]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #7191 from Mic92/systemd
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <mqueue.h>
25 #include <netinet/tcp.h>
26 #include <signal.h>
27 #include <sys/epoll.h>
28 #include <sys/stat.h>
29 #include <unistd.h>
30 #include <linux/sctp.h>
31
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
35 #include "bus-util.h"
36 #include "copy.h"
37 #include "dbus-socket.h"
38 #include "def.h"
39 #include "exit-status.h"
40 #include "fd-util.h"
41 #include "format-util.h"
42 #include "fs-util.h"
43 #include "in-addr-util.h"
44 #include "io-util.h"
45 #include "label.h"
46 #include "log.h"
47 #include "missing.h"
48 #include "mkdir.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
55 #include "socket.h"
56 #include "socket-protocol-list.h"
57 #include "special.h"
58 #include "string-table.h"
59 #include "string-util.h"
60 #include "strv.h"
61 #include "unit-name.h"
62 #include "unit.h"
63 #include "user-util.h"
64
65 struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
70 socklen_t peer_salen;
71 };
72
73 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
86 [SOCKET_FAILED] = UNIT_FAILED
87 };
88
89 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
92 static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
96 assert(u->load_state == UNIT_STUB);
97
98 s->backlog = SOMAXCONN;
99 s->timeout_usec = u->manager->default_timeout_start_usec;
100 s->directory_mode = 0755;
101 s->socket_mode = 0666;
102
103 s->max_connections = 64;
104
105 s->priority = -1;
106 s->ip_tos = -1;
107 s->ip_ttl = -1;
108 s->mark = -1;
109
110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
112
113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
114
115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
117 }
118
119 static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127 }
128
129 static void socket_cleanup_fd_list(SocketPort *p) {
130 assert(p);
131
132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135 }
136
137 void socket_free_ports(Socket *s) {
138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
143 LIST_REMOVE(port, s->ports, p);
144
145 sd_event_source_unref(p->event_source);
146
147 socket_cleanup_fd_list(p);
148 safe_close(p->fd);
149 free(p->path);
150 free(p);
151 }
152 }
153
154 static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
156 SocketPeer *p;
157
158 assert(s);
159
160 socket_free_ports(s);
161
162 while ((p = set_steal_first(s->peers_by_address)))
163 p->socket = NULL;
164
165 s->peers_by_address = set_free(s->peers_by_address);
166
167 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
169 s->control_command = NULL;
170
171 dynamic_creds_unref(&s->dynamic_creds);
172
173 socket_unwatch_control_pid(s);
174
175 unit_ref_unset(&s->service);
176
177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
179
180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
183
184 strv_free(s->symlinks);
185
186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
188
189 s->fdname = mfree(s->fdname);
190
191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192 }
193
194 static int socket_arm_timer(Socket *s, usec_t usec) {
195 int r;
196
197 assert(s);
198
199 if (s->timer_event_source) {
200 r = sd_event_source_set_time(s->timer_event_source, usec);
201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
207 if (usec == USEC_INFINITY)
208 return 0;
209
210 r = sd_event_add_time(
211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
214 usec, 0,
215 socket_dispatch_timer, s);
216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
222 }
223
224 int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
236 if (UNIT_DEREF(s->service))
237 return 0;
238
239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
245
246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
247 return -ENOMEM;
248
249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
250 if (r < 0)
251 return r;
252
253 unit_ref_set(&s->service, u);
254
255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
256 }
257
258 static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
271 if (!socket_address_can_accept(&p->address))
272 return true;
273 }
274
275 return false;
276 }
277
278 static int socket_add_mount_dependencies(Socket *s) {
279 SocketPort *p;
280 int r;
281
282 assert(s);
283
284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
286
287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
290 path = p->path;
291
292 if (!path)
293 continue;
294
295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
296 if (r < 0)
297 return r;
298 }
299
300 return 0;
301 }
302
303 static int socket_add_device_dependencies(Socket *s) {
304 char *t;
305
306 assert(s);
307
308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
309 return 0;
310
311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
313 }
314
315 static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
323 if (r < 0)
324 return r;
325
326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
328 if (r < 0)
329 return r;
330 }
331
332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
333 }
334
335 _pure_ static bool socket_has_exec(Socket *s) {
336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344 }
345
346 static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
348 int r;
349
350 assert(s);
351
352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
371 if (have_non_accept_socket(s)) {
372
373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
375
376 r = unit_load_related_unit(u, ".service", &x);
377 if (r < 0)
378 return r;
379
380 unit_ref_set(&s->service, x);
381 }
382
383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
384 if (r < 0)
385 return r;
386 }
387
388 r = socket_add_mount_dependencies(s);
389 if (r < 0)
390 return r;
391
392 r = socket_add_device_dependencies(s);
393 if (r < 0)
394 return r;
395
396 r = unit_patch_contexts(u);
397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
404 }
405
406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
413
414 return 0;
415 }
416
417 static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
431 f = socket_address_get_path(&p->address);
432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447 }
448
449 static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
467 return -EINVAL;
468 }
469
470 if (s->accept && UNIT_DEREF(s->service)) {
