]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core/socket: add socket_port_type_from_string()
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <mqueue.h>
25 #include <netinet/tcp.h>
26 #include <signal.h>
27 #include <sys/epoll.h>
28 #include <sys/stat.h>
29 #include <unistd.h>
30 #include <linux/sctp.h>
31
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
35 #include "bus-util.h"
36 #include "copy.h"
37 #include "dbus-socket.h"
38 #include "def.h"
39 #include "exit-status.h"
40 #include "fd-util.h"
41 #include "format-util.h"
42 #include "fs-util.h"
43 #include "in-addr-util.h"
44 #include "io-util.h"
45 #include "label.h"
46 #include "log.h"
47 #include "missing.h"
48 #include "mkdir.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
55 #include "socket.h"
56 #include "special.h"
57 #include "string-table.h"
58 #include "string-util.h"
59 #include "strv.h"
60 #include "unit-name.h"
61 #include "unit.h"
62 #include "user-util.h"
63
64 struct SocketPeer {
65 unsigned n_ref;
66
67 Socket *socket;
68 union sockaddr_union peer;
69 socklen_t peer_salen;
70 };
71
72 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
73 [SOCKET_DEAD] = UNIT_INACTIVE,
74 [SOCKET_START_PRE] = UNIT_ACTIVATING,
75 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
76 [SOCKET_START_POST] = UNIT_ACTIVATING,
77 [SOCKET_LISTENING] = UNIT_ACTIVE,
78 [SOCKET_RUNNING] = UNIT_ACTIVE,
79 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
80 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
83 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
85 [SOCKET_FAILED] = UNIT_FAILED
86 };
87
88 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
89 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
90
91 static void socket_init(Unit *u) {
92 Socket *s = SOCKET(u);
93
94 assert(u);
95 assert(u->load_state == UNIT_STUB);
96
97 s->backlog = SOMAXCONN;
98 s->timeout_usec = u->manager->default_timeout_start_usec;
99 s->directory_mode = 0755;
100 s->socket_mode = 0666;
101
102 s->max_connections = 64;
103
104 s->priority = -1;
105 s->ip_tos = -1;
106 s->ip_ttl = -1;
107 s->mark = -1;
108
109 s->exec_context.std_output = u->manager->default_std_output;
110 s->exec_context.std_error = u->manager->default_std_error;
111
112 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
113
114 s->trigger_limit.interval = USEC_INFINITY;
115 s->trigger_limit.burst = (unsigned) -1;
116 }
117
118 static void socket_unwatch_control_pid(Socket *s) {
119 assert(s);
120
121 if (s->control_pid <= 0)
122 return;
123
124 unit_unwatch_pid(UNIT(s), s->control_pid);
125 s->control_pid = 0;
126 }
127
128 static void socket_cleanup_fd_list(SocketPort *p) {
129 assert(p);
130
131 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
132 p->auxiliary_fds = mfree(p->auxiliary_fds);
133 p->n_auxiliary_fds = 0;
134 }
135
136 void socket_free_ports(Socket *s) {
137 SocketPort *p;
138
139 assert(s);
140
141 while ((p = s->ports)) {
142 LIST_REMOVE(port, s->ports, p);
143
144 sd_event_source_unref(p->event_source);
145
146 socket_cleanup_fd_list(p);
147 safe_close(p->fd);
148 free(p->path);
149 free(p);
150 }
151 }
152
153 static void socket_done(Unit *u) {
154 Socket *s = SOCKET(u);
155 SocketPeer *p;
156
157 assert(s);
158
159 socket_free_ports(s);
160
161 while ((p = set_steal_first(s->peers_by_address)))
162 p->socket = NULL;
163
164 s->peers_by_address = set_free(s->peers_by_address);
165
166 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
167 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
168 s->control_command = NULL;
169
170 dynamic_creds_unref(&s->dynamic_creds);
171
172 socket_unwatch_control_pid(s);
173
174 unit_ref_unset(&s->service);
175
176 s->tcp_congestion = mfree(s->tcp_congestion);
177 s->bind_to_device = mfree(s->bind_to_device);
178
179 s->smack = mfree(s->smack);
180 s->smack_ip_in = mfree(s->smack_ip_in);
181 s->smack_ip_out = mfree(s->smack_ip_out);
182
183 strv_free(s->symlinks);
184
185 s->user = mfree(s->user);
186 s->group = mfree(s->group);
187
188 s->fdname = mfree(s->fdname);
189
190 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
191 }
192
193 static int socket_arm_timer(Socket *s, usec_t usec) {
194 int r;
195
196 assert(s);
197
198 if (s->timer_event_source) {
199 r = sd_event_source_set_time(s->timer_event_source, usec);
200 if (r < 0)
201 return r;
202
203 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
204 }
205
206 if (usec == USEC_INFINITY)
207 return 0;
208
209 r = sd_event_add_time(
210 UNIT(s)->manager->event,
211 &s->timer_event_source,
212 CLOCK_MONOTONIC,
213 usec, 0,
214 socket_dispatch_timer, s);
215 if (r < 0)
216 return r;
217
218 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
219
220 return 0;
221 }
222
223 int socket_instantiate_service(Socket *s) {
224 _cleanup_free_ char *prefix = NULL, *name = NULL;
225 int r;
226 Unit *u;
227
228 assert(s);
229
230 /* This fills in s->service if it isn't filled in yet. For
231 * Accept=yes sockets we create the next connection service
232 * here. For Accept=no this is mostly a NOP since the service
233 * is figured out at load time anyway. */
234
235 if (UNIT_DEREF(s->service))
236 return 0;
237
238 if (!s->accept)
239 return 0;
240
241 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
242 if (r < 0)
243 return r;
244
245 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
246 return -ENOMEM;
247
248 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
249 if (r < 0)
250 return r;
251
252 unit_ref_set(&s->service, u);
253
254 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
255 }
256
257 static bool have_non_accept_socket(Socket *s) {
258 SocketPort *p;
259
260 assert(s);
261
262 if (!s->accept)
263 return true;
264
265 LIST_FOREACH(port, p, s->ports) {
266
267 if (p->type != SOCKET_SOCKET)
268 return true;
269
270 if (!socket_address_can_accept(&p->address))
271 return true;
272 }
273
274 return false;
275 }
276
277 static int socket_add_mount_dependencies(Socket *s) {
278 SocketPort *p;
279 int r;
280
281 assert(s);
282
283 LIST_FOREACH(port, p, s->ports) {
284 const char *path = NULL;
285
286 if (p->type == SOCKET_SOCKET)
287 path = socket_address_get_path(&p->address);
288 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
289 path = p->path;
290
291 if (!path)
292 continue;
293
294 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
295 if (r < 0)
296 return r;
297 }
298
299 return 0;
300 }
301
302 static int socket_add_device_dependencies(Socket *s) {
303 char *t;
304
305 assert(s);
306
307 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
308 return 0;
309
310 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
311 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
312 }
313
314 static int socket_add_default_dependencies(Socket *s) {
315 int r;
316 assert(s);
317
318 if (!UNIT(s)->default_dependencies)
319 return 0;
320
321 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
322 if (r < 0)
323 return r;
324
325 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
326 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
327 if (r < 0)
328 return r;
329 }
330
331 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
332 }
333
334 _pure_ static bool socket_has_exec(Socket *s) {
335 unsigned i;
336 assert(s);
337
338 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
339 if (s->exec_command[i])
340 return true;
341
342 return false;
343 }
344
345 static int socket_add_extras(Socket *s) {
346 Unit *u = UNIT(s);
347 int r;
348
349 assert(s);
350
351 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
352 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
353 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
354 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
355 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
356 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
357 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
358 * service starts are typical. */
359
360 if (s->trigger_limit.interval == USEC_INFINITY)
361 s->trigger_limit.interval = 2 * USEC_PER_SEC;
362
363 if (s->trigger_limit.burst == (unsigned) -1) {
364 if (s->accept)
365 s->trigger_limit.burst = 200;
366 else
367 s->trigger_limit.burst = 20;
368 }
369
370 if (have_non_accept_socket(s)) {
371
372 if (!UNIT_DEREF(s->service)) {
373 Unit *x;
374
375 r = unit_load_related_unit(u, ".service", &x);
376 if (r < 0)
377 return r;
378
379 unit_ref_set(&s->service, x);
380 }
381
382 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
383 if (r < 0)
384 return r;
385 }
386
387 r = socket_add_mount_dependencies(s);
388 if (r < 0)
389 return r;
390
391 r = socket_add_device_dependencies(s);
392 if (r < 0)
393 return r;
394
395 r = unit_patch_contexts(u);
396 if (r < 0)
397 return r;
398
399 if (socket_has_exec(s)) {
400 r = unit_add_exec_dependencies(u, &s->exec_context);
401 if (r < 0)
402 return r;
403 }
404
405 r = unit_set_default_slice(u);
406 if (r < 0)
407 return r;
408
409 r = socket_add_default_dependencies(s);
410 if (r < 0)
411 return r;
412
413 return 0;
414 }
415
416 static const char *socket_find_symlink_target(Socket *s) {
417 const char *found = NULL;
418 SocketPort *p;
419
420 LIST_FOREACH(port, p, s->ports) {
421 const char *f = NULL;
422
423 switch (p->type) {
424
425 case SOCKET_FIFO:
426 f = p->path;
427 break;
428
429 case SOCKET_SOCKET:
430 f = socket_address_get_path(&p->address);
431 break;
432
433 default:
434 break;
435 }
436
437 if (f) {
438 if (found)
439 return NULL;
440
441 found = f;
442 }
443 }
444
445 return found;
446 }
447
448 static int socket_verify(Socket *s) {
449 assert(s);
450
451 if (UNIT(s)->load_state != UNIT_LOADED)
452 return 0;
453
454 if (!s->ports) {
455 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
456 return -EINVAL;
457 }
458
459 if (s->accept && have_non_accept_socket(s)) {
460 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
461 return -EINVAL;
462 }
463
464 if (s->accept && s->max_connections <= 0) {
465 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
466 return -EINVAL;
467 }
468
469 if (s->accept && UNIT_DEREF(s->service)) {
