timeout */) { /* Signal systemd that we are bored and want to continue. */ write(idle_pipe[3], "x", 1); /* Wait for systemd to react to the signal above. */ fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC); } safe_close(idle_pipe[0]); } safe_close(idle_pipe[3]); } static int build_environment( const ExecContext *c, unsigned n_fds, usec_t watchdog_usec, const char *home, const char *username, const char *shell, char ***ret) { _cleanup_strv_free_ char **our_env = NULL; unsigned n_env = 0; char *x; assert(c); assert(ret); our_env = new0(char*, 10); if (!our_env) return -ENOMEM; if (n_fds > 0) { if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0) return -ENOMEM; our_env[n_env++] = x; if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0) return -ENOMEM; our_env[n_env++] = x; } if (watchdog_usec > 0) { if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0) return -ENOMEM; our_env[n_env++] = x; if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0) return -ENOMEM; our_env[n_env++] = x; } if (home) { x = strappend("HOME=", home); if (!x) return -ENOMEM; our_env[n_env++] = x; } if (username) { x = strappend("LOGNAME=", username); if (!x) return -ENOMEM; our_env[n_env++] = x; x = strappend("USER=", username); if (!x) return -ENOMEM; our_env[n_env++] = x; } if (shell) { x = strappend("SHELL=", shell); if (!x) return -ENOMEM; our_env[n_env++] = x; } if (is_terminal_input(c->std_input) || c->std_output == EXEC_OUTPUT_TTY || c->std_error == EXEC_OUTPUT_TTY || c->tty_path) { x = strdup(default_term_for_tty(tty_path(c))); if (!x) return -ENOMEM; our_env[n_env++] = x; } our_env[n_env++] = NULL; assert(n_env <= 10); *ret = our_env; our_env = NULL; return 0; } static int exec_child( ExecCommand *command, const ExecContext *context, const ExecParameters *params, ExecRuntime *runtime, char **argv, int socket_fd, int *fds, unsigned n_fds, char **files_env, int *exit_status) { _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL; _cleanup_free_ char *mac_selinux_context_net = NULL; const char *username = NULL, *home = NULL, *shell = NULL; unsigned n_dont_close = 0; int dont_close[n_fds + 4]; uid_t uid = UID_INVALID; gid_t gid = GID_INVALID; int i, r; assert(command); assert(context); assert(params); assert(exit_status); rename_process_from_path(command->path); /* We reset exactly these signals, since they are the * only ones we set to SIG_IGN in the main daemon. All * others we leave untouched because we set them to * SIG_DFL or a valid handler initially, both of which * will be demoted to SIG_DFL. */ default_signals(SIGNALS_CRASH_HANDLER, SIGNALS_IGNORE, -1); if (context->ignore_sigpipe) ignore_signals(SIGPIPE, -1); r = reset_signal_mask(); if (r < 0) { *exit_status = EXIT_SIGNAL_MASK; return r; } if (params->idle_pipe) do_idle_pipe_dance(params->idle_pipe); /* Close sockets very early to make sure we don't * block init reexecution because it cannot bind its * sockets */ log_forget_fds(); if (socket_fd >= 0) dont_close[n_dont_close++] = socket_fd; if (n_fds > 0) { memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds); n_dont_close += n_fds; } if (params->bus_endpoint_fd >= 0) dont_close[n_dont_close++] = params->bus_endpoint_fd; if (runtime) { if (runtime->netns_storage_socket[0] >= 0) dont_close[n_dont_close++] = runtime->netns_storage_socket[0]; if (runtime->netns_storage_socket[1] >= 0) dont_close[n_dont_close++] = runtime->netns_storage_socket[1]; } r = close_all_fds(dont_close, n_dont_close); if (r < 0) { *exit_status = EXIT_FDS; return r; } if (!context->same_pgrp) if (setsid() < 0) { *exit_status = EXIT_SETSID; return -errno; } exec_context_tty_reset(context); if (params->confirm_spawn) { char response; r = ask_for_confirmation(&response, argv); if (r == -ETIMEDOUT) write_confirm_message("Confirmation question timed out, assuming positive response.\n"); else if (r < 0) write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r)); else if (response == 's') { write_confirm_message("Skipping execution.\n"); *exit_status = EXIT_CONFIRM; return -ECANCELED; } else if (response == 'n') { write_confirm_message("Failing execution.