471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
477 return -EINVAL;
478 }
479
480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
482 return -EINVAL;
483 }
484
485 return 0;
486 }
487
488 static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
495 else if (s->peer.sa.sa_family == AF_INET6)
496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
499 else
500 assert_not_reached("Unknown address family.");
501 }
502
503 static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
522 }
523 assert_not_reached("Black sheep in the family!");
524 }
525
526 const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529 };
530
531 static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
539 if (r < 0)
540 return r;
541
542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
549 if (r < 0)
550 return r;
551 }
552
553 return socket_verify(s);
554 }
555
556 static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566 }
567
568 SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576 }
577
578 SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593 }
594
595 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
624 remote->peer_salen = salen;
625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
632 *p = remote;
633 remote = NULL;
634
635 return 1;
636 }
637
638 _const_ static const char* listen_lookup(int family, int type) {
639
640 if (family == AF_NETLINK)
641 return "ListenNetlink";
642
643 if (type == SOCK_STREAM)
644 return "ListenStream";
645 else if (type == SOCK_DGRAM)
646 return "ListenDatagram";
647 else if (type == SOCK_SEQPACKET)
648 return "ListenSequentialPacket";
649
650 assert_not_reached("Unknown socket type");
651 return NULL;
652 }
653
654 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
655 char time_string[FORMAT_TIMESPAN_MAX];
656 SocketExecCommand c;
657 Socket *s = SOCKET(u);
658 SocketPort *p;
659 const char *prefix2, *str;
660
661 assert(s);
662 assert(f);
663
664 prefix = strempty(prefix);
665 prefix2 = strjoina(prefix, "\t");
666
667 fprintf(f,
668 "%sSocket State: %s\n"
669 "%sResult: %s\n"
670 "%sBindIPv6Only: %s\n"
671 "%sBacklog: %u\n"
672 "%sSocketMode: %04o\n"
673 "%sDirectoryMode: %04o\n"
674 "%sKeepAlive: %s\n"
675 "%sNoDelay: %s\n"
676 "%sFreeBind: %s\n"
677 "%sTransparent: %s\n"
678 "%sBroadcast: %s\n"
679 "%sPassCredentials: %s\n"
680 "%sPassSecurity: %s\n"
681 "%sTCPCongestion: %s\n"
682 "%sRemoveOnStop: %s\n"
683 "%sWritable: %s\n"
684 "%sFileDescriptorName: %s\n"
685 "%sSELinuxContextFromNet: %s\n",
686 prefix, socket_state_to_string(s->state),
687 prefix, socket_result_to_string(s->result),
688 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
689 prefix, s->backlog,
690 prefix, s->socket_mode,
691 prefix, s->directory_mode,
692 prefix, yes_no(s->keep_alive),
693 prefix, yes_no(s->no_delay),
694 prefix, yes_no(s->free_bind),
695 prefix, yes_no(s->transparent),
696 prefix, yes_no(s->broadcast),
697 prefix, yes_no(s->pass_cred),
698 prefix, yes_no(s->pass_sec),
699 prefix, strna(s->tcp_congestion),
700 prefix, yes_no(s->remove_on_stop),
701 prefix, yes_no(s->writable),
702 prefix, socket_fdname(s),
703 prefix, yes_no(s->selinux_context_from_net));
704
705 if (s->control_pid > 0)
706 fprintf(f,
707 "%sControl PID: "PID_FMT"\n",
708 prefix, s->control_pid);
709
710 if (s->bind_to_device)
711 fprintf(f,
712 "%sBindToDevice: %s\n",
713 prefix, s->bind_to_device);
714
715 if (s->accept)
716 fprintf(f,
717 "%sAccepted: %u\n"
718 "%sNConnections: %u\n"
719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
721 prefix, s->n_accepted,
722 prefix, s->n_connections,
723 prefix, s->max_connections,
724 prefix, s->max_connections_per_source);
725
726 if (s->priority >= 0)
727 fprintf(f,
728 "%sPriority: %i\n",
729 prefix, s->priority);
730
731 if (s->receive_buffer > 0)
732 fprintf(f,
733 "%sReceiveBuffer: %zu\n",
734 prefix, s->receive_buffer);
735
736 if (s->send_buffer > 0)
737 fprintf(f,
738 "%sSendBuffer: %zu\n",
739 prefix, s->send_buffer);
740
741 if (s->ip_tos >= 0)
742 fprintf(f,
743 "%sIPTOS: %i\n",
744 prefix, s->ip_tos);
745
746 if (s->ip_ttl >= 0)
747 fprintf(f,
748 "%sIPTTL: %i\n",
749 prefix, s->ip_ttl);
750
751 if (s->pipe_size > 0)
752 fprintf(f,
753 "%sPipeSize: %zu\n",
754 prefix, s->pipe_size);
755
756 if (s->mark >= 0)
757 fprintf(f,
758 "%sMark: %i\n",
759 prefix, s->mark);
760
761 if (s->mq_maxmsg > 0)
762 fprintf(f,
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix, s->mq_maxmsg);
765
766 if (s->mq_msgsize > 0)
767 fprintf(f,
768 "%sMessageQueueMessageSize: %li\n",
769 prefix, s->mq_msgsize);
770
771 if (s->reuse_port)
772 fprintf(f,
773 "%sReusePort: %s\n",
774 prefix, yes_no(s->reuse_port));
775
776 if (s->smack)
777 fprintf(f,
778 "%sSmackLabel: %s\n",
779 prefix, s->smack);
780
781 if (s->smack_ip_in)
782 fprintf(f,
783 "%sSmackLabelIPIn: %s\n",
784 prefix, s->smack_ip_in);
785
786 if (s->smack_ip_out)
787 fprintf(f,
788 "%sSmackLabelIPOut: %s\n",
789 prefix, s->smack_ip_out);
790
791 if (!isempty(s->user) || !isempty(s->group))
792 fprintf(f,
793 "%sSocketUser: %s\n"
794 "%sSocketGroup: %s\n",
795 prefix, strna(s->user),
796 prefix, strna(s->group));
797
798 if (s->keep_alive_time > 0)
799 fprintf(f,
800 "%sKeepAliveTimeSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
802
803 if (s->keep_alive_interval)
804 fprintf(f,
805 "%sKeepAliveIntervalSec: %s\n",
806 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
807
808 if (s->keep_alive_cnt)
809 fprintf(f,
810 "%sKeepAliveProbes: %u\n",
811 prefix, s->keep_alive_cnt);
812
813 if (s->defer_accept)
814 fprintf(f,
815 "%sDeferAcceptSec: %s\n",
816 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
817
818 LIST_FOREACH(port, p, s->ports) {
819
820 if (p->type == SOCKET_SOCKET) {
821 const char *t;
822 int r;
823 char *k = NULL;
824
825 r = socket_address_print(&p->address, &k);
826 if (r < 0)
827 t = strerror(-r);
828 else
829 t = k;
830
831 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
832 free(k);
833 } else if (p->type == SOCKET_SPECIAL)
834 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
835 else if (p->type == SOCKET_USB_FUNCTION)
836 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
837 else if (p->type == SOCKET_MQUEUE)
838 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
839 else
840 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
841 }
842