470 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
471 return -EINVAL;
472 }
473
474 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
475 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
476 return -EINVAL;
477 }
478
479 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
480 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
481 return -EINVAL;
482 }
483
484 return 0;
485 }
486
487 static void peer_address_hash_func(const void *p, struct siphash *state) {
488 const SocketPeer *s = p;
489
490 assert(s);
491
492 if (s->peer.sa.sa_family == AF_INET)
493 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
494 else if (s->peer.sa.sa_family == AF_INET6)
495 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
496 else if (s->peer.sa.sa_family == AF_VSOCK)
497 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
498 else
499 assert_not_reached("Unknown address family.");
500 }
501
502 static int peer_address_compare_func(const void *a, const void *b) {
503 const SocketPeer *x = a, *y = b;
504
505 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
506 return -1;
507 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
508 return 1;
509
510 switch(x->peer.sa.sa_family) {
511 case AF_INET:
512 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
513 case AF_INET6:
514 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
515 case AF_VSOCK:
516 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
517 return -1;
518 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
519 return 1;
520 return 0;
521 }
522 assert_not_reached("Black sheep in the family!");
523 }
524
525 const struct hash_ops peer_address_hash_ops = {
526 .hash = peer_address_hash_func,
527 .compare = peer_address_compare_func
528 };
529
530 static int socket_load(Unit *u) {
531 Socket *s = SOCKET(u);
532 int r;
533
534 assert(u);
535 assert(u->load_state == UNIT_STUB);
536
537 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
538 if (r < 0)
539 return r;
540
541 r = unit_load_fragment_and_dropin(u);
542 if (r < 0)
543 return r;
544
545 if (u->load_state == UNIT_LOADED) {
546 /* This is a new unit? Then let's add in some extras */
547 r = socket_add_extras(s);
548 if (r < 0)
549 return r;
550 }
551
552 return socket_verify(s);
553 }
554
555 static SocketPeer *socket_peer_new(void) {
556 SocketPeer *p;
557
558 p = new0(SocketPeer, 1);
559 if (!p)
560 return NULL;
561
562 p->n_ref = 1;
563
564 return p;
565 }
566
567 SocketPeer *socket_peer_ref(SocketPeer *p) {
568 if (!p)
569 return NULL;
570
571 assert(p->n_ref > 0);
572 p->n_ref++;
573
574 return p;
575 }
576
577 SocketPeer *socket_peer_unref(SocketPeer *p) {
578 if (!p)
579 return NULL;
580
581 assert(p->n_ref > 0);
582
583 p->n_ref--;
584
585 if (p->n_ref > 0)
586 return NULL;
587
588 if (p->socket)
589 set_remove(p->socket->peers_by_address, p);
590
591 return mfree(p);
592 }
593
594 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
595 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
596 SocketPeer sa = {}, *i;
597 socklen_t salen = sizeof(sa.peer);
598 int r;
599
600 assert(fd >= 0);
601 assert(s);
602
603 r = getpeername(fd, &sa.peer.sa, &salen);
604 if (r < 0)
605 return log_error_errno(errno, "getpeername failed: %m");
606
607 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
608 *p = NULL;
609 return 0;
610 }
611
612 i = set_get(s->peers_by_address, &sa);
613 if (i) {
614 *p = socket_peer_ref(i);
615 return 1;
616 }
617
618 remote = socket_peer_new();
619 if (!remote)
620 return log_oom();
621
622 remote->peer = sa.peer;
623 remote->peer_salen = salen;
624
625 r = set_put(s->peers_by_address, remote);
626 if (r < 0)
627 return r;
628
629 remote->socket = s;
630
631 *p = remote;
632 remote = NULL;
633
634 return 1;
635 }
636
637 _const_ static const char* listen_lookup(int family, int type) {
638
639 if (family == AF_NETLINK)
640 return "ListenNetlink";
641
642 if (type == SOCK_STREAM)
643 return "ListenStream";
644 else if (type == SOCK_DGRAM)
645 return "ListenDatagram";
646 else if (type == SOCK_SEQPACKET)
647 return "ListenSequentialPacket";
648
649 assert_not_reached("Unknown socket type");
650 return NULL;
651 }
652
653 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
654 char time_string[FORMAT_TIMESPAN_MAX];
655 SocketExecCommand c;
656 Socket *s = SOCKET(u);
657 SocketPort *p;
658 const char *prefix2;
659
660 assert(s);
661 assert(f);
662
663 prefix = strempty(prefix);
664 prefix2 = strjoina(prefix, "\t");
665
666 fprintf(f,
667 "%sSocket State: %s\n"
668 "%sResult: %s\n"
669 "%sBindIPv6Only: %s\n"
670 "%sBacklog: %u\n"
671 "%sSocketMode: %04o\n"
672 "%sDirectoryMode: %04o\n"
673 "%sKeepAlive: %s\n"
674 "%sNoDelay: %s\n"
675 "%sFreeBind: %s\n"
676 "%sTransparent: %s\n"
677 "%sBroadcast: %s\n"
678 "%sPassCredentials: %s\n"
679 "%sPassSecurity: %s\n"
680 "%sTCPCongestion: %s\n"
681 "%sRemoveOnStop: %s\n"
682 "%sWritable: %s\n"
683 "%sFDName: %s\n"
684 "%sSELinuxContextFromNet: %s\n",
685 prefix, socket_state_to_string(s->state),
686 prefix, socket_result_to_string(s->result),
687 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
688 prefix, s->backlog,
689 prefix, s->socket_mode,
690 prefix, s->directory_mode,
691 prefix, yes_no(s->keep_alive),
692 prefix, yes_no(s->no_delay),
693 prefix, yes_no(s->free_bind),
694 prefix, yes_no(s->transparent),
695 prefix, yes_no(s->broadcast),
696 prefix, yes_no(s->pass_cred),
697 prefix, yes_no(s->pass_sec),
698 prefix, strna(s->tcp_congestion),
699 prefix, yes_no(s->remove_on_stop),
700 prefix, yes_no(s->writable),
701 prefix, socket_fdname(s),
702 prefix, yes_no(s->selinux_context_from_net));
703
704 if (s->control_pid > 0)
705 fprintf(f,
706 "%sControl PID: "PID_FMT"\n",
707 prefix, s->control_pid);
708
709 if (s->bind_to_device)
710 fprintf(f,
711 "%sBindToDevice: %s\n",
712 prefix, s->bind_to_device);
713
714 if (s->accept)
715 fprintf(f,
716 "%sAccepted: %u\n"
717 "%sNConnections: %u\n"
718 "%sMaxConnections: %u\n",
719 prefix, s->n_accepted,
720 prefix, s->n_connections,
721 prefix, s->max_connections);
722
723 if (s->priority >= 0)
724 fprintf(f,
725 "%sPriority: %i\n",
726 prefix, s->priority);
727
728 if (s->receive_buffer > 0)
729 fprintf(f,
730 "%sReceiveBuffer: %zu\n",
731 prefix, s->receive_buffer);
732
733 if (s->send_buffer > 0)
734 fprintf(f,
735 "%sSendBuffer: %zu\n",
736 prefix, s->send_buffer);
737
738 if (s->ip_tos >= 0)
739 fprintf(f,
740 "%sIPTOS: %i\n",
741 prefix, s->ip_tos);
742
743 if (s->ip_ttl >= 0)
744 fprintf(f,
745 "%sIPTTL: %i\n",
746 prefix, s->ip_ttl);
747
748 if (s->pipe_size > 0)
749 fprintf(f,
750 "%sPipeSize: %zu\n",
751 prefix, s->pipe_size);
752
753 if (s->mark >= 0)
754 fprintf(f,
755 "%sMark: %i\n",
756 prefix, s->mark);
757
758 if (s->mq_maxmsg > 0)
759 fprintf(f,
760 "%sMessageQueueMaxMessages: %li\n",
761 prefix, s->mq_maxmsg);
762
763 if (s->mq_msgsize > 0)
764 fprintf(f,
765 "%sMessageQueueMessageSize: %li\n",
766 prefix, s->mq_msgsize);
767
768 if (s->reuse_port)
769 fprintf(f,
770 "%sReusePort: %s\n",
771 prefix, yes_no(s->reuse_port));
772
773 if (s->smack)
774 fprintf(f,
775 "%sSmackLabel: %s\n",
776 prefix, s->smack);
777
778 if (s->smack_ip_in)
779 fprintf(f,
780 "%sSmackLabelIPIn: %s\n",
781 prefix, s->smack_ip_in);
782
783 if (s->smack_ip_out)
784 fprintf(f,
785 "%sSmackLabelIPOut: %s\n",
786 prefix, s->smack_ip_out);
787
788 if (!isempty(s->user) || !isempty(s->group))
789 fprintf(f,
790 "%sSocketUser: %s\n"
791 "%sSocketGroup: %s\n",
792 prefix, strna(s->user),
793 prefix, strna(s->group));
794
795 if (s->keep_alive_time > 0)
796 fprintf(f,
797 "%sKeepAliveTimeSec: %s\n",
798 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
799
800 if (s->keep_alive_interval)
801 fprintf(f,
802 "%sKeepAliveIntervalSec: %s\n",
803 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
804
805 if (s->keep_alive_cnt)
806 fprintf(f,
807 "%sKeepAliveProbes: %u\n",
808 prefix, s->keep_alive_cnt);
809
810 if (s->defer_accept)
811 fprintf(f,
812 "%sDeferAcceptSec: %s\n",
813 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
814
815 LIST_FOREACH(port, p, s->ports) {
816
817 if (p->type == SOCKET_SOCKET) {
818 const char *t;
819 int r;
820 char *k = NULL;
821
822 r = socket_address_print(&p->address, &k);
823 if (r < 0)
824 t = strerror(-r);
825 else
826 t = k;
827
828 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
829 free(k);
830 } else if (p->type == SOCKET_SPECIAL)
831 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
832 else if (p->type == SOCKET_USB_FUNCTION)
833 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
834 else if (p->type == SOCKET_MQUEUE)
835 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
836 else
837 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
838 }
839
840 fprintf(f,
841 "%sTriggerLimitIntervalSec: %s\n"
842 "%sTriggerLimitBurst: %u\n",
843 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
844 prefix, s->trigger_limit.burst);
845
846 exec_context_dump(&s->exec_context, f, prefix);
847 kill_context_dump(&s->kill_context, f, prefix);
848
849 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
850 if (!s->exec_command[c])
851 continue;
852
853 fprintf(f, "%s-> %s:\n",
854 prefix, socket_exec_command_to_string(c));
855
856 exec_command_dump_list(s->exec_command[c], f, prefix2);
857 }
858
859 cgroup_context_dump(&s->cgroup_context, f, prefix);
860 }
861
862 static int instance_from_socket(int fd, unsigned nr, char **instance) {
863 socklen_t l;
864 char *r;
865 union sockaddr_union local, remote;
866
867 assert(fd >= 0);
868 assert(instance);
869
870 l = sizeof(local);
871 if (getsockname(fd, &local.sa, &l) < 0)
872 return -errno;
873
874 l = sizeof(remote);
875 if (getpeername(fd, &remote.sa, &l) < 0)
876 return -errno;
877
878 switch (local.sa.sa_family) {
879
880 case AF_INET: {
881 uint32_t
882 a = be32toh(local.in.sin_addr.s_addr),
883 b = be32toh(remote.in.sin_addr.s_addr);
884
885 if (asprintf(&r,
886 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
887 nr,
888 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
889 be16toh(local.in.sin_port),
