/src/systemd/src/basic/argv-util.c

Source
/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <sched.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/prctl.h>

#include "argv-util.h"
#include "capability-util.h"
#include "errno-util.h"
#include "log.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
#include "string-util.h"
#include "strv.h"

int saved_argc = 0;
char **saved_argv = NULL;

void save_argc_argv(int argc, char **argv) {
        /* Protect against CVE-2021-4034 style attacks */
        assert_se(argc > 0);
        assert_se(argv);
        assert_se(argv[0]);

        saved_argc = argc;
        saved_argv = argv;
}

bool invoked_as(char *argv[], const char *token) {
        if (!argv || isempty(argv[0]))
                return false;

        if (isempty(token))
                return false;

        return strstr(last_path_component(argv[0]), token);
}

bool invoked_by_systemd(void) {
        int r;

        /* If the process is directly executed by PID1 (e.g. ExecStart= or generator), systemd-importd,
         * or systemd-homed, then $SYSTEMD_EXEC_PID= is set, and read the command line. */
        const char *e = getenv("SYSTEMD_EXEC_PID");
        if (!e)
                return false;

        if (streq(e, "*"))
                /* For testing. */
                return true;

        pid_t p;
        r = parse_pid(e, &p);
        if (r < 0) {
                /* We know that systemd sets the variable correctly. Something else must have set it. */
                log_debug_errno(r, "Failed to parse \"SYSTEMD_EXEC_PID=%s\", ignoring: %m", e);
                return false;
        }

        return getpid_cached() == p;
}

bool argv_looks_like_help(int argc, char **argv) {
        char **l;

        /* Scans the command line for indications the user asks for help. This is supposed to be called by
         * tools that do not implement getopt() style command line parsing because they are not primarily
         * user-facing. Detects four ways of asking for help:
         *
         * 1. Passing zero arguments
         * 2. Passing "help" as first argument
         * 3. Passing --help as any argument
         * 4. Passing -h as any argument
         */

        if (argc <= 1)
                return true;

        if (streq_ptr(argv[1], "help"))
                return true;

        l = strv_skip(argv, 1);

        return strv_contains(l, "--help") ||
                strv_contains(l, "-h");
}

static int update_argv(const char name[], size_t l) {
        static int can_do = -1;
        int r;

        assert(name);
        assert(l < SIZE_MAX);

        if (can_do == 0)
                return 0;
        can_do = false; /* We'll set it to true only if the whole process works */

        /* Calling prctl() with PR_SET_MM_ARG_{START,END} requires CAP_SYS_RESOURCE so let's use this as quick bypass
         * check, to avoid calling mmap() should PR_SET_MM_ARG_{START,END} fail with EPERM later on anyway. */
        r = have_effective_cap(CAP_SYS_RESOURCE);
        if (r < 0)
                return log_debug_errno(r, "Failed to check if we have enough privileges: %m");
        if (r == 0)
                return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
                                       "Skipping PR_SET_MM, as we don't have privileges.");

        static size_t mm_size = 0;
        static char *mm = NULL;

        if (mm_size < l+1) {
                size_t nn_size;
                char *nn;

                nn_size = PAGE_ALIGN(l+1);
                if (nn_size >= SIZE_MAX)
                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The requested argument is too long.");

                nn = mmap(NULL, nn_size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
                if (nn == MAP_FAILED)
                        return log_debug_errno(errno, "mmap() failed: %m");

                strncpy(nn, name, nn_size);

                /* Now, let's tell the kernel about this new memory */
                if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0) {
                        if (ERRNO_IS_PRIVILEGE(errno))
                                return log_debug_errno(errno, "PR_SET_MM_ARG_START failed: %m");

                        /* HACK: prctl() API is kind of dumb on this point.  The existing end address may already be
                         * below the desired start address, in which case the kernel may have kicked this back due
                         * to a range-check failure (see linux/kernel/sys.c:validate_prctl_map() to see this in
                         * action).  The proper solution would be to have a prctl() API that could set both start+end
                         * simultaneously, or at least let us query the existing address to anticipate this condition
                         * and respond accordingly.  For now, we can only guess at the cause of this failure and try
                         * a workaround--which will briefly expand the arg space to something potentially huge before
                         * resizing it to what we want. */
                        log_debug_errno(errno, "PR_SET_MM_ARG_START failed, attempting PR_SET_MM_ARG_END hack: %m");

                        if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0) {
                                r = log_debug_errno(errno, "PR_SET_MM_ARG_END hack failed, proceeding without: %m");
                                (void) munmap(nn, nn_size);
                                return r;
                        }