843 fprintf(f,
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
847 prefix, s->trigger_limit.burst);
848
849 str = socket_protocol_to_name(s->socket_protocol);
850 if (str)
851 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
852
853 if (!strv_isempty(s->symlinks)) {
854 char **q;
855
856 fprintf(f, "%sSymlinks:", prefix);
857 STRV_FOREACH(q, s->symlinks)
858 fprintf(f, " %s", *q);
859
860 fprintf(f, "\n");
861 }
862
863 fprintf(f,
864 "%sTimeoutSec: %s\n",
865 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
866
867 exec_context_dump(&s->exec_context, f, prefix);
868 kill_context_dump(&s->kill_context, f, prefix);
869
870 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
871 if (!s->exec_command[c])
872 continue;
873
874 fprintf(f, "%s-> %s:\n",
875 prefix, socket_exec_command_to_string(c));
876
877 exec_command_dump_list(s->exec_command[c], f, prefix2);
878 }
879
880 cgroup_context_dump(&s->cgroup_context, f, prefix);
881 }
882
883 static int instance_from_socket(int fd, unsigned nr, char **instance) {
884 socklen_t l;
885 char *r;
886 union sockaddr_union local, remote;
887
888 assert(fd >= 0);
889 assert(instance);
890
891 l = sizeof(local);
892 if (getsockname(fd, &local.sa, &l) < 0)
893 return -errno;
894
895 l = sizeof(remote);
896 if (getpeername(fd, &remote.sa, &l) < 0)
897 return -errno;
898
899 switch (local.sa.sa_family) {
900
901 case AF_INET: {
902 uint32_t
903 a = be32toh(local.in.sin_addr.s_addr),
904 b = be32toh(remote.in.sin_addr.s_addr);
905
906 if (asprintf(&r,
907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
909 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
910 be16toh(local.in.sin_port),
911 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
912 be16toh(remote.in.sin_port)) < 0)
913 return -ENOMEM;
914
915 break;
916 }
917
918 case AF_INET6: {
919 static const unsigned char ipv4_prefix[] = {
920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
921 };
922
923 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
924 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
925 const uint8_t
926 *a = local.in6.sin6_addr.s6_addr+12,
927 *b = remote.in6.sin6_addr.s6_addr+12;
928
929 if (asprintf(&r,
930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
931 nr,
932 a[0], a[1], a[2], a[3],
933 be16toh(local.in6.sin6_port),
934 b[0], b[1], b[2], b[3],
935 be16toh(remote.in6.sin6_port)) < 0)
936 return -ENOMEM;
937 } else {
938 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
939
940 if (asprintf(&r,
941 "%u-%s:%u-%s:%u",
942 nr,
943 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
944 be16toh(local.in6.sin6_port),
945 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
946 be16toh(remote.in6.sin6_port)) < 0)
947 return -ENOMEM;
948 }
949
950 break;
951 }
952
953 case AF_UNIX: {
954 struct ucred ucred;
955 int k;
956
957 k = getpeercred(fd, &ucred);
958 if (k >= 0) {
959 if (asprintf(&r,
960 "%u-"PID_FMT"-"UID_FMT,
961 nr, ucred.pid, ucred.uid) < 0)
962 return -ENOMEM;
963 } else if (k == -ENODATA) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
967 if (asprintf(&r,
968 "%u-unknown",
969 nr) < 0)
970 return -ENOMEM;
971 } else
972 return k;
973
974 break;
975 }
976
977 case AF_VSOCK:
978 if (asprintf(&r,
979 "%u-%u:%u-%u:%u",
980 nr,
981 local.vm.svm_cid, local.vm.svm_port,
982 remote.vm.svm_cid, remote.vm.svm_port) < 0)
983 return -ENOMEM;
984
985 break;
986
987 default:
988 assert_not_reached("Unhandled socket type.");
989 }
990
991 *instance = r;
992 return 0;
993 }
994
995 static void socket_close_fds(Socket *s) {
996 SocketPort *p;
997 char **i;
998
999 assert(s);
1000
1001 LIST_FOREACH(port, p, s->ports) {
1002 bool was_open;
1003
1004 was_open = p->fd >= 0;
1005
1006 p->event_source = sd_event_source_unref(p->event_source);
1007 p->fd = safe_close(p->fd);
1008 socket_cleanup_fd_list(p);
1009
1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
1015
1016 if (!was_open || !s->remove_on_stop)
1017 continue;
1018
1019 switch (p->type) {
1020
1021 case SOCKET_FIFO:
1022 (void) unlink(p->path);
1023 break;
1024
1025 case SOCKET_MQUEUE:
1026 (void) mq_unlink(p->path);
1027 break;
1028
1029 case SOCKET_SOCKET:
1030 (void) socket_address_unlink(&p->address);
1031 break;
1032
1033 default:
1034 break;
1035 }
1036 }
1037
1038 if (s->remove_on_stop)
1039 STRV_FOREACH(i, s->symlinks)
1040 (void) unlink(*i);
1041 }
1042
1043 static void socket_apply_socket_options(Socket *s, int fd) {
1044 int r;
1045
1046 assert(s);
1047 assert(fd >= 0);
1048
1049 if (s->keep_alive) {
1050 int b = s->keep_alive;
1051 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
1052 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1053 }
1054
1055 if (s->keep_alive_time) {
1056 int value = s->keep_alive_time / USEC_PER_SEC;
1057 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1058 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1059 }
1060
1061 if (s->keep_alive_interval) {
1062 int value = s->keep_alive_interval / USEC_PER_SEC;
1063 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1064 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1065 }
1066
1067 if (s->keep_alive_cnt) {
1068 int value = s->keep_alive_cnt;
1069 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1070 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1071 }
1072
1073 if (s->defer_accept) {
1074 int value = s->defer_accept / USEC_PER_SEC;
1075 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1076 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1077 }
1078
1079 if (s->no_delay) {
1080 int b = s->no_delay;
1081
1082 if (s->socket_protocol == IPPROTO_SCTP) {
1083 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1084 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1085 } else {
1086 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1088 }
1089 }
1090
1091 if (s->broadcast) {
1092 int one = 1;
1093 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
1094 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1095 }
1096
1097 if (s->pass_cred) {
1098 int one = 1;
1099 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
1100 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1101 }
1102
1103 if (s->pass_sec) {
1104 int one = 1;
1105 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
1106 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1107 }
1108