890 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
891 be16toh(remote.in.sin_port)) < 0)
892 return -ENOMEM;
893
894 break;
895 }
896
897 case AF_INET6: {
898 static const unsigned char ipv4_prefix[] = {
899 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
900 };
901
902 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
903 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
904 const uint8_t
905 *a = local.in6.sin6_addr.s6_addr+12,
906 *b = remote.in6.sin6_addr.s6_addr+12;
907
908 if (asprintf(&r,
909 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
910 nr,
911 a[0], a[1], a[2], a[3],
912 be16toh(local.in6.sin6_port),
913 b[0], b[1], b[2], b[3],
914 be16toh(remote.in6.sin6_port)) < 0)
915 return -ENOMEM;
916 } else {
917 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
918
919 if (asprintf(&r,
920 "%u-%s:%u-%s:%u",
921 nr,
922 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
923 be16toh(local.in6.sin6_port),
924 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
925 be16toh(remote.in6.sin6_port)) < 0)
926 return -ENOMEM;
927 }
928
929 break;
930 }
931
932 case AF_UNIX: {
933 struct ucred ucred;
934 int k;
935
936 k = getpeercred(fd, &ucred);
937 if (k >= 0) {
938 if (asprintf(&r,
939 "%u-"PID_FMT"-"UID_FMT,
940 nr, ucred.pid, ucred.uid) < 0)
941 return -ENOMEM;
942 } else if (k == -ENODATA) {
943 /* This handles the case where somebody is
944 * connecting from another pid/uid namespace
945 * (e.g. from outside of our container). */
946 if (asprintf(&r,
947 "%u-unknown",
948 nr) < 0)
949 return -ENOMEM;
950 } else
951 return k;
952
953 break;
954 }
955
956 case AF_VSOCK:
957 if (asprintf(&r,
958 "%u-%u:%u-%u:%u",
959 nr,
960 local.vm.svm_cid, local.vm.svm_port,
961 remote.vm.svm_cid, remote.vm.svm_port) < 0)
962 return -ENOMEM;
963
964 break;
965
966 default:
967 assert_not_reached("Unhandled socket type.");
968 }
969
970 *instance = r;
971 return 0;
972 }
973
974 static void socket_close_fds(Socket *s) {
975 SocketPort *p;
976 char **i;
977
978 assert(s);
979
980 LIST_FOREACH(port, p, s->ports) {
981 bool was_open;
982
983 was_open = p->fd >= 0;
984
985 p->event_source = sd_event_source_unref(p->event_source);
986 p->fd = safe_close(p->fd);
987 socket_cleanup_fd_list(p);
988
989 /* One little note: we should normally not delete any sockets in the file system here! After all some
990 * other process we spawned might still have a reference of this fd and wants to continue to use
991 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
992 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
993 * anyway, but only then. */
994
995 if (!was_open || !s->remove_on_stop)
996 continue;
997
998 switch (p->type) {
999
1000 case SOCKET_FIFO:
1001 (void) unlink(p->path);
1002 break;
1003
1004 case SOCKET_MQUEUE:
1005 (void) mq_unlink(p->path);
1006 break;
1007
1008 case SOCKET_SOCKET:
1009 (void) socket_address_unlink(&p->address);
1010 break;
1011
1012 default:
1013 break;
1014 }
1015 }
1016
1017 if (s->remove_on_stop)
1018 STRV_FOREACH(i, s->symlinks)
1019 (void) unlink(*i);
1020 }
1021
1022 static void socket_apply_socket_options(Socket *s, int fd) {
1023 int r;
1024
1025 assert(s);
1026 assert(fd >= 0);
1027
1028 if (s->keep_alive) {
1029 int b = s->keep_alive;
1030 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
1031 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1032 }
1033
1034 if (s->keep_alive_time) {
1035 int value = s->keep_alive_time / USEC_PER_SEC;
1036 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1037 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1038 }
1039
1040 if (s->keep_alive_interval) {
1041 int value = s->keep_alive_interval / USEC_PER_SEC;
1042 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1043 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1044 }
1045
1046 if (s->keep_alive_cnt) {
1047 int value = s->keep_alive_cnt;
1048 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1049 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1050 }
1051
1052 if (s->defer_accept) {
1053 int value = s->defer_accept / USEC_PER_SEC;
1054 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1055 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1056 }
1057
1058 if (s->no_delay) {
1059 int b = s->no_delay;
1060
1061 if (s->socket_protocol == IPPROTO_SCTP) {
1062 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1063 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1064 } else {
1065 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1066 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1067 }
1068 }
1069
1070 if (s->broadcast) {
1071 int one = 1;
1072 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
1073 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1074 }
1075
1076 if (s->pass_cred) {
1077 int one = 1;
1078 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
1079 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1080 }
1081
1082 if (s->pass_sec) {
1083 int one = 1;
1084 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
1085 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1086 }
1087
1088 if (s->priority >= 0)
1089 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1090 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1091
1092 if (s->receive_buffer > 0) {
1093 int value = (int) s->receive_buffer;
1094
1095 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1096
1097 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1098 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1099 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1100 }
1101
1102 if (s->send_buffer > 0) {
1103 int value = (int) s->send_buffer;
1104 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1105 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1106 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1107 }
1108
1109 if (s->mark >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1112
1113 if (s->ip_tos >= 0)
1114 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1115 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1116
1117 if (s->ip_ttl >= 0) {
1118 int x;
1119
1120 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1121
1122 if (socket_ipv6_is_supported())
1123 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1124 else {
1125 x = -1;
1126 errno = EAFNOSUPPORT;
1127 }
1128
1129 if (r < 0 && x < 0)
1130 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1131 }
1132
1133 if (s->tcp_congestion)
1134 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1135 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1136
1137 if (s->smack_ip_in) {
1138 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1139 if (r < 0)
1140 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1141 }
1142
1143 if (s->smack_ip_out) {
1144 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1145 if (r < 0)
1146 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1147 }
1148 }
1149
1150 static void socket_apply_fifo_options(Socket *s, int fd) {
1151 int r;
1152
1153 assert(s);
1154 assert(fd >= 0);
1155
1156 if (s->pipe_size > 0)
1157 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1158 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1159
1160 if (s->smack) {
1161 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1162 if (r < 0)
1163 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1164 }
1165 }
1166
1167 static int fifo_address_create(
1168 const char *path,
1169 mode_t directory_mode,
1170 mode_t socket_mode) {
1171
1172 _cleanup_close_ int fd = -1;
1173 mode_t old_mask;
1174 struct stat st;
1175 int r;
1176
1177 assert(path);
1178
1179 (void) mkdir_parents_label(path, directory_mode);
1180
1181 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1182 if (r < 0)
1183 return r;
1184
1185 /* Enforce the right access mode for the fifo */
1186 old_mask = umask(~ socket_mode);
1187
1188 /* Include the original umask in our mask */
1189 (void) umask(~socket_mode | old_mask);
1190
1191 r = mkfifo(path, socket_mode);
1192 (void) umask(old_mask);
1193
1194 if (r < 0 && errno != EEXIST) {
1195 r = -errno;
1196 goto fail;
1197 }
1198
1199 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1200 if (fd < 0) {
1201 r = -errno;
1202 goto fail;
1203 }
1204
1205 mac_selinux_create_file_clear();
1206
1207 if (fstat(fd, &st) < 0) {
1208 r = -errno;
1209 goto fail;
1210 }
1211
1212 if (!S_ISFIFO(st.st_mode) ||
1213 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1214 st.st_uid != getuid() ||
1215 st.st_gid != getgid()) {
1216 r = -EEXIST;
1217 goto fail;
1218 }
1219
1220 r = fd;
1221 fd = -1;
1222
1223 return r;
1224
1225 fail:
1226 mac_selinux_create_file_clear();
1227 return r;
1228 }
1229
1230 static int special_address_create(const char *path, bool writable) {
1231 _cleanup_close_ int fd = -1;
1232 struct stat st;
1233 int r;
1234
1235 assert(path);
1236
1237 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1238 if (fd < 0)
1239 return -errno;
1240
1241 if (fstat(fd, &st) < 0)
1242 return -errno;
1243
1244 /* Check whether this is a /proc, /sys or /dev file or char device */
1245 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1246 return -EEXIST;
1247
1248 r = fd;
1249 fd = -1;
1250
1251 return r;
1252 }
1253
1254 static int usbffs_address_create(const char *path) {
1255 _cleanup_close_ int fd = -1;
1256 struct stat st;
1257 int r;
1258
1259 assert(path);
1260
1261 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1262 if (fd < 0)
1263 return -errno;
1264
1265 if (fstat(fd, &st) < 0)
1266 return -errno;
1267
1268 /* Check whether this is a regular file (ffs endpoint) */
1269 if (!S_ISREG(st.st_mode))
1270 return -EEXIST;
1271
1272 r = fd;
1273 fd = -1;
1274
1275 return r;
1276 }
1277
1278 static int mq_address_create(
1279 const char *path,
1280 mode_t mq_mode,
1281 long maxmsg,
1282 long msgsize) {
1283
1284 _cleanup_close_ int fd = -1;
1285 struct stat st;
1286 mode_t old_mask;
1287 struct mq_attr _attr, *attr = NULL;
1288 int r;
1289
1290 assert(path);
1291
1292 if (maxmsg > 0 && msgsize > 0) {
1293 _attr = (struct mq_attr) {
1294 .mq_flags = O_NONBLOCK,
1295 .mq_maxmsg = maxmsg,
