Line data Source code
1 : /* SPDX-License-Identifier: LGPL-2.1+ */
2 : #pragma once
3 :
4 : typedef struct ExecStatus ExecStatus;
5 : typedef struct ExecCommand ExecCommand;
6 : typedef struct ExecContext ExecContext;
7 : typedef struct ExecRuntime ExecRuntime;
8 : typedef struct ExecParameters ExecParameters;
9 : typedef struct Manager Manager;
10 :
11 : #include <sched.h>
12 : #include <stdbool.h>
13 : #include <stdio.h>
14 : #include <sys/capability.h>
15 :
16 : #include "cgroup-util.h"
17 : #include "cpu-set-util.h"
18 : #include "exec-util.h"
19 : #include "fdset.h"
20 : #include "list.h"
21 : #include "missing_resource.h"
22 : #include "namespace.h"
23 : #include "nsflags.h"
24 : #include "time-util.h"
25 :
26 : #define EXEC_STDIN_DATA_MAX (64U*1024U*1024U)
27 :
28 : typedef enum ExecUtmpMode {
29 : EXEC_UTMP_INIT,
30 : EXEC_UTMP_LOGIN,
31 : EXEC_UTMP_USER,
32 : _EXEC_UTMP_MODE_MAX,
33 : _EXEC_UTMP_MODE_INVALID = -1
34 : } ExecUtmpMode;
35 :
36 : typedef enum ExecInput {
37 : EXEC_INPUT_NULL,
38 : EXEC_INPUT_TTY,
39 : EXEC_INPUT_TTY_FORCE,
40 : EXEC_INPUT_TTY_FAIL,
41 : EXEC_INPUT_SOCKET,
42 : EXEC_INPUT_NAMED_FD,
43 : EXEC_INPUT_DATA,
44 : EXEC_INPUT_FILE,
45 : _EXEC_INPUT_MAX,
46 : _EXEC_INPUT_INVALID = -1
47 : } ExecInput;
48 :
49 : typedef enum ExecOutput {
50 : EXEC_OUTPUT_INHERIT,
51 : EXEC_OUTPUT_NULL,
52 : EXEC_OUTPUT_TTY,
53 : EXEC_OUTPUT_SYSLOG,
54 : EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
55 : EXEC_OUTPUT_KMSG,
56 : EXEC_OUTPUT_KMSG_AND_CONSOLE,
57 : EXEC_OUTPUT_JOURNAL,
58 : EXEC_OUTPUT_JOURNAL_AND_CONSOLE,
59 : EXEC_OUTPUT_SOCKET,
60 : EXEC_OUTPUT_NAMED_FD,
61 : EXEC_OUTPUT_FILE,
62 : EXEC_OUTPUT_FILE_APPEND,
63 : _EXEC_OUTPUT_MAX,
64 : _EXEC_OUTPUT_INVALID = -1
65 : } ExecOutput;
66 :
67 : typedef enum ExecPreserveMode {
68 : EXEC_PRESERVE_NO,
69 : EXEC_PRESERVE_YES,
70 : EXEC_PRESERVE_RESTART,
71 : _EXEC_PRESERVE_MODE_MAX,
72 : _EXEC_PRESERVE_MODE_INVALID = -1
73 : } ExecPreserveMode;
74 :
75 : typedef enum ExecKeyringMode {
76 : EXEC_KEYRING_INHERIT,
77 : EXEC_KEYRING_PRIVATE,
78 : EXEC_KEYRING_SHARED,
79 : _EXEC_KEYRING_MODE_MAX,
80 : _EXEC_KEYRING_MODE_INVALID = -1,
81 : } ExecKeyringMode;
82 :
83 : /* Contains start and exit information about an executed command. */
84 : struct ExecStatus {
85 : dual_timestamp start_timestamp;
86 : dual_timestamp exit_timestamp;
87 : pid_t pid;
88 : int code; /* as in siginfo_t::si_code */
89 : int status; /* as in sigingo_t::si_status */
90 : };
91 :
92 : /* Stores information about commands we execute. Covers both configuration settings as well as runtime data. */
93 : struct ExecCommand {
94 : char *path;
95 : char **argv;
96 : ExecStatus exec_status;
97 : ExecCommandFlags flags;
98 : LIST_FIELDS(ExecCommand, command); /* useful for chaining commands */
99 : };
100 :
101 : /* Encapsulates certain aspects of the runtime environment that is to be shared between multiple otherwise separate
102 : * invocations of commands. Specifically, this allows sharing of /tmp and /var/tmp data as well as network namespaces
103 : * between invocations of commands. This is a reference counted object, with one reference taken by each currently
104 : * active command invocation that wants to share this runtime. */
105 : struct ExecRuntime {
106 : unsigned n_ref;
107 :
108 : Manager *manager;
109 :
110 : char *id; /* Unit id of the owner */
111 :
112 : char *tmp_dir;
113 : char *var_tmp_dir;
114 :