\n"); *exit_status = 0; return 0; } } if (context->user) { username = context->user; r = get_user_creds(&username, &uid, &gid, &home, &shell); if (r < 0) { *exit_status = EXIT_USER; return r; } } /* If a socket is connected to STDIN/STDOUT/STDERR, we * must sure to drop O_NONBLOCK */ if (socket_fd >= 0) fd_nonblock(socket_fd, false); r = setup_input(context, socket_fd, params->apply_tty_stdin); if (r < 0) { *exit_status = EXIT_STDIN; return r; } r = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid); if (r < 0) { *exit_status = EXIT_STDOUT; return r; } r = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid); if (r < 0) { *exit_status = EXIT_STDERR; return r; } if (params->cgroup_path) { r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL); if (r < 0) { *exit_status = EXIT_CGROUP; return r; } } if (context->oom_score_adjust_set) { char t[DECIMAL_STR_MAX(context->oom_score_adjust)]; /* When we can't make this change due to EPERM, then * let's silently skip over it. User namespaces * prohibit write access to this file, and we * shouldn't trip up over that. */ sprintf(t, "%i", context->oom_score_adjust); r = write_string_file("/proc/self/oom_score_adj", t); if (r == -EPERM || r == -EACCES) { log_open(); log_unit_debug_errno(params->unit_id, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m"); log_close(); } else if (r < 0) { *exit_status = EXIT_OOM_ADJUST; return -errno; } } if (context->nice_set) if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { *exit_status = EXIT_NICE; return -errno; } if (context->cpu_sched_set) { struct sched_param param = { .sched_priority = context->cpu_sched_priority, }; r = sched_setscheduler(0, context->cpu_sched_policy | (context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), ¶m); if (r < 0) { *exit_status = EXIT_SETSCHEDULER; return -errno; } } if (context->cpuset) if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) { *exit_status = EXIT_CPUAFFINITY; return -errno; } if (context->ioprio_set) if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) { *exit_status = EXIT_IOPRIO; return -errno; } if (context->timer_slack_nsec != NSEC_INFINITY) if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) { *exit_status = EXIT_TIMERSLACK; return -errno; } if (context->personality != 0xffffffffUL) if (personality(context->personality) < 0) { *exit_status = EXIT_PERSONALITY; return -errno; } if (context->utmp_id) utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path); if (context->user && is_terminal_input(context->std_input)) { r = chown_terminal(STDIN_FILENO, uid); if (r < 0) { *exit_status = EXIT_STDIN; return r; } } #ifdef ENABLE_KDBUS if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) { uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid; r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint); if (r < 0) { *exit_status = EXIT_BUS_ENDPOINT; return r; } } #endif /* If delegation is enabled we'll pass ownership of the cgroup * (but only in systemd's own controller hierarchy!) to the * user of the new process. */ if (params->cgroup_path && context->user && params->cgroup_delegate) { r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid); if (r < 0) { *exit_status = EXIT_CGROUP; return r; } r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid); if (r < 0) { *exit_status = EXIT_CGROUP; return r; } } if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) { char **rt; STRV_FOREACH(rt, context->runtime_directory) { _cleanup_free_ char *p; p = strjoin(params->runtime_prefix, "/", *rt, NULL); if (!p) { *exit_status = EXIT_RUNTIME_DIRECTORY; return -ENOMEM; } r = mkdir_safe(p, context->runtime_directory_mode, uid, gid); if (r < 0) { *exit_status = EXIT_RUNTIME_DIRECTORY; return r; } } } if (params->apply_permissions) { r = enforce_groups(context, username, gid); if (r < 0) { *exit_status = EXIT_GROUP; return r; } } umask(context->umask); #ifdef HAVE_PAM if (params->apply_permissions && context->pam_name && username) { r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); if (r < 0) { *exit_status = EXIT_PAM; return r; } } #endif if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) { r = setup_netns(runtime->netns_storage_socket); if (r < 0) { *exit_status = EXIT_NETWORK; return r; } } if (!strv_isempty(context->read_write_dirs) || !strv_isempty(context->read_only_dirs) || !strv_isempty(context->inaccessible_dirs) || context->mount_flags != 0 || (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) || params->bus_endpoint_path || context->private_devices || context->protect_system != PROTECT_SYSTEM_NO || context->protect_home != PROTECT_HOME_NO) { char *tmp = NULL, *var = NULL; /* The runtime struct only contains the parent * of the private /tmp, which is * non-accessible to world users. Inside of it * there's a /tmp that is sticky, and that's * the one we want to use here. */ if (context->private_tmp && runtime) { if (runtime->tmp_dir) tmp = strappenda(runtime->tmp_dir, "/tmp"); if (runtime->var_tmp_dir) var = strappenda(runtime->var_tmp_dir, "/tmp"); } r = setup_namespace( context->read_write_dirs, context->read_only_dirs, context->inaccessible_dirs, tmp, var, params->bus_endpoint_path, context->private_devices, context->protect_home, context->protect_system, context->mount_flags); /* If we couldn't set up the namespace this is * probably due to a missing capability. In this case, * silently proceeed. */ if (r == -EPERM || r == -EACCES) { log_open(); log_unit_debug_errno(params->unit_id, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m"); log_close(); } else if (r < 0) { *exit_status = EXIT_NAMESPACE; return r; } } if (params->apply_chroot) { if (context->root_directory) if (chroot(context->root_directory) < 0) { *exit_status = EXIT_CHROOT; return -errno; } if (chdir(context->working_directory ? context->working_directory : "/") < 0) { *exit_status = EXIT_CHDIR; return -errno; } } else { _cleanup_free_ char *d = NULL; if (asprintf(&d, "%s/%s", context->root_directory ? context->root_directory : "", context->working_directory ? context->working_directory : "") < 0) { *exit_status = EXIT_MEMORY; return -ENOMEM; } if (chdir(d) < 0) { *exit_status = EXIT_CHDIR; return -errno; } } #ifdef HAVE_SELINUX if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) { r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net); if (r < 0) { *exit_status = EXIT_SELINUX_CONTEXT; return r; } } #endif /* We repeat the fd closing here, to make sure that * nothing is leaked from the PAM modules. Note that * we are more aggressive this time since socket_fd * and the netns fds we don't need anymore. The custom * endpoint fd was needed to upload the policy and can * now be closed as well. */ r = close_all_fds(fds, n_fds); if (r >= 0) r = shift_fds(fds, n_fds); if (r >= 0) r = flags_fds(fds, n_fds, context->non_blocking); if (r < 0) { *exit_status = EXIT_FDS; return r; } if (params->apply_permissions) { for (i = 0; i < _RLIMIT_MAX; i++) { if (!context->rlimit[i]) continue; if (setrlimit_closest(i, context->rlimit[i]) < 0) { *exit_status = EXIT_LIMITS; return -errno; } } if (context->capability_bounding_set_drop) { r = capability_bounding_set_drop(context->capability_bounding_set_drop, false); if (r < 0) { *exit_status = EXIT_CAPABILITIES; return r; } } #ifdef HAVE_SMACK if (context->smack_process_label) { r = mac_smack_apply_pid(0, context->smack_process_label); if (r < 0) { *exit_status = EXIT_SMACK_PROCESS_LABEL; return r; } } #endif if (context->user) { r = enforce_user(context, uid); if (r < 0) { *exit_status = EXIT_USER; return r; } } /* PR_GET_SECUREBITS is not privileged, while * PR_SET_SECUREBITS is. So to suppress * potential EPERMs we'll try not to call * PR_SET_SECUREBITS unless necessary. */ if (prctl(PR_GET_SECUREBITS) != context->secure_bits) if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) { *exit_status = EXIT_SECUREBITS; return -errno; } if (context->capabilities) if (cap_set_proc(context->capabilities) < 0) { *exit_status = EXIT_CAPABILITIES; return -errno; } if (context->no_new_privileges) if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { *exit_status = EXIT_NO_NEW_PRIVILEGES; return -errno; } #ifdef HAVE_SECCOMP if (context->address_families_whitelist || !set_isempty(context->address_families)) { r = apply_address_families(context); if (r < 0) { *exit_status = EXIT_ADDRESS_FAMILIES; return r; } } if (context->syscall_whitelist || !set_isempty(context->syscall_filter) || !set_isempty(context->syscall_archs)) { r = apply_seccomp(context); if (r < 0) { *exit_status = EXIT_SECCOMP; return r; } } #endif #ifdef HAVE_SELINUX if (mac_selinux_use()) { char *exec_context = mac_selinux_context_net ?: context->selinux_context; if (exec_context) { r = setexeccon(exec_context); if (r < 0) { *exit_status = EXIT_SELINUX_CONTEXT; return r; } } } #endif #ifdef HAVE_APPARMOR if (context->apparmor_profile && mac_apparmor_use()) { r = aa_change_onexec(context->apparmor_profile); if (r < 0 && !context->apparmor_profile_ignore) { *exit_status = EXIT_APPARMOR_PROFILE; return -errno; } } #endif } r = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env); if (r < 0) { *exit_status = EXIT_MEMORY; return r; } final_env = strv_env_merge(5, params->environment, our_env, context->environment, files_env, pam_env, NULL); if (!final_env) { *exit_status = EXIT_MEMORY; return -ENOMEM; } final_argv = replace_env_argv(argv, final_env); if (!final_argv) { *exit_status = EXIT_MEMORY; return -ENOMEM; } final_env = strv_env_clean(final_env); if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) { _cleanup_free_ char *line; line = exec_command_line(final_argv); if (line) { log_open(); log_unit_struct(params->unit_id, LOG_DEBUG, "EXECUTABLE=%s", command->path, LOG_MESSAGE("Executing: %s", line), NULL); log_close(); } } execve(command->path, final_argv, final_env); *exit_status = EXIT_EXEC; return -errno; } int exec_spawn(ExecCommand *command, const ExecContext *context, const ExecParameters *params, ExecRuntime *runtime, pid_t *ret) { _cleanup_strv_free_ char **files_env = NULL; int *fds = NULL; unsigned n_fds = 0; _cleanup_free_ char *line = NULL; int socket_fd, r; char **argv; pid_t pid; assert(command); assert(context); assert(ret); assert(params); assert(params->fds || params->n_fds <= 0); if (context->std_input == EXEC_INPUT_SOCKET || context->std_output == EXEC_OUTPUT_SOCKET || context->std_error == EXEC_OUTPUT_SOCKET) { if (params->n_fds != 1) { log_unit_error(params->unit_id, "Got more than one socket."); return -EINVAL; } socket_fd = params->fds[0]; } else { socket_fd = -1; fds = params->fds; n_fds = params->n_fds; } r = exec_context_load_environment(context, params->unit_id, &files_env); if (r < 0) return log_unit_error_errno(params->unit_id, r, "Failed to load environment files: %m"); argv = params->argv ?: command->argv; line = exec_command_line(argv); if (!line) return log_oom(); log_unit_struct(params->unit_id, LOG_DEBUG, "EXECUTABLE=%s", command->path, LOG_MESSAGE("About to execute: %s", line), NULL); pid = fork(); if (pid < 0) return log_unit_error_errno(params->unit_id, r, "Failed to fork: %m"); if (pid == 0) { int exit_status; r = exec_child(command, context, params, runtime, argv, socket_fd, fds, n_fds, files_env, &exit_status); if (r < 0) { log_open(); log_unit_struct(params->unit_id, LOG_ERR, LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED), "EXECUTABLE=%s", command->path, LOG_MESSAGE("Failed at step %s spawning %s: %s", exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD), command->path, strerror(-r)), LOG_ERRNO(r), NULL); } _exit(exit_status); } log_unit_debug(params->unit_id, "Forked %s as "PID_FMT, command->path, pid); /* We add the new process to the cgroup both in the child (so * that we can be sure that no user code is ever executed * outside of the cgroup) and in the parent (so that we can be * sure that when we kill the cgroup the process will be * killed too). */ if (params->cgroup_path) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid); exec_status_start(&command->exec_status, pid); *ret = pid; return 0; } void exec_context_init(ExecContext *c) { assert(c); c->umask = 0022; c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0); c->cpu_sched_policy = SCHED_OTHER; c->syslog_priority = LOG_DAEMON|LOG_INFO; c->syslog_level_prefix = true; c->ignore_sigpipe = true; c->timer_slack_nsec = NSEC_INFINITY; c->personality = 0xffffffffUL; c->runtime_directory_mode = 0755; } void exec_context_done(ExecContext *c) { unsigned l; assert(c); strv_free(c->environment); c->environment = NULL; strv_free(c->environment_files); c->environment_files = NULL; for (l = 0; l < ELEMENTSOF(c->rlimit); l++) { free(c->rlimit[l]); c->rlimit[l] = NULL; } free(c->working_directory); c->working_directory = NULL; free(c->root_directory); c->root_directory = NULL; free(c->tty_path); c->tty_path = NULL; free(c->syslog_identifier); c->syslog_identifier = NULL; free(c->user); c->user = NULL; free(c->group); c->group = NULL; strv_free(c->supplementary_groups); c->supplementary_groups = NULL; free(c->pam_name); c->pam_name = NULL; if (c->capabilities) { cap_free(c->capabilities); c->capabilities = NULL; } strv_free(c->read_only_dirs); c->read_only_dirs = NULL; strv_free(c->read_write_dirs); c->read_write_dirs = NULL; strv_free(c->inaccessible_dirs); c->inaccessible_dirs = NULL; if (c->cpuset) CPU_FREE(c->cpuset); free(c->utmp_id); c->utmp_id = NULL; free(c->selinux_context); c->selinux_context = NULL; free(c->apparmor_profile); c->apparmor_profile = NULL; set_free(c->syscall_filter); c->syscall_filter = NULL; set_free(c->syscall_archs); c->syscall_archs = NULL; set_free(c->address_families); c->address_families = NULL; strv_free(c->runtime_directory); c->runtime_directory = NULL; bus_endpoint_free(c->bus_endpoint); c->bus_endpoint = NULL; } int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) { char **i; assert(c); if (!runtime_prefix) return 0; STRV_FOREACH(i, c->runtime_directory) { _cleanup_free_ char *p; p = strjoin(runtime_prefix, "/", *i, NULL); if (!p) return -ENOMEM; /* We execute this synchronously, since we need to be * sure this is gone when we start the service * next. */ rm_rf(p, false, true, false); } return 0; } void exec_command_done(ExecCommand *c) { assert(c); free(c->path); c->path = NULL; strv_free(c->argv); c->argv = NULL; } void exec_command_done_array(ExecCommand *c, unsigned n) { unsigned i; for (i = 0; i < n; i++) exec_command_done(c+i); } ExecCommand* exec_command_free_list(ExecCommand *c) { ExecCommand *i; while ((i = c)) { LIST_REMOVE(command, c, i); exec_command_done(i); free(i); } return NULL; } void exec_command_free_array(ExecCommand **c, unsigned n) { unsigned i; for (i = 0; i < n; i++) c[i] = exec_command_free_list(c[i]); } typedef struct InvalidEnvInfo { const char *unit_id; const char *path; } InvalidEnvInfo; static void invalid_env(const char *p, void *userdata) { InvalidEnvInfo *info = userdata; log_unit_error(info->unit_id, "Ignoring invalid environment assignment '%s': %s", p, info->path); } int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) { char **i, **r = NULL; assert(c); assert(l); STRV_FOREACH(i, c->environment_files) { char *fn; int k; bool ignore = false; char **p; _cleanup_globfree_ glob_t pglob = {}; int count, n; fn = *i; if (fn[0] == '-') { ignore = true; fn ++; } if (!path_is_absolute(fn)) { if (ignore) continue; strv_free(r); return -EINVAL; } /* Filename supports globbing, take all matching files */ errno = 0; if (glob(fn, 0, NULL, &pglob) != 0) { if (ignore) continue; strv_free(r); return errno ? -errno : -EINVAL; } count = pglob.gl_pathc; if (count == 0) { if (ignore) continue; strv_free(r); return -EINVAL; } for (n = 0; n < count; n++) { k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p); if (k < 0) { if (ignore) continue; strv_free(r); return k; } /* Log invalid environment variables with filename */ if (p) { InvalidEnvInfo info = { .unit_id = unit_id, .path = pglob.gl_pathv[n] }; p = strv_env_clean_with_callback(p, invalid_env, &info); } if (r == NULL) r = p; else { char **m; m = strv_env_merge(2, r, p); strv_free(r); strv_free(p); if (!m) return -ENOMEM; r = m; } } } *l = r; return 0; } static bool tty_may_match_dev_console(const char *tty) { _cleanup_free_ char *active = NULL; char *console; if (startswith(tty, "/dev/")) tty += 5; /* trivial identity? */ if (streq(tty, "console")) return true; console = resolve_dev_console(&active); /* if we could not resolve, assume it may */ if (!console) return true; /* "tty0" means the active VC, so it may be the same sometimes */ return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty)); } bool exec_context_may_touch_console(ExecContext *ec) { return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate || is_terminal_input(ec->std_input) || is_terminal_output(ec->std_output) || is_terminal_output(ec->std_error)) && tty_may_match_dev_console(tty_path(ec)); } static void strv_fprintf(FILE *f, char **l) { char **g; assert(f); STRV_FOREACH(g, l) fprintf(f, " %s", *g); } void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { char **e; unsigned i; assert(c); assert(f); prefix = strempty(prefix); fprintf(f, "%sUMask: %04o\n" "%sWorkingDirectory: %s\n" "%sRootDirectory: %s\n" "%sNonBlocking: %s\n" "%sPrivateTmp: %s\n" "%sPrivateNetwork: %s\n" "%sPrivateDevices: %s\n" "%sProtectHome: %s\n" "%sProtectSystem: %s\n" "%sIgnoreSIGPIPE: %s\n", prefix, c->umask, prefix, c->working_directory ? c->working_directory : "/", prefix, c->root_directory ? c->root_directory : "/", prefix, yes_no(c->non_blocking), prefix, yes_no(c->private_tmp), prefix, yes_no(c->private_network), prefix, yes_no(c->private_devices), prefix, protect_home_to_string(c->protect_home), prefix, protect_system_to_string(c->protect_system), prefix, yes_no(c->ignore_sigpipe)); STRV_FOREACH(e, c->environment) fprintf(f, "%sEnvironment: %s\n", prefix, *e); STRV_FOREACH(e, c->environment_files) fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e); if (c->nice_set) fprintf(f, "%sNice: %i\n", prefix, c->nice); if (c->oom_score_adjust_set) fprintf(f, "%sOOMScoreAdjust: %i\n", prefix, c->oom_score_adjust); for (i = 0; i < RLIM_NLIMITS; i++) if (c->rlimit[i]) fprintf(f, "%s%s: "RLIM_FMT"\n", prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max); if (c->ioprio_set) { _cleanup_free_ char *class_str = NULL; ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str); fprintf(f, "%sIOSchedulingClass: %s\n" "%sIOPriority: %i\n", prefix, strna(class_str), prefix, (int) IOPRIO_PRIO_DATA(c->ioprio)); } if (c->cpu_sched_set) { _cleanup_free_ char *policy_str = NULL; sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str); fprintf(f, "%sCPUSchedulingPolicy: %s\n" "%sCPUSchedulingPriority: %i\n" "%sCPUSchedulingResetOnFork: %s\n", prefix, strna(policy_str), prefix, c->cpu_sched_priority, prefix, yes_no(c->cpu_sched_reset_on_fork)); } if (c->cpuset) { fprintf(f, "%sCPUAffinity:", prefix); for (i = 0; i < c->cpuset_ncpus; i++) if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset)) fprintf(f, " %u", i); fputs("\n", f); } if (c->timer_slack_nsec != NSEC_INFINITY) fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec); fprintf(f, "%sStandardInput: %s\n" "%sStandardOutput: %s\n" "%sStandardError: %s\n", prefix, exec_input_to_string(c->std_input), prefix, exec_output_to_string(c->std_output), prefix, exec_output_to_string(c->std_error)); if (c->tty_path) fprintf(f, "%sTTYPath: %s\n" "%sTTYReset: %s\n" "%sTTYVHangup: %s\n" "%sTTYVTDisallocate: %s\n", prefix, c->tty_path, prefix, yes_no(c->tty_reset), prefix, yes_no(c->tty_vhangup), prefix, yes_no(c->tty_vt_disallocate)); if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL || c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE || c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL || c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) { _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL; log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str); log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str); fprintf(f, "%sSyslogFacility: %s\n" "%sSyslogLevel: %s\n", prefix, strna(fac_str), prefix, strna(lvl_str)); } if (c->capabilities) { _cleanup_cap_free_charp_ char *t; t = cap_to_text(c->capabilities, NULL); if (t) fprintf(f, "%sCapabilities: %s\n", prefix, t); } if (c->secure_bits) fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n", prefix, (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "", (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "", (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "", (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "", (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "", (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); if (c->capability_bounding_set_drop) { unsigned long l; fprintf(f, "%sCapabilityBoundingSet:", prefix); for (l = 0; l <= cap_last_cap(); l++) if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) fprintf(f, " %s", strna(capability_to_name(l))); fputs("\n", f); } if (c->user) fprintf(f, "%sUser: %s\n", prefix, c->user); if (c->group) fprintf(f, "%sGroup: %s\n", prefix, c->group); if (strv_length(c->supplementary_groups) > 0) { fprintf(f, "%sSupplementaryGroups:", prefix); strv_fprintf(f, c->supplementary_groups); fputs("\n", f); } if (c->pam_name) fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name); if (strv_length(c->read_write_dirs) > 0) { fprintf(f, "%sReadWriteDirs:", prefix); strv_fprintf(f, c->read_write_dirs); fputs("\n", f); } if (strv_length(c->read_only_dirs) > 0) { fprintf(f, "%sReadOnlyDirs:", prefix); strv_fprintf(f, c->read_only_dirs); fputs("\n", f); } if (strv_length(c->inaccessible_dirs) > 0) { fprintf(f, "%sInaccessibleDirs:", prefix); strv_fprintf(f, c->inaccessible_dirs); fputs("\n", f); } if (c->utmp_id) fprintf(f, "%sUtmpIdentifier: %s\n", prefix, c->utmp_id); if (c->selinux_context) fprintf(f, "%sSELinuxContext: %s%s\n", prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context); if (c->personality != 0xffffffffUL) fprintf(f, "%sPersonality: %s\n", prefix, strna(personality_to_string(c->personality))); if (c->syscall_filter) { #ifdef