1296 .mq_msgsize = msgsize,
1297 };
1298 attr = &_attr;
1299 }
1300
1301 /* Enforce the right access mode for the mq */
1302 old_mask = umask(~ mq_mode);
1303
1304 /* Include the original umask in our mask */
1305 (void) umask(~mq_mode | old_mask);
1306 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1307 (void) umask(old_mask);
1308
1309 if (fd < 0)
1310 return -errno;
1311
1312 if (fstat(fd, &st) < 0)
1313 return -errno;
1314
1315 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1316 st.st_uid != getuid() ||
1317 st.st_gid != getgid())
1318 return -EEXIST;
1319
1320 r = fd;
1321 fd = -1;
1322
1323 return r;
1324 }
1325
1326 static int socket_symlink(Socket *s) {
1327 const char *p;
1328 char **i;
1329 int r;
1330
1331 assert(s);
1332
1333 p = socket_find_symlink_target(s);
1334 if (!p)
1335 return 0;
1336
1337 STRV_FOREACH(i, s->symlinks) {
1338 (void) mkdir_parents_label(*i, s->directory_mode);
1339
1340 r = symlink_idempotent(p, *i);
1341
1342 if (r == -EEXIST && s->remove_on_stop) {
1343 /* If there's already something where we want to create the symlink, and the destructive
1344 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1345 * again. */
1346
1347 if (unlink(*i) >= 0)
1348 r = symlink_idempotent(p, *i);
1349 }
1350
1351 if (r < 0)
1352 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1353 }
1354
1355 return 0;
1356 }
1357
1358 static int usbffs_write_descs(int fd, Service *s) {
1359 int r;
1360
1361 if (!s->usb_function_descriptors || !s->usb_function_strings)
1362 return -EINVAL;
1363
1364 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1365 if (r < 0)
1366 return r;
1367
1368 return copy_file_fd(s->usb_function_strings, fd, 0);
1369 }
1370
1371 static int usbffs_select_ep(const struct dirent *d) {
1372 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1373 }
1374
1375 static int usbffs_dispatch_eps(SocketPort *p) {
1376 _cleanup_free_ struct dirent **ent = NULL;
1377 int r, i, n, k;
1378
1379 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1380 if (r < 0)
1381 return -errno;
1382
1383 n = r;
1384 p->auxiliary_fds = new(int, n);
1385 if (!p->auxiliary_fds)
1386 return -ENOMEM;
1387
1388 p->n_auxiliary_fds = n;
1389
1390 k = 0;
1391 for (i = 0; i < n; ++i) {
1392 _cleanup_free_ char *ep = NULL;
1393
1394 ep = path_make_absolute(ent[i]->d_name, p->path);
1395 if (!ep)
1396 return -ENOMEM;
1397
1398 path_kill_slashes(ep);
1399
1400 r = usbffs_address_create(ep);
1401 if (r < 0)
1402 goto fail;
1403
1404 p->auxiliary_fds[k] = r;
1405
1406 ++k;
1407 free(ent[i]);
1408 }
1409
1410 return r;
1411
1412 fail:
1413 close_many(p->auxiliary_fds, k);
1414 p->auxiliary_fds = mfree(p->auxiliary_fds);
1415 p->n_auxiliary_fds = 0;
1416
1417 return r;
1418 }
1419
1420 static int socket_determine_selinux_label(Socket *s, char **ret) {
1421 ExecCommand *c;
1422 int r;
1423
1424 assert(s);
1425 assert(ret);
1426
1427 if (s->selinux_context_from_net) {
1428 /* If this is requested, get label from the network label */
1429
1430 r = mac_selinux_get_our_label(ret);
1431 if (r == -EOPNOTSUPP)
1432 goto no_label;
1433
1434 } else {
1435 /* Otherwise, get it from the executable we are about to start */
1436 r = socket_instantiate_service(s);
1437 if (r < 0)
1438 return r;
1439
1440 if (!UNIT_ISSET(s->service))
1441 goto no_label;
1442
1443 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1444 if (!c)
1445 goto no_label;
1446
1447 r = mac_selinux_get_create_label_from_exe(c->path, ret);
1448 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1449 goto no_label;
1450 }
1451
1452 return r;
1453
1454 no_label:
1455 *ret = NULL;
1456 return 0;
1457 }
1458
1459 static int socket_address_listen_do(
1460 Socket *s,
1461 const SocketAddress *address,
1462 const char *label) {
1463
1464 assert(s);
1465 assert(address);
1466
1467 return socket_address_listen(
1468 address,
1469 SOCK_CLOEXEC|SOCK_NONBLOCK,
1470 s->backlog,
1471 s->bind_ipv6_only,
1472 s->bind_to_device,
1473 s->reuse_port,
1474 s->free_bind,
1475 s->transparent,
1476 s->directory_mode,
1477 s->socket_mode,
1478 label);
1479 }
1480
1481 static int socket_address_listen_in_cgroup(
1482 Socket *s,
1483 const SocketAddress *address,
1484 const char *label) {
1485
1486 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1487 int fd, r;
1488 pid_t pid;
1489
1490 assert(s);
1491 assert(address);
1492
1493 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1494 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1495 * unit's cgroup for the purpose of BPF filtering and such. */
1496
1497 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1498 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1499
1500 r = bpf_firewall_supported();
1501 if (r < 0)
1502 return r;
1503 if (r == 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1504 goto shortcut;
1505
1506 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1507 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1508
1509 r = unit_fork_helper_process(UNIT(s), &pid);
1510 if (r < 0)
1511 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1512 if (r == 0) {
1513 /* Child */
1514
1515 pair[0] = safe_close(pair[0]);
1516
1517 fd = socket_address_listen_do(s, address, label);
1518 if (fd < 0) {
1519 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1520 _exit(EXIT_FAILURE);
1521 }
1522
1523 r = send_one_fd(pair[1], fd, 0);
1524 if (r < 0) {
1525 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1526 _exit(EXIT_FAILURE);
1527 }
1528
1529 _exit(EXIT_SUCCESS);
1530 }
1531
1532 pair[1] = safe_close(pair[1]);
1533 fd = receive_one_fd(pair[0], 0);
1534
1535 /* We synchronously wait for the helper, as it shouldn't be slow */
1536 r = wait_for_terminate_and_warn("listen-cgroup-helper", pid, false);
1537 if (r < 0) {
1538 safe_close(fd);
1539 return r;
1540 }
1541
1542 if (fd < 0)
1543 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1544
1545 return fd;
1546
1547 shortcut:
1548 fd = socket_address_listen_do(s, address, label);
1549 if (fd < 0)
1550 return log_error_errno(fd, "Failed to create listening socket: %m");
1551
1552 return fd;
1553 }
1554
1555 static int socket_open_fds(Socket *s) {
1556 _cleanup_(mac_selinux_freep) char *label = NULL;
1557 bool know_label = false;
1558 SocketPort *p;
1559 int r;
1560
1561 assert(s);
1562
1563 LIST_FOREACH(port, p, s->ports) {
1564
1565 if (p->fd >= 0)
1566 continue;
1567
1568 switch (p->type) {
1569
1570 case SOCKET_SOCKET:
1571
1572 if (!know_label) {
1573 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1574 * we need this and remember it for the rest. */
1575
1576 r = socket_determine_selinux_label(s, &label);
1577 if (r < 0)
1578 goto rollback;
1579
1580 know_label = true;
1581 }
1582
1583 /* Apply the socket protocol */
1584 switch (p->address.type) {
1585
1586 case SOCK_STREAM:
1587 case SOCK_SEQPACKET:
1588 if (s->socket_protocol == IPPROTO_SCTP)
1589 p->address.protocol = s->socket_protocol;
1590 break;
1591
1592 case SOCK_DGRAM:
1593 if (s->socket_protocol == IPPROTO_UDPLITE)
1594 p->address.protocol = s->socket_protocol;
1595 break;
1596 }
1597
1598 r = socket_address_listen_in_cgroup(s, &p->address, label);
1599 if (r < 0)
1600 goto rollback;
1601
1602 p->fd = r;
1603 socket_apply_socket_options(s, p->fd);
1604 socket_symlink(s);
1605 break;
1606
1607 case SOCKET_SPECIAL:
1608
1609 p->fd = special_address_create(p->path, s->writable);
1610 if (p->fd < 0) {
1611 r = p->fd;
1612 goto rollback;
1613 }
1614 break;
1615
1616 case SOCKET_FIFO:
1617
1618 p->fd = fifo_address_create(
1619 p->path,
1620 s->directory_mode,
1621 s->socket_mode);
1622 if (p->fd < 0) {
1623 r = p->fd;
1624 goto rollback;
1625 }
1626
1627 socket_apply_fifo_options(s, p->fd);
1628 socket_symlink(s);
1629 break;
1630
1631 case SOCKET_MQUEUE:
1632
1633 p->fd = mq_address_create(
1634 p->path,
1635 s->socket_mode,
1636 s->mq_maxmsg,
1637 s->mq_msgsize);
1638 if (p->fd < 0) {
1639 r = p->fd;
1640 goto rollback;
1641 }
1642 break;
1643
1644 case SOCKET_USB_FUNCTION: {
1645 _cleanup_free_ char *ep = NULL;
1646
1647 ep = path_make_absolute("ep0", p->path);
1648
1649 p->fd = usbffs_address_create(ep);
1650 if (p->fd < 0) {
1651 r = p->fd;
1652 goto rollback;
1653 }
1654
1655 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1656 if (r < 0)
1657 goto rollback;
1658
1659 r = usbffs_dispatch_eps(p);
1660 if (r < 0)
1661 goto rollback;
1662
1663 break;
1664 }
1665 default:
1666 assert_not_reached("Unknown port type");
1667 }
1668 }
1669
1670 return 0;
1671
1672 rollback:
1673 socket_close_fds(s);
1674 return r;
1675 }
1676
1677 static void socket_unwatch_fds(Socket *s) {
1678 SocketPort *p;
1679 int r;
1680
1681 assert(s);
1682
1683 LIST_FOREACH(port, p, s->ports) {
1684 if (p->fd < 0)
1685 continue;
1686
1687 if (!p->event_source)
1688 continue;
1689
1690 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1691 if (r < 0)
1692 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1693 }
1694 }
1695
1696 static int socket_watch_fds(Socket *s) {
1697 SocketPort *p;
1698 int r;
1699
1700 assert(s);
1701
1702 LIST_FOREACH(port, p, s->ports) {
1703 if (p->fd < 0)
1704 continue;
1705
1706 if (p->event_source) {
1707 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1708 if (r < 0)
1709 goto fail;
1710 } else {
1711 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1712 if (r < 0)
1713 goto fail;
1714
1715 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1716 }
1717 }
1718
1719 return 0;
1720
1721 fail:
1722 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1723 socket_unwatch_fds(s);
1724 return r;
1725 }
1726
1727 enum {
1728 SOCKET_OPEN_NONE,
1729 SOCKET_OPEN_SOME,
1730 SOCKET_OPEN_ALL,
1731 };
1732
1733 static int socket_check_open(Socket *s) {
1734 bool have_open = false, have_closed = false;
1735 SocketPort *p;
1736
1737 assert(s);
1738
1739 LIST_FOREACH(port, p, s->ports) {
1740 if (p->fd < 0)
1741 have_closed = true;
1742 else
1743 have_open = true;
1744
1745 if (have_open && have_closed)
1746 return SOCKET_OPEN_SOME;
1747 }
1748
1749 if (have_open)
1750 return SOCKET_OPEN_ALL;
1751
1752 return SOCKET_OPEN_NONE;
1753 }
1754