115 : /* An AF_UNIX socket pair, that contains a datagram containing a file descriptor referring to the network
116 : * namespace. */
117 : int netns_storage_socket[2];
118 : };
119 :
120 : typedef enum ExecDirectoryType {
121 : EXEC_DIRECTORY_RUNTIME = 0,
122 : EXEC_DIRECTORY_STATE,
123 : EXEC_DIRECTORY_CACHE,
124 : EXEC_DIRECTORY_LOGS,
125 : EXEC_DIRECTORY_CONFIGURATION,
126 : _EXEC_DIRECTORY_TYPE_MAX,
127 : _EXEC_DIRECTORY_TYPE_INVALID = -1,
128 : } ExecDirectoryType;
129 :
130 : typedef struct ExecDirectory {
131 : char **paths;
132 : mode_t mode;
133 : } ExecDirectory;
134 :
135 : typedef enum ExecCleanMask {
136 : /* In case you wonder why the bitmask below doesn't use "directory" in its name: we want to keep this
137 : * generic so that .timer timestamp files can nicely be covered by this too, and similar. */
138 : EXEC_CLEAN_RUNTIME = 1U << EXEC_DIRECTORY_RUNTIME,
139 : EXEC_CLEAN_STATE = 1U << EXEC_DIRECTORY_STATE,
140 : EXEC_CLEAN_CACHE = 1U << EXEC_DIRECTORY_CACHE,
141 : EXEC_CLEAN_LOGS = 1U << EXEC_DIRECTORY_LOGS,
142 : EXEC_CLEAN_CONFIGURATION = 1U << EXEC_DIRECTORY_CONFIGURATION,
143 : EXEC_CLEAN_NONE = 0,
144 : EXEC_CLEAN_ALL = (1U << _EXEC_DIRECTORY_TYPE_MAX) - 1,
145 : _EXEC_CLEAN_MASK_INVALID = -1,
146 : } ExecCleanMask;
147 :
148 : /* Encodes configuration parameters applied to invoked commands. Does not carry runtime data, but only configuration
149 : * changes sourced from unit files and suchlike. ExecContext objects are usually embedded into Unit objects, and do not
150 : * change after being loaded. */
151 : struct ExecContext {
152 : char **environment;
153 : char **environment_files;
154 : char **pass_environment;
155 : char **unset_environment;
156 :
157 : struct rlimit *rlimit[_RLIMIT_MAX];
158 : char *working_directory, *root_directory, *root_image;
159 : bool working_directory_missing_ok:1;
160 : bool working_directory_home:1;
161 :
162 : bool oom_score_adjust_set:1;
163 : bool nice_set:1;
164 : bool ioprio_set:1;
165 : bool cpu_sched_set:1;
166 :
167 : /* This is not exposed to the user but available internally. We need it to make sure that whenever we
168 : * spawn /usr/bin/mount it is run in the same process group as us so that the autofs logic detects
169 : * that it belongs to us and we don't enter a trigger loop. */
170 : bool same_pgrp;
171 :
172 : bool cpu_sched_reset_on_fork;
173 : bool non_blocking;
174 :
175 : mode_t umask;
176 : int oom_score_adjust;
177 : int nice;
178 : int ioprio;
179 : int cpu_sched_policy;
180 : int cpu_sched_priority;
181 :
182 : CPUSet cpu_set;
183 : NUMAPolicy numa_policy;
184 :
185 : ExecInput std_input;
186 : ExecOutput std_output;
187 : ExecOutput std_error;
188 : bool stdio_as_fds;
189 : char *stdio_fdname[3];
190 : char *stdio_file[3];
191 :
192 : void *stdin_data;
193 : size_t stdin_data_size;
194 :
195 : nsec_t timer_slack_nsec;
196 :
197 : char *tty_path;
198 :
199 : bool tty_reset;
200 : bool tty_vhangup;
201 : bool tty_vt_disallocate;
202 :
203 : bool ignore_sigpipe;
204 :
205 : ExecKeyringMode keyring_mode;
206 :
207 : /* Since resolving these names might involve socket
208 : * connections and we don't want to deadlock ourselves these
209 : * names are resolved on execution only and in the child
210 : * process. */
211 : char *user;
212 : char *group;
213 : char **supplementary_groups;
214 :
215 : char *pam_name;
216 :
217 : char *utmp_id;
218 : ExecUtmpMode utmp_mode;
219 :
220 : bool no_new_privileges;
221 :
222 : bool selinux_context_ignore;
223 : bool apparmor_profile_ignore;