                        if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0)
                                return log_debug_errno(errno, "PR_SET_MM_ARG_START still failed, proceeding without: %m");
                } else {
                        /* And update the end pointer to the new end, too. If this fails, we don't really know what
                         * to do, it's pretty unlikely that we can rollback, hence we'll just accept the failure,
                         * and continue. */
                        if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0)
                                log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m");
                }

                if (mm)
                        (void) munmap(mm, mm_size);

                mm = nn;
                mm_size = nn_size;
        } else {
                strncpy(mm, name, mm_size);

                /* Update the end pointer, continuing regardless of any failure. */
                if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) mm + l + 1, 0, 0) < 0)
                        log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m");
        }

        can_do = true;
        return 0;
}

int rename_process_full(const char *comm, const char *invocation) {
        bool truncated = false;

        /* This is a like a poor man's setproctitle(). It changes the comm field by the name specified by
         * 'comm', and changes argv[0] and the glibc's internally used names of the process
         * (program_invocation_name and program_invocation_short_name) by the name specified by 'invocation'.
         * For the first one a limit of 16 chars applies; to the second one in many cases one of 10 (i.e.
         * length of "/sbin/init") — however if we have CAP_SYS_RESOURCES it is unbounded; to the third one
         * 7 (i.e. the length of "systemd". If you pass a longer string it will likely be truncated.
         *
         * Returns 0 if a name was set but truncated, > 0 if it was set but not truncated. */

        if (isempty(comm))
                return -EINVAL; /* let's not confuse users unnecessarily with an empty name */

        if (!is_main_thread())
                return -EPERM; /* Let's not allow setting the process name from other threads than the main one, as we
                                * cache things without locking, and we make assumptions that PR_SET_NAME sets the
                                * process name that isn't correct on any other threads */

        size_t l = strlen(comm);

        /* First step, change the comm field. The main thread's comm is identical to the process comm. This means we
         * can use PR_SET_NAME, which sets the thread name for the calling thread. */
        if (prctl(PR_SET_NAME, comm) < 0)
                log_debug_errno(errno, "PR_SET_NAME failed: %m");
        if (l >= TASK_COMM_LEN) /* Linux userspace process names can be 15 chars at max */
                truncated = true;

        /* If nothing specified, fall back to comm. */
        if (isempty(invocation))
                invocation = comm;

        l = strlen(invocation);

        /* Second step, change glibc's ID of the process name. */
        if (program_invocation_name) {
                size_t k;

                k = strlen(program_invocation_name);
                strncpy(program_invocation_name, invocation, k);
                if (l > k)
                        truncated = true;

                /* Also update the short name. */
                char *p = strrchr(program_invocation_name, '/');
                program_invocation_short_name = p ? p + 1 : program_invocation_name;
        }

        /* Third step, completely replace the argv[] array the kernel maintains for us. This requires privileges, but
         * has the advantage that the argv[] array is exactly what we want it to be, and not filled up with zeros at
         * the end. This is the best option for changing /proc/self/cmdline. */
        (void) update_argv(invocation, l);

        /* Fourth step: in all cases we'll also update the original argv[], so that our own code gets it right too if
         * it still looks here */
        if (saved_argc > 0) {
                if (saved_argv[0]) {
                        size_t k;

                        k = strlen(saved_argv[0]);
                        strncpy(saved_argv[0], invocation, k);
                        if (l > k)
                                truncated = true;
                }

                for (int i = 1; i < saved_argc; i++) {
                        if (!saved_argv[i])
                                break;