HAVE_SECCOMP Iterator j; void *id; bool first = true; #endif fprintf(f, "%sSystemCallFilter: ", prefix); if (!c->syscall_whitelist) fputc('~', f); #ifdef HAVE_SECCOMP SET_FOREACH(id, c->syscall_filter, j) { _cleanup_free_ char *name = NULL; if (first) first = false; else fputc(' ', f); name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1); fputs(strna(name), f); } #endif fputc('\n', f); } if (c->syscall_archs) { #ifdef HAVE_SECCOMP Iterator j; void *id; #endif fprintf(f, "%sSystemCallArchitectures:", prefix); #ifdef HAVE_SECCOMP SET_FOREACH(id, c->syscall_archs, j) fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1))); #endif fputc('\n', f); } if (c->syscall_errno != 0) fprintf(f, "%sSystemCallErrorNumber: %s\n", prefix, strna(errno_to_name(c->syscall_errno))); if (c->apparmor_profile) fprintf(f, "%sAppArmorProfile: %s%s\n", prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile); } bool exec_context_maintains_privileges(ExecContext *c) { assert(c); /* Returns true if the process forked off would run run under * an unchanged UID or as root. */ if (!c->user) return true; if (streq(c->user, "root") || streq(c->user, "0")) return true; return false; } void exec_status_start(ExecStatus *s, pid_t pid) { assert(s); zero(*s); s->pid = pid; dual_timestamp_get(&s->start_timestamp); } void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) { assert(s); if (s->pid && s->pid != pid) zero(*s); s->pid = pid; dual_timestamp_get(&s->exit_timestamp); s->code = code; s->status = status; if (context) { if (context->utmp_id) utmp_put_dead_process(context->utmp_id, pid, code, status); exec_context_tty_reset(context); } } void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) { char buf[FORMAT_TIMESTAMP_MAX]; assert(s); assert(f); if (s->pid <= 0) return; prefix = strempty(prefix); fprintf(f, "%sPID: "PID_FMT"\n", prefix, s->pid); if (s->start_timestamp.realtime > 0) fprintf(f, "%sStart Timestamp: %s\n", prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime)); if (s->exit_timestamp.realtime > 0) fprintf(f, "%sExit Timestamp: %s\n" "%sExit Code: %s\n" "%sExit Status: %i\n", prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime), prefix, sigchld_code_to_string(s->code), prefix, s->status); } char *exec_command_line(char **argv) { size_t k; char *n, *p, **a; bool first = true; assert(argv); k = 1; STRV_FOREACH(a, argv) k += strlen(*a)+3; if (!(n = new(char, k))) return NULL; p = n; STRV_FOREACH(a, argv) { if (!first) *(p++) = ' '; else first = false; if (strpbrk(*a, WHITESPACE)) { *(p++) = '\''; p = stpcpy(p, *a); *(p++) = '\''; } else p = stpcpy(p, *a); } *p = 0; /* FIXME: this doesn't really handle arguments that have * spaces and ticks in them */ return n; } void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { _cleanup_free_ char *cmd = NULL; const char *prefix2; assert(c); assert(f); prefix = strempty(prefix); prefix2 = strappenda(prefix, "\t"); cmd = exec_command_line(c->argv); fprintf(f, "%sCommand Line: %s\n", prefix, cmd ? cmd : strerror(ENOMEM)); exec_status_dump(&c->exec_status, f, prefix2); } void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) { assert(f); prefix = strempty(prefix); LIST_FOREACH(command, c, c) exec_command_dump(c, f, prefix); } void exec_command_append_list(ExecCommand **l, ExecCommand *e) { ExecCommand *end; assert(l); assert(e); if (*l) { /* It's kind of important, that we keep the order here */ LIST_FIND_TAIL(command, *l, end); LIST_INSERT_AFTER(command, *l, end, e); } else *l = e; } int exec_command_set(ExecCommand *c, const char *path, ...) { va_list ap; char **l, *p; assert(c); assert(path); va_start(ap, path); l = strv_new_ap(path, ap); va_end(ap); if (!l) return -ENOMEM; p = strdup(path); if (!p) { strv_free(l); return -ENOMEM; } free(c->path); c->path = p; strv_free(c->argv); c->argv = l; return 0; } int exec_command_append(ExecCommand *c, const char *path, ...) { _cleanup_strv_free_ char **l = NULL; va_list ap; int r; assert(c); assert(path); va_start(ap, path); l = strv_new_ap(path, ap); va_end(ap); if (!l) return -ENOMEM; r = strv_extend_strv(&c->argv, l); if (r < 0) return r; return 0; } static int exec_runtime_allocate(ExecRuntime **rt) { if (*rt) return 0; *rt = new0(ExecRuntime, 1); if (!