1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include "qemu/osdep.h"
27#include <sys/wait.h>
28#include <pwd.h>
29#include <grp.h>
30#include <libgen.h>
31
32#include "qemu-common.h"
33
34#include "net/slirp.h"
35#include "qemu/qemu-options.h"
36#include "qemu/error-report.h"
37#include "qemu/log.h"
38#include "sysemu/runstate.h"
39#include "qemu/cutils.h"
40
41#ifdef CONFIG_LINUX
42#include <sys/prctl.h>
43#endif
44
45
46
47
48
49static struct passwd *user_pwd;
50static uid_t user_uid = (uid_t)-1;
51static gid_t user_gid = (gid_t)-1;
52
53static const char *chroot_dir;
54static int daemonize;
55static int daemon_pipe;
56
57void os_setup_early_signal_handling(void)
58{
59 struct sigaction act;
60 sigfillset(&act.sa_mask);
61 act.sa_flags = 0;
62 act.sa_handler = SIG_IGN;
63 sigaction(SIGPIPE, &act, NULL);
64}
65
66static void termsig_handler(int signal, siginfo_t *info, void *c)
67{
68 qemu_system_killed(info->si_signo, info->si_pid);
69}
70
71void os_setup_signal_handling(void)
72{
73 struct sigaction act;
74
75 memset(&act, 0, sizeof(act));
76 act.sa_sigaction = termsig_handler;
77 act.sa_flags = SA_SIGINFO;
78 sigaction(SIGINT, &act, NULL);
79 sigaction(SIGHUP, &act, NULL);
80 sigaction(SIGTERM, &act, NULL);
81}
82
83void os_set_proc_name(const char *s)
84{
85#if defined(PR_SET_NAME)
86 char name[16];
87 if (!s)
88 return;
89 pstrcpy(name, sizeof(name), s);
90
91
92 if (prctl(PR_SET_NAME, name)) {
93 error_report("unable to change process name: %s", strerror(errno));
94 exit(1);
95 }
96#else
97 error_report("Change of process name not supported by your OS");
98 exit(1);
99#endif
100}
101
102
103static bool os_parse_runas_uid_gid(const char *optarg)
104{
105 unsigned long lv;
106 const char *ep;
107 uid_t got_uid;
108 gid_t got_gid;
109 int rc;
110
111 rc = qemu_strtoul(optarg, &ep, 0, &lv);
112 got_uid = lv;
113 if (rc || *ep != ':' || got_uid != lv || got_uid == (uid_t)-1) {
114 return false;
115 }
116
117 rc = qemu_strtoul(ep + 1, 0, 0, &lv);
118 got_gid = lv;
119 if (rc || got_gid != lv || got_gid == (gid_t)-1) {
120 return false;
121 }
122
123 user_pwd = NULL;
124 user_uid = got_uid;
125 user_gid = got_gid;
126 return true;
127}
128
129
130
131
132
133int os_parse_cmd_args(int index, const char *optarg)
134{
135 switch (index) {
136 case QEMU_OPTION_runas:
137 user_pwd = getpwnam(optarg);
138 if (user_pwd) {
139 user_uid = -1;
140 user_gid = -1;
141 } else if (!os_parse_runas_uid_gid(optarg)) {
142 error_report("User \"%s\" doesn't exist"
143 " (and is not <uid>:<gid>)",
144 optarg);
145 exit(1);
146 }
147 break;
148 case QEMU_OPTION_chroot:
149 chroot_dir = optarg;
150 break;
151 case QEMU_OPTION_daemonize:
152 daemonize = 1;
153 break;
154#if defined(CONFIG_LINUX)
155 case QEMU_OPTION_enablefips:
156 warn_report("-enable-fips is deprecated, please build QEMU with "
157 "the `libgcrypt` library as the cryptography provider "
158 "to enable FIPS compliance");
159 fips_set_state(true);
160 break;
161#endif
162 default:
163 return -1;
164 }
165
166 return 0;
167}
168
169static void change_process_uid(void)