1109 if (s->priority >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1112
1113 if (s->receive_buffer > 0) {
1114 int value = (int) s->receive_buffer;
1115
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1119 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1120 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1121 }
1122
1123 if (s->send_buffer > 0) {
1124 int value = (int) s->send_buffer;
1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1127 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1128 }
1129
1130 if (s->mark >= 0)
1131 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1132 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1133
1134 if (s->ip_tos >= 0)
1135 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1136 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1137
1138 if (s->ip_ttl >= 0) {
1139 int x;
1140
1141 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1142
1143 if (socket_ipv6_is_supported())
1144 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1145 else {
1146 x = -1;
1147 errno = EAFNOSUPPORT;
1148 }
1149
1150 if (r < 0 && x < 0)
1151 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1152 }
1153
1154 if (s->tcp_congestion)
1155 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1156 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1157
1158 if (s->smack_ip_in) {
1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1160 if (r < 0)
1161 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1162 }
1163
1164 if (s->smack_ip_out) {
1165 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1166 if (r < 0)
1167 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1168 }
1169 }
1170
1171 static void socket_apply_fifo_options(Socket *s, int fd) {
1172 int r;
1173
1174 assert(s);
1175 assert(fd >= 0);
1176
1177 if (s->pipe_size > 0)
1178 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1179 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1180
1181 if (s->smack) {
1182 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1183 if (r < 0)
1184 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1185 }
1186 }
1187
1188 static int fifo_address_create(
1189 const char *path,
1190 mode_t directory_mode,
1191 mode_t socket_mode) {
1192
1193 _cleanup_close_ int fd = -1;
1194 mode_t old_mask;
1195 struct stat st;
1196 int r;
1197
1198 assert(path);
1199
1200 (void) mkdir_parents_label(path, directory_mode);
1201
1202 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1203 if (r < 0)
1204 return r;
1205
1206 /* Enforce the right access mode for the fifo */
1207 old_mask = umask(~ socket_mode);
1208
1209 /* Include the original umask in our mask */
1210 (void) umask(~socket_mode | old_mask);
1211
1212 r = mkfifo(path, socket_mode);
1213 (void) umask(old_mask);
1214
1215 if (r < 0 && errno != EEXIST) {
1216 r = -errno;
1217 goto fail;
1218 }
1219
1220 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1221 if (fd < 0) {
1222 r = -errno;
1223 goto fail;
1224 }
1225
1226 mac_selinux_create_file_clear();
1227
1228 if (fstat(fd, &st) < 0) {
1229 r = -errno;
1230 goto fail;
1231 }
1232
1233 if (!S_ISFIFO(st.st_mode) ||
1234 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1235 st.st_uid != getuid() ||
1236 st.st_gid != getgid()) {
1237 r = -EEXIST;
1238 goto fail;
1239 }
1240
1241 r = fd;
1242 fd = -1;
1243
1244 return r;
1245
1246 fail:
1247 mac_selinux_create_file_clear();
1248 return r;
1249 }
1250
1251 static int special_address_create(const char *path, bool writable) {
1252 _cleanup_close_ int fd = -1;
1253 struct stat st;
1254 int r;
1255
1256 assert(path);
1257
1258 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1259 if (fd < 0)
1260 return -errno;
1261
1262 if (fstat(fd, &st) < 0)
1263 return -errno;
1264
1265 /* Check whether this is a /proc, /sys or /dev file or char device */
1266 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1267 return -EEXIST;
1268
1269 r = fd;
1270 fd = -1;
1271
1272 return r;
1273 }
1274
1275 static int usbffs_address_create(const char *path) {
1276 _cleanup_close_ int fd = -1;
1277 struct stat st;
1278 int r;
1279
1280 assert(path);
1281
1282 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1283 if (fd < 0)
1284 return -errno;
1285
1286 if (fstat(fd, &st) < 0)
1287 return -errno;
1288
1289 /* Check whether this is a regular file (ffs endpoint) */
1290 if (!S_ISREG(st.st_mode))
1291 return -EEXIST;
1292
1293 r = fd;
1294 fd = -1;
1295
1296 return r;
1297 }
1298
1299 static int mq_address_create(
1300 const char *path,
1301 mode_t mq_mode,
1302 long maxmsg,
1303 long msgsize) {
1304
1305 _cleanup_close_ int fd = -1;
1306 struct stat st;
1307 mode_t old_mask;
1308 struct mq_attr _attr, *attr = NULL;
1309 int r;
1310
1311 assert(path);
1312
1313 if (maxmsg > 0 && msgsize > 0) {
1314 _attr = (struct mq_attr) {
1315 .mq_flags = O_NONBLOCK,
1316 .mq_maxmsg = maxmsg,
1317 .mq_msgsize = msgsize,
1318 };
1319 attr = &_attr;
1320 }
1321
1322 /* Enforce the right access mode for the mq */
1323 old_mask = umask(~ mq_mode);
1324
1325 /* Include the original umask in our mask */
1326 (void) umask(~mq_mode | old_mask);
1327 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1328 (void) umask(old_mask);
1329
1330 if (fd < 0)
1331 return -errno;
1332
1333 if (fstat(fd, &st) < 0)
1334 return -errno;
1335
1336 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1337 st.st_uid != getuid() ||
1338 st.st_gid != getgid())
1339 return -EEXIST;
1340
1341 r = fd;
1342 fd = -1;
1343
1344 return r;
1345 }
1346
1347 static int socket_symlink(Socket *s) {
1348 const char *p;
1349 char **i;
1350 int r;
1351
1352 assert(s);
1353
1354 p = socket_find_symlink_target(s);
1355 if (!p)
1356 return 0;
1357
1358 STRV_FOREACH(i, s->symlinks) {
1359 (void) mkdir_parents_label(*i, s->directory_mode);
1360
1361 r = symlink_idempotent(p, *i);
1362
1363 if (r == -EEXIST && s->remove_on_stop) {
1364 /* If there's already something where we want to create the symlink, and the destructive
1365 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1366 * again. */
1367
1368 if (unlink(*i) >= 0)
1369 r = symlink_idempotent(p, *i);
1370 }
1371
1372 if (r < 0)
1373 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1374 }
1375
1376 return 0;
1377 }
1378
1379 static int usbffs_write_descs(int fd, Service *s) {
1380 int r;
1381
1382 if (!s->usb_function_descriptors || !s->usb_function_strings)