224 : bool smack_process_label_ignore;
225 :
226 : char *selinux_context;
227 : char *apparmor_profile;
228 : char *smack_process_label;
229 :
230 : char **read_write_paths, **read_only_paths, **inaccessible_paths;
231 : unsigned long mount_flags;
232 : BindMount *bind_mounts;
233 : size_t n_bind_mounts;
234 : TemporaryFileSystem *temporary_filesystems;
235 : size_t n_temporary_filesystems;
236 :
237 : uint64_t capability_bounding_set;
238 : uint64_t capability_ambient_set;
239 : int secure_bits;
240 :
241 : int syslog_priority;
242 : bool syslog_level_prefix;
243 : char *syslog_identifier;
244 :
245 : struct iovec* log_extra_fields;
246 : size_t n_log_extra_fields;
247 :
248 : usec_t log_rate_limit_interval_usec;
249 : unsigned log_rate_limit_burst;
250 :
251 : int log_level_max;
252 :
253 : bool private_tmp;
254 : bool private_network;
255 : bool private_devices;
256 : bool private_users;
257 : bool private_mounts;
258 : bool protect_kernel_tunables;
259 : bool protect_kernel_modules;
260 : bool protect_control_groups;
261 : ProtectSystem protect_system;
262 : ProtectHome protect_home;
263 : bool protect_hostname;
264 : bool mount_apivfs;
265 :
266 : bool dynamic_user;
267 : bool remove_ipc;
268 :
269 : bool memory_deny_write_execute;
270 : bool restrict_realtime;
271 : bool restrict_suid_sgid;
272 :
273 : bool lock_personality;
274 : unsigned long personality;
275 :
276 : unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */
277 :
278 : Hashmap *syscall_filter;
279 : Set *syscall_archs;
280 : int syscall_errno;
281 : bool syscall_whitelist:1;
282 :
283 : bool address_families_whitelist:1;
284 : Set *address_families;
285 :
286 : char *network_namespace_path;
287 :
288 : ExecDirectory directories[_EXEC_DIRECTORY_TYPE_MAX];
289 : ExecPreserveMode runtime_directory_preserve_mode;
290 : };
291 :
292 171 : static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
293 171 : assert(c);
294 :
295 171 : return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
296 : }
297 :
298 : typedef enum ExecFlags {
299 : EXEC_APPLY_SANDBOXING = 1 << 0,
300 : EXEC_APPLY_CHROOT = 1 << 1,
301 : EXEC_APPLY_TTY_STDIN = 1 << 2,
302 : EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */
303 : EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
304 : EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
305 : EXEC_CGROUP_DELEGATE = 1 << 6,
306 : EXEC_IS_CONTROL = 1 << 7,
307 : EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */
308 :
309 : /* The following are not used by execute.c, but by consumers internally */
310 : EXEC_PASS_FDS = 1 << 9,
311 : EXEC_SETENV_RESULT = 1 << 10,
312 : EXEC_SET_WATCHDOG = 1 << 11,
313 : } ExecFlags;
314 :
315 : /* Parameters for a specific invocation of a command. This structure is put together right before a command is
316 : * executed. */
317 : struct ExecParameters {
318 : char **environment;
319 :
320 : int *fds;
321 : char **fd_names;
322 : size_t n_socket_fds;
323 : size_t n_storage_fds;
324 :
325 : ExecFlags flags;
326 : bool selinux_context_net:1;
327 :
328 : CGroupMask cgroup_supported;
329 : const char *cgroup_path;
330 :
331 : char **prefix;
332 :
333 : const char *confirm_spawn;
334 :
335 : usec_t watchdog_usec;
336 :
337 : int *idle_pipe;
338 :
339 : int stdin_fd;
340 : int stdout_fd;
341 : int stderr_fd;
342 :
343 : /* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */
344 : int exec_fd;
345 : };
346 :
347 : #include "unit.h"
348 : #include "dynamic-user.h"
349 :