1755 static void socket_set_state(Socket *s, SocketState state) {
1756 SocketState old_state;
1757 assert(s);
1758
1759 old_state = s->state;
1760 s->state = state;
1761
1762 if (!IN_SET(state,
1763 SOCKET_START_PRE,
1764 SOCKET_START_CHOWN,
1765 SOCKET_START_POST,
1766 SOCKET_STOP_PRE,
1767 SOCKET_STOP_PRE_SIGTERM,
1768 SOCKET_STOP_PRE_SIGKILL,
1769 SOCKET_STOP_POST,
1770 SOCKET_FINAL_SIGTERM,
1771 SOCKET_FINAL_SIGKILL)) {
1772
1773 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1774 socket_unwatch_control_pid(s);
1775 s->control_command = NULL;
1776 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1777 }
1778
1779 if (state != SOCKET_LISTENING)
1780 socket_unwatch_fds(s);
1781
1782 if (!IN_SET(state,
1783 SOCKET_START_CHOWN,
1784 SOCKET_START_POST,
1785 SOCKET_LISTENING,
1786 SOCKET_RUNNING,
1787 SOCKET_STOP_PRE,
1788 SOCKET_STOP_PRE_SIGTERM,
1789 SOCKET_STOP_PRE_SIGKILL))
1790 socket_close_fds(s);
1791
1792 if (state != old_state)
1793 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1794
1795 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
1796 }
1797
1798 static int socket_coldplug(Unit *u) {
1799 Socket *s = SOCKET(u);
1800 int r;
1801
1802 assert(s);
1803 assert(s->state == SOCKET_DEAD);
1804
1805 if (s->deserialized_state == s->state)
1806 return 0;
1807
1808 if (s->control_pid > 0 &&
1809 pid_is_unwaited(s->control_pid) &&
1810 IN_SET(s->deserialized_state,
1811 SOCKET_START_PRE,
1812 SOCKET_START_CHOWN,
1813 SOCKET_START_POST,
1814 SOCKET_STOP_PRE,
1815 SOCKET_STOP_PRE_SIGTERM,
1816 SOCKET_STOP_PRE_SIGKILL,
1817 SOCKET_STOP_POST,
1818 SOCKET_FINAL_SIGTERM,
1819 SOCKET_FINAL_SIGKILL)) {
1820
1821 r = unit_watch_pid(UNIT(s), s->control_pid);
1822 if (r < 0)
1823 return r;
1824
1825 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1826 if (r < 0)
1827 return r;
1828 }
1829
1830 if (IN_SET(s->deserialized_state,
1831 SOCKET_START_CHOWN,
1832 SOCKET_START_POST,
1833 SOCKET_LISTENING,
1834 SOCKET_RUNNING)) {
1835
1836 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1837 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1838 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1839 * and if there's a mismatch, warn loudly. */
1840
1841 r = socket_check_open(s);
1842 if (r == SOCKET_OPEN_NONE)
1843 log_unit_warning(UNIT(s),
1844 "Socket unit configuration has changed while unit has been running, "
1845 "no open socket file descriptor left. "
1846 "The socket unit is not functional until restarted.");
1847 else if (r == SOCKET_OPEN_SOME)
1848 log_unit_warning(UNIT(s),
1849 "Socket unit configuration has changed while unit has been running, "
1850 "and some socket file descriptors have not been opened yet. "
1851 "The socket unit is not fully functional until restarted.");
1852 }
1853
1854 if (s->deserialized_state == SOCKET_LISTENING) {
1855 r = socket_watch_fds(s);
1856 if (r < 0)
1857 return r;
1858 }
1859
1860 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED))
1861 (void) unit_setup_dynamic_creds(u);
1862
1863 socket_set_state(s, s->deserialized_state);
1864 return 0;
1865 }
1866
1867 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1868
1869 ExecParameters exec_params = {
1870 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1871 .stdin_fd = -1,
1872 .stdout_fd = -1,
1873 .stderr_fd = -1,
1874 };
1875 pid_t pid;
1876 int r;
1877
1878 assert(s);
1879 assert(c);
1880 assert(_pid);
1881
1882 r = unit_prepare_exec(UNIT(s));
1883 if (r < 0)
1884 return r;
1885
1886 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1887 if (r < 0)
1888 return r;
1889
1890 manager_set_exec_params(UNIT(s)->manager, &exec_params);
1891 unit_set_exec_params(UNIT(s), &exec_params);
1892
1893 exec_params.argv = c->argv;
1894
1895 r = exec_spawn(UNIT(s),
1896 c,
1897 &s->exec_context,
1898 &exec_params,
1899 s->exec_runtime,
1900 &s->dynamic_creds,
1901 &pid);
1902 if (r < 0)
1903 return r;
1904
1905 r = unit_watch_pid(UNIT(s), pid);
1906 if (r < 0)
1907 /* FIXME: we need to do something here */
1908 return r;
1909
1910 *_pid = pid;
1911
1912 return 0;
1913 }
1914
1915 static int socket_chown(Socket *s, pid_t *_pid) {
1916 pid_t pid;
1917 int r;
1918
1919 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1920 if (r < 0)
1921 goto fail;
1922
1923 /* We have to resolve the user names out-of-process, hence
1924 * let's fork here. It's messy, but well, what can we do? */
1925
1926 r = unit_fork_helper_process(UNIT(s), &pid);
1927 if (r < 0)
1928 return r;
1929 if (r == 0) {
1930 uid_t uid = UID_INVALID;
1931 gid_t gid = GID_INVALID;
1932 SocketPort *p;
1933
1934 /* Child */
1935
1936 if (!isempty(s->user)) {
1937 const char *user = s->user;
1938
1939 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1940 if (r < 0) {
1941 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1942 _exit(EXIT_USER);
1943 }
1944 }
1945
1946 if (!isempty(s->group)) {
1947 const char *group = s->group;
1948
1949 r = get_group_creds(&group, &gid);
1950 if (r < 0) {
1951 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1952 _exit(EXIT_GROUP);
1953 }
1954 }
1955
1956 LIST_FOREACH(port, p, s->ports) {
1957 const char *path = NULL;
1958
1959 if (p->type == SOCKET_SOCKET)
1960 path = socket_address_get_path(&p->address);
1961 else if (p->type == SOCKET_FIFO)
1962 path = p->path;
1963
1964 if (!path)
1965 continue;
1966
1967 if (chown(path, uid, gid) < 0) {
1968 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1969 _exit(EXIT_CHOWN);
1970 }
1971 }
1972
1973 _exit(EXIT_SUCCESS);
1974 }
1975
1976 r = unit_watch_pid(UNIT(s), pid);
1977 if (r < 0)
1978 goto fail;
1979
1980 *_pid = pid;
1981 return 0;
1982
1983 fail:
1984 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1985 return r;
1986 }
1987
1988 static void socket_enter_dead(Socket *s, SocketResult f) {
1989 assert(s);
1990
1991 if (s->result == SOCKET_SUCCESS)
1992 s->result = f;
1993
1994 if (s->result != SOCKET_SUCCESS)
1995 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
1996
1997 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
1998
1999 exec_runtime_destroy(s->exec_runtime);
2000 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
2001
2002 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2003
2004 unit_unref_uid_gid(UNIT(s), true);
2005
2006 dynamic_creds_destroy(&s->dynamic_creds);
2007 }
2008
2009 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2010
2011 static void socket_enter_stop_post(Socket *s, SocketResult f) {
2012 int r;
2013 assert(s);
2014
2015 if (s->result == SOCKET_SUCCESS)
2016 s->result = f;
2017
2018 socket_unwatch_control_pid(s);
2019 s->control_command_id = SOCKET_EXEC_STOP_POST;
2020 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2021
2022 if (s->control_command) {
2023 r = socket_spawn(s, s->control_command, &s->control_pid);
2024 if (r < 0)
2025 goto fail;
2026
2027 socket_set_state(s, SOCKET_STOP_POST);
2028 } else
2029 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2030
2031 return;
2032
2033 fail:
2034 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2035 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2036 }
2037
2038 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2039 int r;
2040
2041 assert(s);
2042
2043 if (s->result == SOCKET_SUCCESS)
2044 s->result = f;
2045
2046 r = unit_kill_context(
2047 UNIT(s),
2048 &s->kill_context,
2049 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2050 KILL_KILL : KILL_TERMINATE,
2051 -1,
2052 s->control_pid,
2053 false);
2054 if (r < 0)
2055 goto fail;
2056
2057 if (r > 0) {
2058 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2059 if (r < 0)
2060 goto fail;
2061
2062 socket_set_state(s, state);
2063 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2064 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2065 else if (state == SOCKET_STOP_PRE_SIGKILL)
2066 socket_enter_stop_post(s, SOCKET_SUCCESS);
2067 else if (state == SOCKET_FINAL_SIGTERM)
2068 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2069 else
2070 socket_enter_dead(s, SOCKET_SUCCESS);
2071
2072 return;
2073
2074 fail:
2075 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2076
2077 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2078 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2079 else
2080 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2081 }
2082
2083 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2084 int r;
2085 assert(s);
2086
2087 if (s->result == SOCKET_SUCCESS)
2088 s->result = f;
2089
2090 socket_unwatch_control_pid(s);
2091 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2092 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2093
2094 if (s->control_command) {
2095 r = socket_spawn(s, s->control_command, &s->control_pid);
2096 if (r < 0)
2097 goto fail;
2098
2099 socket_set_state(s, SOCKET_STOP_PRE);
2100 } else
2101 socket_enter_stop_post(s, SOCKET_SUCCESS);
2102
2103 return;
2104
2105 fail:
2106 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2107 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2108 }
2109
2110 static void socket_enter_listening(Socket *s) {
2111 int r;
2112 assert(s);
2113
2114 r = socket_watch_fds(s);
2115 if (r < 0) {
2116 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2117 goto fail;
2118 }
2119
2120 socket_set_state(s, SOCKET_LISTENING);
2121 return;
2122
2123 fail:
2124 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2125 }
2126
2127 static void socket_enter_start_post(Socket *s) {
2128 int r;
2129 assert(s);
2130
2131 socket_unwatch_control_pid(s);
2132 s->control_command_id = SOCKET_EXEC_START_POST;
2133 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2134
2135 if (s->control_command) {
2136 r = socket_spawn(s, s->control_command, &s->control_pid);
2137 if (r < 0) {
2138 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2139 goto fail;
2140 }
2141
2142 socket_set_state(s, SOCKET_START_POST);
2143 } else
2144 socket_enter_listening(s);
2145
2146 return;
2147
2148 fail:
2149 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2150 }
2151
2152 static void socket_enter_start_chown(Socket *s) {
2153 int r;
2154
2155 assert(s);
2156