1383 return -EINVAL;
1384
1385 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1386 if (r < 0)
1387 return r;
1388
1389 return copy_file_fd(s->usb_function_strings, fd, 0);
1390 }
1391
1392 static int usbffs_select_ep(const struct dirent *d) {
1393 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1394 }
1395
1396 static int usbffs_dispatch_eps(SocketPort *p) {
1397 _cleanup_free_ struct dirent **ent = NULL;
1398 int r, i, n, k;
1399
1400 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1401 if (r < 0)
1402 return -errno;
1403
1404 n = r;
1405 p->auxiliary_fds = new(int, n);
1406 if (!p->auxiliary_fds)
1407 return -ENOMEM;
1408
1409 p->n_auxiliary_fds = n;
1410
1411 k = 0;
1412 for (i = 0; i < n; ++i) {
1413 _cleanup_free_ char *ep = NULL;
1414
1415 ep = path_make_absolute(ent[i]->d_name, p->path);
1416 if (!ep)
1417 return -ENOMEM;
1418
1419 path_kill_slashes(ep);
1420
1421 r = usbffs_address_create(ep);
1422 if (r < 0)
1423 goto fail;
1424
1425 p->auxiliary_fds[k] = r;
1426
1427 ++k;
1428 free(ent[i]);
1429 }
1430
1431 return r;
1432
1433 fail:
1434 close_many(p->auxiliary_fds, k);
1435 p->auxiliary_fds = mfree(p->auxiliary_fds);
1436 p->n_auxiliary_fds = 0;
1437
1438 return r;
1439 }
1440
1441 static int socket_determine_selinux_label(Socket *s, char **ret) {
1442 ExecCommand *c;
1443 int r;
1444
1445 assert(s);
1446 assert(ret);
1447
1448 if (s->selinux_context_from_net) {
1449 /* If this is requested, get label from the network label */
1450
1451 r = mac_selinux_get_our_label(ret);
1452 if (r == -EOPNOTSUPP)
1453 goto no_label;
1454
1455 } else {
1456 /* Otherwise, get it from the executable we are about to start */
1457 r = socket_instantiate_service(s);
1458 if (r < 0)
1459 return r;
1460
1461 if (!UNIT_ISSET(s->service))
1462 goto no_label;
1463
1464 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1465 if (!c)
1466 goto no_label;
1467
1468 r = mac_selinux_get_create_label_from_exe(c->path, ret);
1469 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1470 goto no_label;
1471 }
1472
1473 return r;
1474
1475 no_label:
1476 *ret = NULL;
1477 return 0;
1478 }
1479
1480 static int socket_address_listen_do(
1481 Socket *s,
1482 const SocketAddress *address,
1483 const char *label) {
1484
1485 assert(s);
1486 assert(address);
1487
1488 return socket_address_listen(
1489 address,
1490 SOCK_CLOEXEC|SOCK_NONBLOCK,
1491 s->backlog,
1492 s->bind_ipv6_only,
1493 s->bind_to_device,
1494 s->reuse_port,
1495 s->free_bind,
1496 s->transparent,
1497 s->directory_mode,
1498 s->socket_mode,
1499 label);
1500 }
1501
1502 static int socket_address_listen_in_cgroup(
1503 Socket *s,
1504 const SocketAddress *address,
1505 const char *label) {
1506
1507 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1508 int fd, r;
1509 pid_t pid;
1510
1511 assert(s);
1512 assert(address);
1513
1514 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1515 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1516 * unit's cgroup for the purpose of BPF filtering and such. */
1517
1518 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1519 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1520
1521 r = bpf_firewall_supported();
1522 if (r < 0)
1523 return r;
1524 if (r == 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1525 goto shortcut;
1526
1527 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1528 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1529
1530 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1531 if (r < 0)
1532 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1533 if (r == 0) {
1534 /* Child */
1535
1536 pair[0] = safe_close(pair[0]);
1537
1538 fd = socket_address_listen_do(s, address, label);
1539 if (fd < 0) {
1540 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1541 _exit(EXIT_FAILURE);
1542 }
1543
1544 r = send_one_fd(pair[1], fd, 0);
1545 if (r < 0) {
1546 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1547 _exit(EXIT_FAILURE);
1548 }
1549
1550 _exit(EXIT_SUCCESS);
1551 }
1552
1553 pair[1] = safe_close(pair[1]);
1554 fd = receive_one_fd(pair[0], 0);
1555
1556 /* We synchronously wait for the helper, as it shouldn't be slow */
1557 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1558 if (r < 0) {
1559 safe_close(fd);
1560 return r;
1561 }
1562
1563 if (fd < 0)
1564 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1565
1566 return fd;
1567
1568 shortcut:
1569 fd = socket_address_listen_do(s, address, label);
1570 if (fd < 0)
1571 return log_error_errno(fd, "Failed to create listening socket: %m");
1572
1573 return fd;
1574 }
1575
1576 static int socket_open_fds(Socket *s) {
1577 _cleanup_(mac_selinux_freep) char *label = NULL;
1578 bool know_label = false;
1579 SocketPort *p;
1580 int r;
1581
1582 assert(s);
1583
1584 LIST_FOREACH(port, p, s->ports) {
1585
1586 if (p->fd >= 0)
1587 continue;
1588
1589 switch (p->type) {
1590
1591 case SOCKET_SOCKET:
1592
1593 if (!know_label) {
1594 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1595 * we need this and remember it for the rest. */
1596
1597 r = socket_determine_selinux_label(s, &label);
1598 if (r < 0)
1599 goto rollback;
1600
1601 know_label = true;
1602 }
1603
1604 /* Apply the socket protocol */
1605 switch (p->address.type) {
1606
1607 case SOCK_STREAM:
1608 case SOCK_SEQPACKET:
1609 if (s->socket_protocol == IPPROTO_SCTP)
1610 p->address.protocol = s->socket_protocol;
1611 break;
1612
1613 case SOCK_DGRAM:
1614 if (s->socket_protocol == IPPROTO_UDPLITE)
1615 p->address.protocol = s->socket_protocol;
1616 break;
1617 }
1618
1619 r = socket_address_listen_in_cgroup(s, &p->address, label);
1620 if (r < 0)
1621 goto rollback;
1622
1623 p->fd = r;
1624 socket_apply_socket_options(s, p->fd);
1625 socket_symlink(s);
1626 break;
1627
1628 case SOCKET_SPECIAL:
1629
1630 p->fd = special_address_create(p->path, s->writable);
1631 if (p->fd < 0) {
1632 r = p->fd;
1633 goto rollback;
1634 }
1635 break;
1636
1637 case SOCKET_FIFO:
1638
1639 p->fd = fifo_address_create(
1640 p->path,
1641 s->directory_mode,
1642 s->socket_mode);
1643 if (p->fd < 0) {
1644 r = p->fd;
1645 goto rollback;
1646 }
1647
1648 socket_apply_fifo_options(s, p->fd);
1649 socket_symlink(s);
1650 break;
1651
1652 case SOCKET_MQUEUE:
1653
1654 p->fd = mq_address_create(
1655 p->path,
1656 s->socket_mode,
1657 s->mq_maxmsg,
1658 s->mq_msgsize);
1659 if (p->fd < 0) {