350 : int exec_spawn(Unit *unit,
351 : ExecCommand *command,
352 : const ExecContext *context,
353 : const ExecParameters *exec_params,
354 : ExecRuntime *runtime,
355 : DynamicCreds *dynamic_creds,
356 : pid_t *ret);
357 :
358 : void exec_command_done_array(ExecCommand *c, size_t n);
359 : ExecCommand* exec_command_free_list(ExecCommand *c);
360 : void exec_command_free_array(ExecCommand **c, size_t n);
361 : void exec_command_reset_status_array(ExecCommand *c, size_t n);
362 : void exec_command_reset_status_list_array(ExecCommand **c, size_t n);
363 : void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix);
364 : void exec_command_append_list(ExecCommand **l, ExecCommand *e);
365 : int exec_command_set(ExecCommand *c, const char *path, ...) _sentinel_;
366 : int exec_command_append(ExecCommand *c, const char *path, ...) _sentinel_;
367 :
368 : void exec_context_init(ExecContext *c);
369 : void exec_context_done(ExecContext *c);
370 : void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix);
371 :
372 : int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_root);
373 :
374 : const char* exec_context_fdname(const ExecContext *c, int fd_index);
375 :
376 : bool exec_context_may_touch_console(const ExecContext *c);
377 : bool exec_context_maintains_privileges(const ExecContext *c);
378 :
379 : int exec_context_get_effective_ioprio(const ExecContext *c);
380 :
381 : void exec_context_free_log_extra_fields(ExecContext *c);
382 :
383 : void exec_context_revert_tty(ExecContext *c);
384 :
385 : int exec_context_get_clean_directories(ExecContext *c, char **prefix, ExecCleanMask mask, char ***ret);
386 : int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret);
387 :
388 : void exec_status_start(ExecStatus *s, pid_t pid);
389 : void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status);
390 : void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix);
391 : void exec_status_reset(ExecStatus *s);
392 :
393 : int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *name, bool create, ExecRuntime **ret);
394 : ExecRuntime *exec_runtime_unref(ExecRuntime *r, bool destroy);
395 :
396 : int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds);
397 : int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds);
398 : void exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds);
399 : void exec_runtime_vacuum(Manager *m);
400 :
401 : void exec_params_clear(ExecParameters *p);
402 :
403 : const char* exec_output_to_string(ExecOutput i) _const_;
404 : ExecOutput exec_output_from_string(const char *s) _pure_;
405 :
406 : const char* exec_input_to_string(ExecInput i) _const_;
407 : ExecInput exec_input_from_string(const char *s) _pure_;
408 :
409 : const char* exec_utmp_mode_to_string(ExecUtmpMode i) _const_;
410 : ExecUtmpMode exec_utmp_mode_from_string(const char *s) _pure_;
411 :
412 : const char* exec_preserve_mode_to_string(ExecPreserveMode i) _const_;
413 : ExecPreserveMode exec_preserve_mode_from_string(const char *s) _pure_;
414 :
415 : const char* exec_keyring_mode_to_string(ExecKeyringMode i) _const_;
416 : ExecKeyringMode exec_keyring_mode_from_string(const char *s) _pure_;
417 :
418 : const char* exec_directory_type_to_string(ExecDirectoryType i) _const_;
419 : ExecDirectoryType exec_directory_type_from_string(const char *s) _pure_;
420 :
421 : const char* exec_resource_type_to_string(ExecDirectoryType i) _const_;
422 : ExecDirectoryType exec_resource_type_from_string(const char *s) _pure_;
|