                        memzero(saved_argv[i], strlen(saved_argv[i]));
                }
        }

        return !truncated;
}

Coverage Report

Created: 2025-11-16 06:36

Line	Count	Source
1		/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3		#include <sched.h>
4		#include <stdlib.h>
5		#include <sys/mman.h>
6		#include <sys/prctl.h>
7
8		#include "argv-util.h"
9		#include "capability-util.h"
10		#include "errno-util.h"
11		#include "log.h"
12		#include "parse-util.h"
13		#include "path-util.h"
14		#include "process-util.h"
15		#include "string-util.h"
16		#include "strv.h"
17
18		int saved_argc = 0;
19		char **saved_argv = NULL;
20
21	0	void save_argc_argv(int argc, char **argv) {
22		/* Protect against CVE-2021-4034 style attacks */
23	0	assert_se(argc > 0);
24	0	assert_se(argv);
25	0	assert_se(argv[0]);
26
27	0	saved_argc = argc;
28	0	saved_argv = argv;
29	0	}
30
31	24.0k	bool invoked_as(char argv[], const char token) {
32	24.0k	if (!argv \|\| isempty(argv[0]))
33	20.3k	return false;
34
35	3.66k	if (isempty(token))
36	0	return false;
37
38	3.66k	return strstr(last_path_component(argv[0]), token);
39	3.66k	}
40
41	202k	bool invoked_by_systemd(void) {
42	202k	int r;
43
44		/* If the process is directly executed by PID1 (e.g. ExecStart= or generator), systemd-importd,
45		* or systemd-homed, then $SYSTEMD_EXEC_PID= is set, and read the command line. */
46	202k	const char *e = getenv("SYSTEMD_EXEC_PID");
47	202k	if (!e)
48	202k	return false;
49
50	0	if (streq(e, "*"))
51		/* For testing. */
52	0	return true;
53
54	0	pid_t p;
55	0	r = parse_pid(e, &p);
56	0	if (r < 0) {
57		/* We know that systemd sets the variable correctly. Something else must have set it. */
58	0	log_debug_errno(r, "Failed to parse \"SYSTEMD_EXEC_PID=%s\", ignoring: %m", e);
59	0	return false;
60	0	}
61
62	0	return getpid_cached() == p;
63	0	}
64
65	0	bool argv_looks_like_help(int argc, char **argv) {
66	0	char **l;
67
68		/* Scans the command line for indications the user asks for help. This is supposed to be called by
69		* tools that do not implement getopt() style command line parsing because they are not primarily
70		* user-facing. Detects four ways of asking for help:
71		*
72		* 1. Passing zero arguments
73		* 2. Passing "help" as first argument
74		* 3. Passing --help as any argument
75		* 4. Passing -h as any argument
76		*/
77
78	0	if (argc <= 1)
79	0	return true;
80
81	0	if (streq_ptr(argv[1], "help"))
82	0	return true;
83
84	0	l = strv_skip(argv, 1);
85
86	0	return strv_contains(l, "--help") \|\|
87	0	strv_contains(l, "-h");
88	0	}
89
90	0	static int update_argv(const char name[], size_t l) {
91	0	static int can_do = -1;
92	0	int r;
93
94	0	assert(name);
95	0	assert(l < SIZE_MAX);
96
97	0	if (can_do == 0)
98	0	return 0;
99	0	can_do = false; /* We'll set it to true only if the whole process works */
100
101		/* Calling prctl() with PR_SET_MM_ARG_{START,END} requires CAP_SYS_RESOURCE so let's use this as quick bypass
102		* check, to avoid calling mmap() should PR_SET_MM_ARG_{START,END} fail with EPERM later on anyway. */
103	0	r = have_effective_cap(CAP_SYS_RESOURCE);
104	0	if (r < 0)
105	0	return log_debug_errno(r, "Failed to check if we have enough privileges: %m");
106	0	if (r == 0)
107	0	return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
108	0	"Skipping PR_SET_MM, as we don't have privileges.");
109
110	0	static size_t mm_size = 0;
111	0	static char *mm = NULL;
112
113	0	if (mm_size < l+1) {
114	0	size_t nn_size;
115	0	char *nn;
116
117	0	nn_size = PAGE_ALIGN(l+1);
118	0	if (nn_size >= SIZE_MAX)
119	0	return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The requested argument is too long.");
120
121	0	nn = mmap(NULL, nn_size, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0);
122	0	if (nn == MAP_FAILED)
123	0	return log_debug_errno(errno, "mmap() failed: %m");
124
125	0	strncpy(nn, name, nn_size);
126
127		/* Now, let's tell the kernel about this new memory */
128	0	if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0) {
129	0	if (ERRNO_IS_PRIVILEGE(errno))
130	0	return log_debug_errno(errno, "PR_SET_MM_ARG_START failed: %m");
131
132		/* HACK: prctl() API is kind of dumb on this point. The existing end address may already be
133		* below the desired start address, in which case the kernel may have kicked this back due
134		* to a range-check failure (see linux/kernel/sys.c:validate_prctl_map() to see this in
135		* action). The proper solution would be to have a prctl() API that could set both start+end
136		* simultaneously, or at least let us query the existing address to anticipate this condition