1660 r = p->fd;
1661 goto rollback;
1662 }
1663 break;
1664
1665 case SOCKET_USB_FUNCTION: {
1666 _cleanup_free_ char *ep = NULL;
1667
1668 ep = path_make_absolute("ep0", p->path);
1669
1670 p->fd = usbffs_address_create(ep);
1671 if (p->fd < 0) {
1672 r = p->fd;
1673 goto rollback;
1674 }
1675
1676 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1677 if (r < 0)
1678 goto rollback;
1679
1680 r = usbffs_dispatch_eps(p);
1681 if (r < 0)
1682 goto rollback;
1683
1684 break;
1685 }
1686 default:
1687 assert_not_reached("Unknown port type");
1688 }
1689 }
1690
1691 return 0;
1692
1693 rollback:
1694 socket_close_fds(s);
1695 return r;
1696 }
1697
1698 static void socket_unwatch_fds(Socket *s) {
1699 SocketPort *p;
1700 int r;
1701
1702 assert(s);
1703
1704 LIST_FOREACH(port, p, s->ports) {
1705 if (p->fd < 0)
1706 continue;
1707
1708 if (!p->event_source)
1709 continue;
1710
1711 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1712 if (r < 0)
1713 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1714 }
1715 }
1716
1717 static int socket_watch_fds(Socket *s) {
1718 SocketPort *p;
1719 int r;
1720
1721 assert(s);
1722
1723 LIST_FOREACH(port, p, s->ports) {
1724 if (p->fd < 0)
1725 continue;
1726
1727 if (p->event_source) {
1728 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1729 if (r < 0)
1730 goto fail;
1731 } else {
1732 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1733 if (r < 0)
1734 goto fail;
1735
1736 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1737 }
1738 }
1739
1740 return 0;
1741
1742 fail:
1743 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1744 socket_unwatch_fds(s);
1745 return r;
1746 }
1747
1748 enum {
1749 SOCKET_OPEN_NONE,
1750 SOCKET_OPEN_SOME,
1751 SOCKET_OPEN_ALL,
1752 };
1753
1754 static int socket_check_open(Socket *s) {
1755 bool have_open = false, have_closed = false;
1756 SocketPort *p;
1757
1758 assert(s);
1759
1760 LIST_FOREACH(port, p, s->ports) {
1761 if (p->fd < 0)
1762 have_closed = true;
1763 else
1764 have_open = true;
1765
1766 if (have_open && have_closed)
1767 return SOCKET_OPEN_SOME;
1768 }
1769
1770 if (have_open)
1771 return SOCKET_OPEN_ALL;
1772
1773 return SOCKET_OPEN_NONE;
1774 }
1775
1776 static void socket_set_state(Socket *s, SocketState state) {
1777 SocketState old_state;
1778 assert(s);
1779
1780 old_state = s->state;
1781 s->state = state;
1782
1783 if (!IN_SET(state,
1784 SOCKET_START_PRE,
1785 SOCKET_START_CHOWN,
1786 SOCKET_START_POST,
1787 SOCKET_STOP_PRE,
1788 SOCKET_STOP_PRE_SIGTERM,
1789 SOCKET_STOP_PRE_SIGKILL,
1790 SOCKET_STOP_POST,
1791 SOCKET_FINAL_SIGTERM,
1792 SOCKET_FINAL_SIGKILL)) {
1793
1794 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1795 socket_unwatch_control_pid(s);
1796 s->control_command = NULL;
1797 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1798 }
1799
1800 if (state != SOCKET_LISTENING)
1801 socket_unwatch_fds(s);
1802
1803 if (!IN_SET(state,
1804 SOCKET_START_CHOWN,
1805 SOCKET_START_POST,
1806 SOCKET_LISTENING,
1807 SOCKET_RUNNING,
1808 SOCKET_STOP_PRE,
1809 SOCKET_STOP_PRE_SIGTERM,
1810 SOCKET_STOP_PRE_SIGKILL))
1811 socket_close_fds(s);
1812
1813 if (state != old_state)
1814 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1815
1816 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
1817 }
1818
1819 static int socket_coldplug(Unit *u) {
1820 Socket *s = SOCKET(u);
1821 int r;
1822
1823 assert(s);
1824 assert(s->state == SOCKET_DEAD);
1825
1826 if (s->deserialized_state == s->state)
1827 return 0;
1828
1829 if (s->control_pid > 0 &&
1830 pid_is_unwaited(s->control_pid) &&
1831 IN_SET(s->deserialized_state,
1832 SOCKET_START_PRE,
1833 SOCKET_START_CHOWN,
1834 SOCKET_START_POST,
1835 SOCKET_STOP_PRE,
1836 SOCKET_STOP_PRE_SIGTERM,
1837 SOCKET_STOP_PRE_SIGKILL,
1838 SOCKET_STOP_POST,
1839 SOCKET_FINAL_SIGTERM,
1840 SOCKET_FINAL_SIGKILL)) {
1841
1842 r = unit_watch_pid(UNIT(s), s->control_pid);
1843 if (r < 0)
1844 return r;
1845
1846 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1847 if (r < 0)
1848 return r;
1849 }
1850
1851 if (IN_SET(s->deserialized_state,
1852 SOCKET_START_CHOWN,
1853 SOCKET_START_POST,
1854 SOCKET_LISTENING,
1855 SOCKET_RUNNING)) {
1856
1857 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1858 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1859 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1860 * and if there's a mismatch, warn loudly. */
1861
1862 r = socket_check_open(s);
1863 if (r == SOCKET_OPEN_NONE)
1864 log_unit_warning(UNIT(s),
1865 "Socket unit configuration has changed while unit has been running, "
1866 "no open socket file descriptor left. "
1867 "The socket unit is not functional until restarted.");
1868 else if (r == SOCKET_OPEN_SOME)
1869 log_unit_warning(UNIT(s),
1870 "Socket unit configuration has changed while unit has been running, "
1871 "and some socket file descriptors have not been opened yet. "
1872 "The socket unit is not fully functional until restarted.");
1873 }
1874
1875 if (s->deserialized_state == SOCKET_LISTENING) {
1876 r = socket_watch_fds(s);
1877 if (r < 0)
1878 return r;
1879 }
1880
1881 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED))
1882 (void) unit_setup_dynamic_creds(u);
1883
1884 socket_set_state(s, s->deserialized_state);
1885 return 0;
1886 }
1887
1888 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1889
1890 ExecParameters exec_params = {
1891 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1892 .stdin_fd = -1,
1893 .stdout_fd = -1,
1894 .stderr_fd = -1,
1895 };
1896 pid_t pid;
1897 int r;
1898
1899 assert(s);
1900 assert(c);
1901 assert(_pid);
1902
1903 r = unit_prepare_exec(UNIT(s));
1904 if (r < 0)
1905 return r;
1906
1907 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1908 if (r < 0)
1909 return r;
1910
1911 manager_set_exec_params(UNIT(s)->manager, &exec_params);
1912 unit_set_exec_params(UNIT(s), &exec_params);
1913
1914 exec_params.argv = c->argv;
1915
1916 r = exec_spawn(UNIT(s),
1917 c,
1918 &s->exec_context,
1919 &exec_params,
1920 s->exec_runtime,
1921 &s->dynamic_creds,
1922 &pid);
1923 if (r < 0)
1924 return r;
1925
1926 r = unit_watch_pid(UNIT(s), pid);
1927 if (r < 0)
1928 /* FIXME: we need to do something here */
1929 return r;
1930
1931 *_pid = pid;
1932
1933 return 0;
1934 }
1935
1936 static int socket_chown(Socket *s, pid_t *_pid) {
1937 pid_t pid;
1938 int r;
1939