2157 r = socket_open_fds(s);
2158 if (r < 0) {
2159 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2160 goto fail;
2161 }
2162
2163 if (!isempty(s->user) || !isempty(s->group)) {
2164
2165 socket_unwatch_control_pid(s);
2166 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2167 s->control_command = NULL;
2168
2169 r = socket_chown(s, &s->control_pid);
2170 if (r < 0) {
2171 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2172 goto fail;
2173 }
2174
2175 socket_set_state(s, SOCKET_START_CHOWN);
2176 } else
2177 socket_enter_start_post(s);
2178
2179 return;
2180
2181 fail:
2182 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2183 }
2184
2185 static void socket_enter_start_pre(Socket *s) {
2186 int r;
2187 assert(s);
2188
2189 socket_unwatch_control_pid(s);
2190
2191 unit_warn_leftover_processes(UNIT(s));
2192
2193 s->control_command_id = SOCKET_EXEC_START_PRE;
2194 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2195
2196 if (s->control_command) {
2197 r = socket_spawn(s, s->control_command, &s->control_pid);
2198 if (r < 0) {
2199 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2200 goto fail;
2201 }
2202
2203 socket_set_state(s, SOCKET_START_PRE);
2204 } else
2205 socket_enter_start_chown(s);
2206
2207 return;
2208
2209 fail:
2210 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2211 }
2212
2213 static void flush_ports(Socket *s) {
2214 SocketPort *p;
2215
2216 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2217 * anymore */
2218
2219 LIST_FOREACH(port, p, s->ports) {
2220 if (p->fd < 0)
2221 continue;
2222
2223 (void) flush_accept(p->fd);
2224 (void) flush_fd(p->fd);
2225 }
2226 }
2227
2228 static void socket_enter_running(Socket *s, int cfd) {
2229 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2230 int r;
2231
2232 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2233 * close it. */
2234
2235 assert(s);
2236
2237 /* We don't take connections anymore if we are supposed to shut down anyway */
2238 if (unit_stop_pending(UNIT(s))) {
2239
2240 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2241
2242 if (cfd >= 0)
2243 cfd = safe_close(cfd);
2244 else
2245 flush_ports(s);
2246
2247 return;
2248 }
2249
2250 if (!ratelimit_test(&s->trigger_limit)) {
2251 safe_close(cfd);
2252 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2253 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2254 return;
2255 }
2256
2257 if (cfd < 0) {
2258 bool pending = false;
2259 Unit *other;
2260 Iterator i;
2261 void *v;
2262
2263 /* If there's already a start pending don't bother to
2264 * do anything */
2265 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2266 if (unit_active_or_pending(other)) {
2267 pending = true;
2268 break;
2269 }
2270
2271 if (!pending) {
2272 if (!UNIT_ISSET(s->service)) {
2273 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2274 r = -ENOENT;
2275 goto fail;
2276 }
2277
2278 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2279 if (r < 0)
2280 goto fail;
2281 }
2282
2283 socket_set_state(s, SOCKET_RUNNING);
2284 } else {
2285 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2286 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2287 Service *service;
2288
2289 if (s->n_connections >= s->max_connections) {
2290 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2291 s->n_connections);
2292 safe_close(cfd);
2293 return;
2294 }
2295
2296 if (s->max_connections_per_source > 0) {
2297 r = socket_acquire_peer(s, cfd, &p);
2298 if (r < 0) {
2299 safe_close(cfd);
2300 return;
2301 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2302 _cleanup_free_ char *t = NULL;
2303
2304 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2305
2306 log_unit_warning(UNIT(s),
2307 "Too many incoming connections (%u) from source %s, dropping connection.",
2308 p->n_ref, strnull(t));
2309 safe_close(cfd);
2310 return;
2311 }
2312 }
2313
2314 r = socket_instantiate_service(s);
2315 if (r < 0)
2316 goto fail;
2317
2318 r = instance_from_socket(cfd, s->n_accepted, &instance);
2319 if (r < 0) {
2320 if (r != -ENOTCONN)
2321 goto fail;
2322
2323 /* ENOTCONN is legitimate if TCP RST was received.
2324 * This connection is over, but the socket unit lives on. */
2325 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2326 safe_close(cfd);
2327 return;
2328 }
2329
2330 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2331 if (r < 0)
2332 goto fail;
2333
2334 r = unit_name_build(prefix, instance, ".service", &name);
2335 if (r < 0)
2336 goto fail;
2337
2338 r = unit_add_name(UNIT_DEREF(s->service), name);
2339 if (r < 0)
2340 goto fail;
2341
2342 service = SERVICE(UNIT_DEREF(s->service));
2343 unit_ref_unset(&s->service);
2344
2345 s->n_accepted++;
2346 unit_choose_id(UNIT(service), name);
2347
2348 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2349 if (r < 0)
2350 goto fail;
2351
2352 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2353 s->n_connections++;
2354
2355 service->peer = p; /* Pass ownership of the peer reference */
2356 p = NULL;
2357
2358 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2359 if (r < 0) {
2360 /* We failed to activate the new service, but it still exists. Let's make sure the service
2361 * closes and forgets the connection fd again, immediately. */
2362 service_close_socket_fd(service);
2363 goto fail;
2364 }
2365
2366 /* Notify clients about changed counters */
2367 unit_add_to_dbus_queue(UNIT(s));
2368 }
2369
2370 return;
2371
2372 fail:
2373 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2374 cfd >= 0 ? "template" : "non-template",
2375 bus_error_message(&error, r));
2376
2377 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2378 safe_close(cfd);
2379 }
2380
2381 static void socket_run_next(Socket *s) {
2382 int r;
2383
2384 assert(s);
2385 assert(s->control_command);
2386 assert(s->control_command->command_next);
2387
2388 socket_unwatch_control_pid(s);
2389
2390 s->control_command = s->control_command->command_next;
2391
2392 r = socket_spawn(s, s->control_command, &s->control_pid);
2393 if (r < 0)
2394 goto fail;
2395
2396 return;
2397
2398 fail:
2399 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2400
2401 if (s->state == SOCKET_START_POST)
2402 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2403 else if (s->state == SOCKET_STOP_POST)
2404 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2405 else
2406 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2407 }
2408
2409 static int socket_start(Unit *u) {
2410 Socket *s = SOCKET(u);
2411 int r;
2412
2413 assert(s);
2414
2415 /* We cannot fulfill this request right now, try again later
2416 * please! */
2417 if (IN_SET(s->state,
2418 SOCKET_STOP_PRE,
2419 SOCKET_STOP_PRE_SIGKILL,
2420 SOCKET_STOP_PRE_SIGTERM,
2421 SOCKET_STOP_POST,
2422 SOCKET_FINAL_SIGTERM,
2423 SOCKET_FINAL_SIGKILL))
2424 return -EAGAIN;
2425
2426 /* Already on it! */
2427 if (IN_SET(s->state,
2428 SOCKET_START_PRE,
2429 SOCKET_START_CHOWN,
2430 SOCKET_START_POST))
2431 return 0;
2432
2433 /* Cannot run this without the service being around */
2434 if (UNIT_ISSET(s->service)) {
2435 Service *service;
2436
2437 service = SERVICE(UNIT_DEREF(s->service));
2438
2439 if (UNIT(service)->load_state != UNIT_LOADED) {
2440 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2441 return -ENOENT;
2442 }
2443
2444 /* If the service is already active we cannot start the
2445 * socket */
2446 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2447 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2448 return -EBUSY;
2449 }
2450 }
2451
2452 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2453
2454 r = unit_start_limit_test(u);
2455 if (r < 0) {
2456 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2457 return r;
2458 }
2459
2460 r = unit_acquire_invocation_id(u);
2461 if (r < 0)
2462 return r;
2463
2464 s->result = SOCKET_SUCCESS;
2465
2466 u->reset_accounting = true;
2467
2468 socket_enter_start_pre(s);
2469 return 1;
2470 }
2471
2472 static int socket_stop(Unit *u) {
2473 Socket *s = SOCKET(u);
2474
2475 assert(s);
2476
2477 /* Already on it */
2478 if (IN_SET(s->state,
2479 SOCKET_STOP_PRE,
2480 SOCKET_STOP_PRE_SIGTERM,
2481 SOCKET_STOP_PRE_SIGKILL,
2482 SOCKET_STOP_POST,
2483 SOCKET_FINAL_SIGTERM,
2484 SOCKET_FINAL_SIGKILL))
2485 return 0;
2486
2487 /* If there's already something running we go directly into
2488 * kill mode. */
2489 if (IN_SET(s->state,
2490 SOCKET_START_PRE,
2491 SOCKET_START_CHOWN,
2492 SOCKET_START_POST)) {
2493 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2494 return -EAGAIN;
2495 }
2496
2497 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2498
2499 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2500 return 1;
2501 }
2502
2503 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2504 Socket *s = SOCKET(u);
2505 SocketPort *p;
2506 int r;
2507
2508 assert(u);
2509 assert(f);
2510 assert(fds);
2511
2512 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2513 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2514 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2515
2516 if (s->control_pid > 0)
2517 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2518
2519 if (s->control_command_id >= 0)
2520 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2521
2522 LIST_FOREACH(port, p, s->ports) {
2523 int copy;
2524
2525 if (p->fd < 0)
2526 continue;
2527
2528 copy = fdset_put_dup(fds, p->fd);
2529 if (copy < 0)
2530 return copy;
2531
2532 if (p->type == SOCKET_SOCKET) {
2533 _cleanup_free_ char *t = NULL;
2534
2535 r = socket_address_print(&p->address, &t);
2536 if (r < 0)
2537 return r;
2538
2539 if (socket_address_family(&p->address) == AF_NETLINK)
2540 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2541 else
2542 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2543
2544 } else if (p->type == SOCKET_SPECIAL)
2545 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2546 else if (p->type == SOCKET_MQUEUE)
2547 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2548 else if (p->type == SOCKET_USB_FUNCTION)
2549 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2550 else {