137		* and respond accordingly. For now, we can only guess at the cause of this failure and try
138		* a workaround--which will briefly expand the arg space to something potentially huge before
139		* resizing it to what we want. */
140	0	log_debug_errno(errno, "PR_SET_MM_ARG_START failed, attempting PR_SET_MM_ARG_END hack: %m");
141
142	0	if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0) {
143	0	r = log_debug_errno(errno, "PR_SET_MM_ARG_END hack failed, proceeding without: %m");
144	0	(void) munmap(nn, nn_size);
145	0	return r;
146	0	}
147
148	0	if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0)
149	0	return log_debug_errno(errno, "PR_SET_MM_ARG_START still failed, proceeding without: %m");
150	0	} else {
151		/* And update the end pointer to the new end, too. If this fails, we don't really know what
152		* to do, it's pretty unlikely that we can rollback, hence we'll just accept the failure,
153		* and continue. */
154	0	if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0)
155	0	log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m");
156	0	}
157
158	0	if (mm)
159	0	(void) munmap(mm, mm_size);
160
161	0	mm = nn;
162	0	mm_size = nn_size;
163	0	} else {
164	0	strncpy(mm, name, mm_size);
165
166		/* Update the end pointer, continuing regardless of any failure. */
167	0	if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) mm + l + 1, 0, 0) < 0)
168	0	log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m");
169	0	}
170
171	0	can_do = true;
172	0	return 0;
173	0	}
174
175	0	int rename_process_full(const char comm, const char invocation) {
176	0	bool truncated = false;
177
178		/* This is a like a poor man's setproctitle(). It changes the comm field by the name specified by
179		* 'comm', and changes argv[0] and the glibc's internally used names of the process
180		* (program_invocation_name and program_invocation_short_name) by the name specified by 'invocation'.
181		* For the first one a limit of 16 chars applies; to the second one in many cases one of 10 (i.e.
182		* length of "/sbin/init") — however if we have CAP_SYS_RESOURCES it is unbounded; to the third one
183		* 7 (i.e. the length of "systemd". If you pass a longer string it will likely be truncated.
184		*
185		* Returns 0 if a name was set but truncated, > 0 if it was set but not truncated. */
186
187	0	if (isempty(comm))
188	0	return -EINVAL; /* let's not confuse users unnecessarily with an empty name */
189
190	0	if (!is_main_thread())
191	0	return -EPERM; /* Let's not allow setting the process name from other threads than the main one, as we
192		* cache things without locking, and we make assumptions that PR_SET_NAME sets the
193		* process name that isn't correct on any other threads */
194
195	0	size_t l = strlen(comm);
196
197		/* First step, change the comm field. The main thread's comm is identical to the process comm. This means we
198		* can use PR_SET_NAME, which sets the thread name for the calling thread. */
199	0	if (prctl(PR_SET_NAME, comm) < 0)
200	0	log_debug_errno(errno, "PR_SET_NAME failed: %m");
201	0	if (l >= TASK_COMM_LEN) /* Linux userspace process names can be 15 chars at max */
202	0	truncated = true;
203
204		/* If nothing specified, fall back to comm. */
205	0	if (isempty(invocation))
206	0	invocation = comm;
207
208	0	l = strlen(invocation);
209
210		/* Second step, change glibc's ID of the process name. */
211	0	if (program_invocation_name) {
212	0	size_t k;
213
214	0	k = strlen(program_invocation_name);
215	0	strncpy(program_invocation_name, invocation, k);
216	0	if (l > k)
217	0	truncated = true;
218
219		/* Also update the short name. */
220	0	char *p = strrchr(program_invocation_name, '/');
221	0	program_invocation_short_name = p ? p + 1 : program_invocation_name;
222	0	}
223
224		/* Third step, completely replace the argv[] array the kernel maintains for us. This requires privileges, but
225		* has the advantage that the argv[] array is exactly what we want it to be, and not filled up with zeros at
226		* the end. This is the best option for changing /proc/self/cmdline. */
227	0	(void) update_argv(invocation, l);
228
229		/* Fourth step: in all cases we'll also update the original argv[], so that our own code gets it right too if
230		* it still looks here */
231	0	if (saved_argc > 0) {
232	0	if (saved_argv[0]) {
233	0	size_t k;
234
235	0	k = strlen(saved_argv[0]);
236	0	strncpy(saved_argv[0], invocation, k);
237	0	if (l > k)
238	0	truncated = true;
239	0	}
240
241	0	for (int i = 1; i < saved_argc; i++) {
242	0	if (!saved_argv[i])
243	0	break;
244
245	0	memzero(saved_argv[i], strlen(saved_argv[i]));
246	0	}
247	0	}
248
249	0	return !truncated;
250	0	}