1940 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1941 if (r < 0)
1942 goto fail;
1943
1944 /* We have to resolve the user names out-of-process, hence
1945 * let's fork here. It's messy, but well, what can we do? */
1946
1947 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1948 if (r < 0)
1949 return r;
1950 if (r == 0) {
1951 uid_t uid = UID_INVALID;
1952 gid_t gid = GID_INVALID;
1953 SocketPort *p;
1954
1955 /* Child */
1956
1957 if (!isempty(s->user)) {
1958 const char *user = s->user;
1959
1960 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1961 if (r < 0) {
1962 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1963 _exit(EXIT_USER);
1964 }
1965 }
1966
1967 if (!isempty(s->group)) {
1968 const char *group = s->group;
1969
1970 r = get_group_creds(&group, &gid);
1971 if (r < 0) {
1972 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1973 _exit(EXIT_GROUP);
1974 }
1975 }
1976
1977 LIST_FOREACH(port, p, s->ports) {
1978 const char *path = NULL;
1979
1980 if (p->type == SOCKET_SOCKET)
1981 path = socket_address_get_path(&p->address);
1982 else if (p->type == SOCKET_FIFO)
1983 path = p->path;
1984
1985 if (!path)
1986 continue;
1987
1988 if (chown(path, uid, gid) < 0) {
1989 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1990 _exit(EXIT_CHOWN);
1991 }
1992 }
1993
1994 _exit(EXIT_SUCCESS);
1995 }
1996
1997 r = unit_watch_pid(UNIT(s), pid);
1998 if (r < 0)
1999 goto fail;
2000
2001 *_pid = pid;
2002 return 0;
2003
2004 fail:
2005 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
2006 return r;
2007 }
2008
2009 static void socket_enter_dead(Socket *s, SocketResult f) {
2010 assert(s);
2011
2012 if (s->result == SOCKET_SUCCESS)
2013 s->result = f;
2014
2015 if (s->result != SOCKET_SUCCESS)
2016 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2017
2018 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2019
2020 exec_runtime_destroy(s->exec_runtime);
2021 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
2022
2023 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2024
2025 unit_unref_uid_gid(UNIT(s), true);
2026
2027 dynamic_creds_destroy(&s->dynamic_creds);
2028 }
2029
2030 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2031
2032 static void socket_enter_stop_post(Socket *s, SocketResult f) {
2033 int r;
2034 assert(s);
2035
2036 if (s->result == SOCKET_SUCCESS)
2037 s->result = f;
2038
2039 socket_unwatch_control_pid(s);
2040 s->control_command_id = SOCKET_EXEC_STOP_POST;
2041 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2042
2043 if (s->control_command) {
2044 r = socket_spawn(s, s->control_command, &s->control_pid);
2045 if (r < 0)
2046 goto fail;
2047
2048 socket_set_state(s, SOCKET_STOP_POST);
2049 } else
2050 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2051
2052 return;
2053
2054 fail:
2055 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2056 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2057 }
2058
2059 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2060 int r;
2061
2062 assert(s);
2063
2064 if (s->result == SOCKET_SUCCESS)
2065 s->result = f;
2066
2067 r = unit_kill_context(
2068 UNIT(s),
2069 &s->kill_context,
2070 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2071 KILL_KILL : KILL_TERMINATE,
2072 -1,
2073 s->control_pid,
2074 false);
2075 if (r < 0)
2076 goto fail;
2077
2078 if (r > 0) {
2079 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2080 if (r < 0)
2081 goto fail;
2082
2083 socket_set_state(s, state);
2084 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2085 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2086 else if (state == SOCKET_STOP_PRE_SIGKILL)
2087 socket_enter_stop_post(s, SOCKET_SUCCESS);
2088 else if (state == SOCKET_FINAL_SIGTERM)
2089 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2090 else
2091 socket_enter_dead(s, SOCKET_SUCCESS);
2092
2093 return;
2094
2095 fail:
2096 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2097
2098 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2099 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2100 else
2101 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2102 }
2103
2104 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2105 int r;
2106 assert(s);
2107
2108 if (s->result == SOCKET_SUCCESS)
2109 s->result = f;
2110
2111 socket_unwatch_control_pid(s);
2112 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2113 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2114
2115 if (s->control_command) {
2116 r = socket_spawn(s, s->control_command, &s->control_pid);
2117 if (r < 0)
2118 goto fail;
2119
2120 socket_set_state(s, SOCKET_STOP_PRE);
2121 } else
2122 socket_enter_stop_post(s, SOCKET_SUCCESS);
2123
2124 return;
2125
2126 fail:
2127 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2128 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2129 }
2130
2131 static void socket_enter_listening(Socket *s) {
2132 int r;
2133 assert(s);
2134
2135 r = socket_watch_fds(s);
2136 if (r < 0) {
2137 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2138 goto fail;
2139 }
2140
2141 socket_set_state(s, SOCKET_LISTENING);
2142 return;
2143
2144 fail:
2145 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2146 }
2147
2148 static void socket_enter_start_post(Socket *s) {
2149 int r;
2150 assert(s);
2151
2152 socket_unwatch_control_pid(s);
2153 s->control_command_id = SOCKET_EXEC_START_POST;
2154 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2155
2156 if (s->control_command) {
2157 r = socket_spawn(s, s->control_command, &s->control_pid);
2158 if (r < 0) {
2159 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2160 goto fail;
2161 }
2162
2163 socket_set_state(s, SOCKET_START_POST);
2164 } else
2165 socket_enter_listening(s);
2166
2167 return;
2168
2169 fail:
2170 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2171 }
2172
2173 static void socket_enter_start_chown(Socket *s) {
2174 int r;
2175
2176 assert(s);
2177
2178 r = socket_open_fds(s);
2179 if (r < 0) {
2180 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2181 goto fail;
2182 }
2183
2184 if (!isempty(s->user) || !isempty(s->group)) {
2185
2186 socket_unwatch_control_pid(s);
2187 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2188 s->control_command = NULL;
2189
2190 r = socket_chown(s, &s->control_pid);
2191 if (r < 0) {
2192 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2193 goto fail;