2551 assert(p->type == SOCKET_FIFO);
2552 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2553 }
2554 }
2555
2556 return 0;
2557 }
2558
2559 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2560 safe_close(p->fd);
2561 p->fd = fdset_remove(fds, fd);
2562 }
2563
2564 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2565 Socket *s = SOCKET(u);
2566
2567 assert(u);
2568 assert(key);
2569 assert(value);
2570
2571 if (streq(key, "state")) {
2572 SocketState state;
2573
2574 state = socket_state_from_string(value);
2575 if (state < 0)
2576 log_unit_debug(u, "Failed to parse state value: %s", value);
2577 else
2578 s->deserialized_state = state;
2579 } else if (streq(key, "result")) {
2580 SocketResult f;
2581
2582 f = socket_result_from_string(value);
2583 if (f < 0)
2584 log_unit_debug(u, "Failed to parse result value: %s", value);
2585 else if (f != SOCKET_SUCCESS)
2586 s->result = f;
2587
2588 } else if (streq(key, "n-accepted")) {
2589 unsigned k;
2590
2591 if (safe_atou(value, &k) < 0)
2592 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2593 else
2594 s->n_accepted += k;
2595 } else if (streq(key, "control-pid")) {
2596 pid_t pid;
2597
2598 if (parse_pid(value, &pid) < 0)
2599 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2600 else
2601 s->control_pid = pid;
2602 } else if (streq(key, "control-command")) {
2603 SocketExecCommand id;
2604
2605 id = socket_exec_command_from_string(value);
2606 if (id < 0)
2607 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2608 else {
2609 s->control_command_id = id;
2610 s->control_command = s->exec_command[id];
2611 }
2612 } else if (streq(key, "fifo")) {
2613 int fd, skip = 0;
2614 SocketPort *p;
2615
2616 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2617 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2618 else
2619 LIST_FOREACH(port, p, s->ports)
2620 if (p->type == SOCKET_FIFO &&
2621 path_equal_or_files_same(p->path, value+skip, 0)) {
2622 socket_port_take_fd(p, fds, fd);
2623 break;
2624 }
2625
2626 } else if (streq(key, "special")) {
2627 int fd, skip = 0;
2628 SocketPort *p;
2629
2630 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2631 log_unit_debug(u, "Failed to parse special value: %s", value);
2632 else
2633 LIST_FOREACH(port, p, s->ports)
2634 if (p->type == SOCKET_SPECIAL &&
2635 path_equal_or_files_same(p->path, value+skip, 0)) {
2636 socket_port_take_fd(p, fds, fd);
2637 break;
2638 }
2639
2640 } else if (streq(key, "mqueue")) {
2641 int fd, skip = 0;
2642 SocketPort *p;
2643
2644 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2645 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2646 else
2647 LIST_FOREACH(port, p, s->ports)
2648 if (p->type == SOCKET_MQUEUE &&
2649 streq(p->path, value+skip)) {
2650 socket_port_take_fd(p, fds, fd);
2651 break;
2652 }
2653
2654 } else if (streq(key, "socket")) {
2655 int fd, type, skip = 0;
2656 SocketPort *p;
2657
2658 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2659 log_unit_debug(u, "Failed to parse socket value: %s", value);
2660 else
2661 LIST_FOREACH(port, p, s->ports)
2662 if (socket_address_is(&p->address, value+skip, type)) {
2663 socket_port_take_fd(p, fds, fd);
2664 break;
2665 }
2666
2667 } else if (streq(key, "netlink")) {
2668 int fd, skip = 0;
2669 SocketPort *p;
2670
2671 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2672 log_unit_debug(u, "Failed to parse socket value: %s", value);
2673 else
2674 LIST_FOREACH(port, p, s->ports)
2675 if (socket_address_is_netlink(&p->address, value+skip)) {
2676 socket_port_take_fd(p, fds, fd);
2677 break;
2678 }
2679
2680 } else if (streq(key, "ffs")) {
2681 int fd, skip = 0;
2682 SocketPort *p;
2683
2684 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2685 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2686 else
2687 LIST_FOREACH(port, p, s->ports)
2688 if (p->type == SOCKET_USB_FUNCTION &&
2689 path_equal_or_files_same(p->path, value+skip, 0)) {
2690 socket_port_take_fd(p, fds, fd);
2691 break;
2692 }
2693
2694 } else
2695 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2696
2697 return 0;
2698 }
2699
2700 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2701 Socket *s = SOCKET(u);
2702 SocketPort *p;
2703
2704 assert(u);
2705
2706 LIST_FOREACH(port, p, s->ports) {
2707 Iterator i;
2708 int fd;
2709
2710 if (p->type != SOCKET_SOCKET)
2711 continue;
2712
2713 if (p->fd >= 0)
2714 continue;
2715
2716 FDSET_FOREACH(fd, fds, i) {
2717 if (socket_address_matches_fd(&p->address, fd)) {
2718 p->fd = fdset_remove(fds, fd);
2719 s->deserialized_state = SOCKET_LISTENING;
2720 break;
2721 }
2722 }
2723 }
2724 }
2725
2726 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2727 assert(u);
2728
2729 return state_translation_table[SOCKET(u)->state];
2730 }
2731
2732 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2733 assert(u);
2734
2735 return socket_state_to_string(SOCKET(u)->state);
2736 }
2737
2738 const char* socket_port_type_to_string(SocketPort *p) {
2739
2740 assert(p);
2741
2742 switch (p->type) {
2743
2744 case SOCKET_SOCKET:
2745
2746 switch (p->address.type) {
2747
2748 case SOCK_STREAM:
2749 return "Stream";
2750
2751 case SOCK_DGRAM:
2752 return "Datagram";
2753
2754 case SOCK_SEQPACKET:
2755 return "SequentialPacket";
2756
2757 case SOCK_RAW:
2758 if (socket_address_family(&p->address) == AF_NETLINK)
2759 return "Netlink";
2760
2761 _fallthrough_;
2762 default:
2763 return NULL;
2764 }
2765
2766 case SOCKET_SPECIAL:
2767 return "Special";
2768
2769 case SOCKET_MQUEUE:
2770 return "MessageQueue";
2771
2772 case SOCKET_FIFO:
2773 return "FIFO";
2774
2775 case SOCKET_USB_FUNCTION:
2776 return "USBFunction";
2777
2778 default:
2779 return NULL;
2780 }
2781 }
2782
2783 SocketType socket_port_type_from_string(const char *s) {
2784 assert(s);
2785
2786 if (STR_IN_SET(t, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2787 return = SOCKET_SOCKET;
2788 else if (streq(t, "Special"))
2789 return = SOCKET_SPECIAL;
2790 else if (streq(t, "MessageQueue"))
2791 return = SOCKET_MQUEUE;
2792 else if (streq(t, "FIFO"))
2793 return = SOCKET_FIFO;
2794 else if (streq(t, "USBFunction"))
2795 return = SOCKET_USB_FUNCTION;
2796 else
2797 return _SOCKET_TYPE_INVALID;
2798 }
2799
2800 _pure_ static bool socket_check_gc(Unit *u) {
2801 Socket *s = SOCKET(u);
2802
2803 assert(u);
2804
2805 return s->n_connections > 0;
2806 }
2807
2808 static int socket_accept_do(Socket *s, int fd) {
2809 int cfd;
2810
2811 assert(s);
2812 assert(fd >= 0);
2813
2814 for (;;) {
2815 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2816 if (cfd < 0) {
2817 if (errno == EINTR)
2818 continue;
2819
2820 return -errno;
2821 }
2822
2823 break;
2824 }
2825
2826 return cfd;
2827 }
2828
2829 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2830 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2831 int cfd, r;
2832 pid_t pid;
2833
2834 assert(s);
2835 assert(p);
2836 assert(fd >= 0);
2837
2838 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2839 * connection socket is also properly associated with the cgroup. */
2840
2841 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2842 goto shortcut;
2843
2844 r = bpf_firewall_supported();
2845 if (r < 0)
2846 return r;
2847 if (r == 0)
2848 goto shortcut;
2849
2850 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2851 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2852
2853 r = unit_fork_helper_process(UNIT(s), &pid);
2854 if (r < 0)
2855 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2856 if (r == 0) {
2857 /* Child */
2858
2859 pair[0] = safe_close(pair[0]);
2860
2861 cfd = socket_accept_do(s, fd);
2862 if (cfd < 0) {
2863 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2864 _exit(EXIT_FAILURE);
2865 }
2866
2867 r = send_one_fd(pair[1], cfd, 0);
2868 if (r < 0) {
2869 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2870 _exit(EXIT_FAILURE);
2871 }
2872
2873 _exit(EXIT_SUCCESS);
2874 }
2875
2876 pair[1] = safe_close(pair[1]);
2877 cfd = receive_one_fd(pair[0], 0);
2878
2879 /* We synchronously wait for the helper, as it shouldn't be slow */
2880 r = wait_for_terminate_and_warn("accept-cgroup-helper", pid, false);
2881 if (r < 0) {
2882 safe_close(cfd);
2883 return r;
2884 }
2885
2886 if (cfd < 0)
2887 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2888
2889 return cfd;
2890
2891 shortcut:
2892 cfd = socket_accept_do(s, fd);
2893 if (cfd < 0)
2894 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2895
2896 return cfd;
2897 }
2898
2899 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2900 SocketPort *p = userdata;
2901 int cfd = -1;
2902
2903 assert(p);
2904 assert(fd >= 0);
2905
2906 if (p->socket->state != SOCKET_LISTENING)
2907 return 0;
2908
2909 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2910
2911 if (revents != EPOLLIN) {
2912
2913 if (revents & EPOLLHUP)
2914 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2915 else
2916 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2917 goto fail;
2918 }
2919
2920 if (p->socket->accept &&
2921 p->type == SOCKET_SOCKET &&
2922 socket_address_can_accept(&p->address)) {
2923
2924 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2925 if (cfd < 0)
2926 goto fail;
2927
2928 socket_apply_socket_options(p->socket, cfd);
2929 }
2930
2931 socket_enter_running(p->socket, cfd);
2932 return 0;
2933
2934 fail:
2935 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2936 return 0;
2937 }
2938
2939 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2940 Socket *s = SOCKET(u);
2941 SocketResult f;
2942
2943 assert(s);
2944 assert(pid >= 0);
2945
2946 if (pid != s->control_pid)
2947 return;
2948
2949 s->control_pid = 0;
2950
2951 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2952 f = SOCKET_SUCCESS;
2953 else if (code == CLD_EXITED)
2954 f = SOCKET_FAILURE_EXIT_CODE;
2955 else if (code == CLD_KILLED)
2956 f = SOCKET_FAILURE_SIGNAL;
2957 else if (code == CLD_DUMPED)
2958 f = SOCKET_FAILURE_CORE_DUMP;
2959 else
2960 assert_not_reached("Unknown sigchld code");
2961
2962 if (s->control_command) {
2963 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2964