170{
171 assert((user_uid == (uid_t)-1) || user_pwd == NULL);
172 assert((user_uid == (uid_t)-1) ==
173 (user_gid == (gid_t)-1));
174
175 if (user_pwd || user_uid != (uid_t)-1) {
176 gid_t intended_gid = user_pwd ? user_pwd->pw_gid : user_gid;
177 uid_t intended_uid = user_pwd ? user_pwd->pw_uid : user_uid;
178 if (setgid(intended_gid) < 0) {
179 error_report("Failed to setgid(%d)", intended_gid);
180 exit(1);
181 }
182 if (user_pwd) {
183 if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
184 error_report("Failed to initgroups(\"%s\", %d)",
185 user_pwd->pw_name, user_pwd->pw_gid);
186 exit(1);
187 }
188 } else {
189 if (setgroups(1, &user_gid) < 0) {
190 error_report("Failed to setgroups(1, [%d])",
191 user_gid);
192 exit(1);
193 }
194 }
195 if (setuid(intended_uid) < 0) {
196 error_report("Failed to setuid(%d)", intended_uid);
197 exit(1);
198 }
199 if (setuid(0) != -1) {
200 error_report("Dropping privileges failed");
201 exit(1);
202 }
203 }
204}
205
206static void change_root(void)
207{
208 if (chroot_dir) {
209 if (chroot(chroot_dir) < 0) {
210 error_report("chroot failed");
211 exit(1);
212 }
213 if (chdir("/")) {
214 error_report("not able to chdir to /: %s", strerror(errno));
215 exit(1);
216 }
217 }
218
219}
220
221void os_daemonize(void)
222{
223 if (daemonize) {
224 pid_t pid;
225 int fds[2];
226
227 if (pipe(fds) == -1) {
228 exit(1);
229 }
230
231 pid = fork();
232 if (pid > 0) {
233 uint8_t status;
234 ssize_t len;
235
236 close(fds[1]);
237
238 do {
239 len = read(fds[0], &status, 1);
240 } while (len < 0 && errno == EINTR);
241
242
243
244 exit(len == 1 && status == 0 ? 0 : 1);
245
246 } else if (pid < 0) {
247 exit(1);
248 }
249
250 close(fds[0]);
251 daemon_pipe = fds[1];
252 qemu_set_cloexec(daemon_pipe);
253
254 setsid();
255
256 pid = fork();
257 if (pid > 0) {
258 exit(0);
259 } else if (pid < 0) {
260 exit(1);
261 }
262 umask(027);
263
264 signal(SIGTSTP, SIG_IGN);
265 signal(SIGTTOU, SIG_IGN);
266 signal(SIGTTIN, SIG_IGN);
267 }
268}
269
270void os_setup_post(void)
271{
272 int fd = 0;
273
274 if (daemonize) {
275 if (chdir("/")) {
276 error_report("not able to chdir to /: %s", strerror(errno));
277 exit(1);
278 }
279 TFR(fd = qemu_open_old("/dev/null", O_RDWR));
280 if (fd == -1) {
281 exit(1);
282 }
283 }
284
285 change_root();
286 change_process_uid();
287
288 if (daemonize) {
289 uint8_t status = 0;
290 ssize_t len;
291
292 dup2(fd, 0);
293 dup2(fd, 1);
294
295 if (!qemu_logfile) {
296 dup2(fd, 2);
297 }
298
299 close(fd);
300
301 do {
302 len = write(daemon_pipe, &status, 1);
303 } while (len < 0 && errno == EINTR);
304 if (len != 1) {
305 exit(1);
306 }
307 }
308}
309
310void os_set_line_buffering(void)
311{
312 setvbuf(stdout, NULL, _IOLBF, 0);
313}
314
315bool is_daemonized(void)
316{
317 return daemonize;
318}
319
320int os_mlock(void)
321{
322#ifdef HAVE_MLOCKALL
323 int ret = 0;
324
325 ret = mlockall(MCL_CURRENT | MCL_FUTURE);
326 if (ret < 0) {
327 error_report("mlockall: %s", strerror(errno));
328 }
329
330 return ret;
331#else
332 return -ENOSYS;
333#endif
334}
335