*rt) return -ENOMEM; (*rt)->n_ref = 1; (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1; return 0; } int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) { int r; assert(rt); assert(c); assert(id); if (*rt) return 1; if (!c->private_network && !c->private_tmp) return 0; r = exec_runtime_allocate(rt); if (r < 0) return r; if (c->private_network && (*rt)->netns_storage_socket[0] < 0) { if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0) return -errno; } if (c->private_tmp && !(*rt)->tmp_dir) { r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir); if (r < 0) return r; } return 1; } ExecRuntime *exec_runtime_ref(ExecRuntime *r) { assert(r); assert(r->n_ref > 0); r->n_ref++; return r; } ExecRuntime *exec_runtime_unref(ExecRuntime *r) { if (!r) return NULL; assert(r->n_ref > 0); r->n_ref--; if (r->n_ref <= 0) { free(r->tmp_dir); free(r->var_tmp_dir); safe_close_pair(r->netns_storage_socket); free(r); } return NULL; } int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) { assert(u); assert(f); assert(fds); if (!rt) return 0; if (rt->tmp_dir) unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir); if (rt->var_tmp_dir) unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir); if (rt->netns_storage_socket[0] >= 0) { int copy; copy = fdset_put_dup(fds, rt->netns_storage_socket[0]); if (copy < 0) return copy; unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy); } if (rt->netns_storage_socket[1] >= 0) { int copy; copy = fdset_put_dup(fds, rt->netns_storage_socket[1]); if (copy < 0) return copy; unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy); } return 0; } int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) { int r; assert(rt); assert(key); assert(value); if (streq(key, "tmp-dir")) { char *copy; r = exec_runtime_allocate(rt); if (r < 0) return r; copy = strdup(value); if (!copy) return log_oom(); free((*rt)->tmp_dir); (*rt)->tmp_dir = copy; } else if (streq(key, "var-tmp-dir")) { char *copy; r = exec_runtime_allocate(rt); if (r < 0) return r; copy = strdup(value); if (!copy) return log_oom(); free((*rt)->var_tmp_dir); (*rt)->var_tmp_dir = copy; } else if (streq(key, "netns-socket-0")) { int fd; r = exec_runtime_allocate(rt); if (r < 0) return r; if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) log_unit_debug(u->id, "Failed to parse netns socket value %s", value); else { safe_close((*rt)->netns_storage_socket[0]); (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd); } } else if (streq(key, "netns-socket-1")) { int fd; r = exec_runtime_allocate(rt); if (r < 0) return r; if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) log_unit_debug(u->id, "Failed to parse netns socket value %s", value); else { safe_close((*rt)->netns_storage_socket[1]); (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd); } } else return 0; return 1; } static void *remove_tmpdir_thread(void *p) { _cleanup_free_ char *path = p; rm_rf_dangerous(path, false, true, false); return NULL; } void exec_runtime_destroy(ExecRuntime *rt) { int r; if (!rt) return; /* If there are multiple users of this, let's leave the stuff around */ if (rt->n_ref > 1) return; if (rt->tmp_dir) { log_debug("Spawning thread to nuke %s", rt->tmp_dir); r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir); if (r < 0) { log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir); free(rt->tmp_dir); } rt->tmp_dir = NULL; } if (rt->var_tmp_dir) { log_debug("Spawning thread to nuke %s", rt->var_tmp_dir); r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir); if (r < 0) { log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir); free(rt->var_tmp_dir); } rt->var_tmp_dir = NULL; } safe_close_pair(rt->netns_storage_socket); } static const char* const exec_input_table[_EXEC_INPUT_MAX] = { [EXEC_INPUT_NULL] = "null", [EXEC_INPUT_TTY] = "tty", [EXEC_INPUT_TTY_FORCE] = "tty-force", [EXEC_INPUT_TTY_FAIL] = "tty-fail", [EXEC_INPUT_SOCKET] = "socket" }; DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput); static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = { [EXEC_OUTPUT_INHERIT] = "inherit", [EXEC_OUTPUT_NULL] = "null", [EXEC_OUTPUT_TTY] = "tty", [EXEC_OUTPUT_SYSLOG] = "syslog", [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console", [EXEC_OUTPUT_KMSG] = "kmsg", [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console", [EXEC_OUTPUT_JOURNAL] = "journal", [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console", [EXEC_OUTPUT_SOCKET] = "socket" }; DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);