2965 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2966 f = SOCKET_SUCCESS;
2967 }
2968
2969 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2970 "Control process exited, code=%s status=%i",
2971 sigchld_code_to_string(code), status);
2972
2973 if (s->result == SOCKET_SUCCESS)
2974 s->result = f;
2975
2976 if (s->control_command &&
2977 s->control_command->command_next &&
2978 f == SOCKET_SUCCESS) {
2979
2980 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
2981 socket_run_next(s);
2982 } else {
2983 s->control_command = NULL;
2984 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2985
2986 /* No further commands for this step, so let's figure
2987 * out what to do next */
2988
2989 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
2990
2991 switch (s->state) {
2992
2993 case SOCKET_START_PRE:
2994 if (f == SOCKET_SUCCESS)
2995 socket_enter_start_chown(s);
2996 else
2997 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
2998 break;
2999
3000 case SOCKET_START_CHOWN:
3001 if (f == SOCKET_SUCCESS)
3002 socket_enter_start_post(s);
3003 else
3004 socket_enter_stop_pre(s, f);
3005 break;
3006
3007 case SOCKET_START_POST:
3008 if (f == SOCKET_SUCCESS)
3009 socket_enter_listening(s);
3010 else
3011 socket_enter_stop_pre(s, f);
3012 break;
3013
3014 case SOCKET_STOP_PRE:
3015 case SOCKET_STOP_PRE_SIGTERM:
3016 case SOCKET_STOP_PRE_SIGKILL:
3017 socket_enter_stop_post(s, f);
3018 break;
3019
3020 case SOCKET_STOP_POST:
3021 case SOCKET_FINAL_SIGTERM:
3022 case SOCKET_FINAL_SIGKILL:
3023 socket_enter_dead(s, f);
3024 break;
3025
3026 default:
3027 assert_not_reached("Uh, control process died at wrong time.");
3028 }
3029 }
3030
3031 /* Notify clients about changed exit status */
3032 unit_add_to_dbus_queue(u);
3033 }
3034
3035 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3036 Socket *s = SOCKET(userdata);
3037
3038 assert(s);
3039 assert(s->timer_event_source == source);
3040
3041 switch (s->state) {
3042
3043 case SOCKET_START_PRE:
3044 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3045 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3046 break;
3047
3048 case SOCKET_START_CHOWN:
3049 case SOCKET_START_POST:
3050 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3051 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3052 break;
3053
3054 case SOCKET_STOP_PRE:
3055 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3056 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3057 break;
3058
3059 case SOCKET_STOP_PRE_SIGTERM:
3060 if (s->kill_context.send_sigkill) {
3061 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3062 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3063 } else {
3064 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3065 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3066 }
3067 break;
3068
3069 case SOCKET_STOP_PRE_SIGKILL:
3070 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3071 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3072 break;
3073
3074 case SOCKET_STOP_POST:
3075 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3076 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3077 break;
3078
3079 case SOCKET_FINAL_SIGTERM:
3080 if (s->kill_context.send_sigkill) {
3081 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3082 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3083 } else {
3084 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3085 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3086 }
3087 break;
3088
3089 case SOCKET_FINAL_SIGKILL:
3090 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3091 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3092 break;
3093
3094 default:
3095 assert_not_reached("Timeout at wrong time.");
3096 }
3097
3098 return 0;
3099 }
3100
3101 int socket_collect_fds(Socket *s, int **fds) {
3102 int *rfds, k = 0, n = 0;
3103 SocketPort *p;
3104
3105 assert(s);
3106 assert(fds);
3107
3108 /* Called from the service code for requesting our fds */
3109
3110 LIST_FOREACH(port, p, s->ports) {
3111 if (p->fd >= 0)
3112 n++;
3113 n += p->n_auxiliary_fds;
3114 }
3115
3116 if (n <= 0) {
3117 *fds = NULL;
3118 return 0;
3119 }
3120
3121 rfds = new(int, n);
3122 if (!rfds)
3123 return -ENOMEM;
3124
3125 LIST_FOREACH(port, p, s->ports) {
3126 int i;
3127
3128 if (p->fd >= 0)
3129 rfds[k++] = p->fd;
3130 for (i = 0; i < p->n_auxiliary_fds; ++i)
3131 rfds[k++] = p->auxiliary_fds[i];
3132 }
3133
3134 assert(k == n);
3135
3136 *fds = rfds;
3137 return n;
3138 }
3139
3140 static void socket_reset_failed(Unit *u) {
3141 Socket *s = SOCKET(u);
3142
3143 assert(s);
3144
3145 if (s->state == SOCKET_FAILED)
3146 socket_set_state(s, SOCKET_DEAD);
3147
3148 s->result = SOCKET_SUCCESS;
3149 }
3150
3151 void socket_connection_unref(Socket *s) {
3152 assert(s);
3153
3154 /* The service is dead. Yay!
3155 *
3156 * This is strictly for one-instance-per-connection
3157 * services. */
3158
3159 assert(s->n_connections > 0);
3160 s->n_connections--;
3161
3162 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3163 }
3164
3165 static void socket_trigger_notify(Unit *u, Unit *other) {
3166 Socket *s = SOCKET(u);
3167
3168 assert(u);
3169 assert(other);
3170
3171 /* Filter out invocations with bogus state */
3172 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3173 return;
3174
3175 /* Don't propagate state changes from the service if we are already down */
3176 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3177 return;
3178
3179 /* We don't care for the service state if we are in Accept=yes mode */
3180 if (s->accept)
3181 return;
3182
3183 /* Propagate start limit hit state */
3184 if (other->start_limit_hit) {
3185 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3186 return;
3187 }
3188
3189 /* Don't propagate anything if there's still a job queued */
3190 if (other->job)
3191 return;
3192
3193 if (IN_SET(SERVICE(other)->state,
3194 SERVICE_DEAD, SERVICE_FAILED,
3195 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3196 SERVICE_AUTO_RESTART))
3197 socket_enter_listening(s);
3198
3199 if (SERVICE(other)->state == SERVICE_RUNNING)
3200 socket_set_state(s, SOCKET_RUNNING);
3201 }
3202
3203 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3204 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3205 }
3206
3207 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3208 Socket *s = SOCKET(u);
3209 usec_t t;
3210 int r;
3211
3212 if (!s->timer_event_source)
3213 return 0;
3214
3215 r = sd_event_source_get_time(s->timer_event_source, &t);
3216 if (r < 0)
3217 return r;
3218 if (t == USEC_INFINITY)
3219 return 0;
3220
3221 *timeout = t;
3222 return 1;
3223 }
3224
3225 char *socket_fdname(Socket *s) {
3226 assert(s);
3227
3228 /* Returns the name to use for $LISTEN_NAMES. If the user
3229 * didn't specify anything specifically, use the socket unit's
3230 * name as fallback. */
3231
3232 if (s->fdname)
3233 return s->fdname;
3234
3235 return UNIT(s)->id;
3236 }
3237
3238 static int socket_control_pid(Unit *u) {
3239 Socket *s = SOCKET(u);
3240
3241 assert(s);
3242
3243 return s->control_pid;
3244 }
3245
3246 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3247 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3248 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3249 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3250 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3251 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3252 };
3253
3254 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3255
3256 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3257 [SOCKET_SUCCESS] = "success",
3258 [SOCKET_FAILURE_RESOURCES] = "resources",
3259 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3260 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3261 [SOCKET_FAILURE_SIGNAL] = "signal",
3262 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3263 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3264 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3265 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3266 };
3267
3268 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3269
3270 const UnitVTable socket_vtable = {
3271 .object_size = sizeof(Socket),
3272 .exec_context_offset = offsetof(Socket, exec_context),
3273 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3274 .kill_context_offset = offsetof(Socket, kill_context),
3275 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3276 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3277
3278 .sections =
3279 "Unit\0"
3280 "Socket\0"
3281 "Install\0",
3282 .private_section = "Socket",
3283
3284 .init = socket_init,
3285 .done = socket_done,
3286 .load = socket_load,
3287
3288 .coldplug = socket_coldplug,
3289
3290 .dump = socket_dump,
3291
3292 .start = socket_start,
3293 .stop = socket_stop,
3294
3295 .kill = socket_kill,
3296
3297 .get_timeout = socket_get_timeout,
3298
3299 .serialize = socket_serialize,
3300 .deserialize_item = socket_deserialize_item,
3301 .distribute_fds = socket_distribute_fds,
3302
3303 .active_state = socket_active_state,
3304 .sub_state_to_string = socket_sub_state_to_string,
3305
3306 .check_gc = socket_check_gc,
3307
3308 .sigchld_event = socket_sigchld_event,
3309
3310 .trigger_notify = socket_trigger_notify,
3311
3312 .reset_failed = socket_reset_failed,
3313
3314 .control_pid = socket_control_pid,
3315
3316 .bus_vtable = bus_socket_vtable,
3317 .bus_set_property = bus_socket_set_property,
3318 .bus_commit_properties = bus_socket_commit_properties,
3319
3320 .status_message_formats = {
3321 /*.starting_stopping = {
3322 [0] = "Starting socket %s...",
3323 [1] = "Stopping socket %s...",
3324 },*/
3325 .finished_start_job = {
3326 [JOB_DONE] = "Listening on %s.",
3327 [JOB_FAILED] = "Failed to listen on %s.",
3328 [JOB_TIMEOUT] = "Timed out starting %s.",
3329 },
3330 .finished_stop_job = {
3331 [JOB_DONE] = "Closed %s.",
3332 [JOB_FAILED] = "Failed stopping %s.",
3333 [JOB_TIMEOUT] = "Timed out stopping %s.",
3334 },
3335 },
3336 };
Unnamed repository; edit this file 'description' to name the repository.