2194 }
2195
2196 socket_set_state(s, SOCKET_START_CHOWN);
2197 } else
2198 socket_enter_start_post(s);
2199
2200 return;
2201
2202 fail:
2203 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2204 }
2205
2206 static void socket_enter_start_pre(Socket *s) {
2207 int r;
2208 assert(s);
2209
2210 socket_unwatch_control_pid(s);
2211
2212 unit_warn_leftover_processes(UNIT(s));
2213
2214 s->control_command_id = SOCKET_EXEC_START_PRE;
2215 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2216
2217 if (s->control_command) {
2218 r = socket_spawn(s, s->control_command, &s->control_pid);
2219 if (r < 0) {
2220 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2221 goto fail;
2222 }
2223
2224 socket_set_state(s, SOCKET_START_PRE);
2225 } else
2226 socket_enter_start_chown(s);
2227
2228 return;
2229
2230 fail:
2231 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2232 }
2233
2234 static void flush_ports(Socket *s) {
2235 SocketPort *p;
2236
2237 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2238 * anymore */
2239
2240 LIST_FOREACH(port, p, s->ports) {
2241 if (p->fd < 0)
2242 continue;
2243
2244 (void) flush_accept(p->fd);
2245 (void) flush_fd(p->fd);
2246 }
2247 }
2248
2249 static void socket_enter_running(Socket *s, int cfd) {
2250 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2251 int r;
2252
2253 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2254 * close it. */
2255
2256 assert(s);
2257
2258 /* We don't take connections anymore if we are supposed to shut down anyway */
2259 if (unit_stop_pending(UNIT(s))) {
2260
2261 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2262
2263 if (cfd >= 0)
2264 cfd = safe_close(cfd);
2265 else
2266 flush_ports(s);
2267
2268 return;
2269 }
2270
2271 if (!ratelimit_test(&s->trigger_limit)) {
2272 safe_close(cfd);
2273 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2274 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2275 return;
2276 }
2277
2278 if (cfd < 0) {
2279 bool pending = false;
2280 Unit *other;
2281 Iterator i;
2282 void *v;
2283
2284 /* If there's already a start pending don't bother to
2285 * do anything */
2286 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2287 if (unit_active_or_pending(other)) {
2288 pending = true;
2289 break;
2290 }
2291
2292 if (!pending) {
2293 if (!UNIT_ISSET(s->service)) {
2294 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2295 r = -ENOENT;
2296 goto fail;
2297 }
2298
2299 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2300 if (r < 0)
2301 goto fail;
2302 }
2303
2304 socket_set_state(s, SOCKET_RUNNING);
2305 } else {
2306 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2307 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2308 Service *service;
2309
2310 if (s->n_connections >= s->max_connections) {
2311 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2312 s->n_connections);
2313 safe_close(cfd);
2314 return;
2315 }
2316
2317 if (s->max_connections_per_source > 0) {
2318 r = socket_acquire_peer(s, cfd, &p);
2319 if (r < 0) {
2320 safe_close(cfd);
2321 return;
2322 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2323 _cleanup_free_ char *t = NULL;
2324
2325 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2326
2327 log_unit_warning(UNIT(s),
2328 "Too many incoming connections (%u) from source %s, dropping connection.",
2329 p->n_ref, strnull(t));
2330 safe_close(cfd);
2331 return;
2332 }
2333 }
2334
2335 r = socket_instantiate_service(s);
2336 if (r < 0)
2337 goto fail;
2338
2339 r = instance_from_socket(cfd, s->n_accepted, &instance);
2340 if (r < 0) {
2341 if (r != -ENOTCONN)
2342 goto fail;
2343
2344 /* ENOTCONN is legitimate if TCP RST was received.
2345 * This connection is over, but the socket unit lives on. */
2346 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2347 safe_close(cfd);
2348 return;
2349 }
2350
2351 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2352 if (r < 0)
2353 goto fail;
2354
2355 r = unit_name_build(prefix, instance, ".service", &name);
2356 if (r < 0)
2357 goto fail;
2358
2359 r = unit_add_name(UNIT_DEREF(s->service), name);
2360 if (r < 0)
2361 goto fail;
2362
2363 service = SERVICE(UNIT_DEREF(s->service));
2364 unit_ref_unset(&s->service);
2365
2366 s->n_accepted++;
2367 unit_choose_id(UNIT(service), name);
2368
2369 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2370 if (r < 0)
2371 goto fail;
2372
2373 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2374 s->n_connections++;
2375
2376 service->peer = p; /* Pass ownership of the peer reference */
2377 p = NULL;
2378
2379 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2380 if (r < 0) {
2381 /* We failed to activate the new service, but it still exists. Let's make sure the service
2382 * closes and forgets the connection fd again, immediately. */
2383 service_close_socket_fd(service);
2384 goto fail;
2385 }
2386
2387 /* Notify clients about changed counters */
2388 unit_add_to_dbus_queue(UNIT(s));
2389 }
2390
2391 return;
2392
2393 fail:
2394 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2395 cfd >= 0 ? "template" : "non-template",
2396 bus_error_message(&error, r));
2397
2398 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2399 safe_close(cfd);
2400 }
2401
2402 static void socket_run_next(Socket *s) {
2403 int r;
2404
2405 assert(s);
2406 assert(s->control_command);
2407 assert(s->control_command->command_next);
2408
2409 socket_unwatch_control_pid(s);
2410
2411 s->control_command = s->control_command->command_next;
2412
2413 r = socket_spawn(s, s->control_command, &s->control_pid);
2414 if (r < 0)
2415 goto fail;
2416
2417 return;
2418
2419 fail:
2420 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2421
2422 if (s->state == SOCKET_START_POST)
2423 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2424 else if (s->state == SOCKET_STOP_POST)
2425 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2426 else
2427 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2428 }
2429
2430 static int socket_start(Unit *u) {
2431 Socket *s = SOCKET(u);
2432 int r;
2433
2434 assert(s);
2435
2436 /* We cannot fulfill this request right now, try again later
2437 * please! */
2438 if (IN_SET(s->state,
2439 SOCKET_STOP_PRE,
2440 SOCKET_STOP_PRE_SIGKILL,
2441 SOCKET_STOP_PRE_SIGTERM,
2442 SOCKET_STOP_POST,
2443 SOCKET_FINAL_SIGTERM,
2444 SOCKET_FINAL_SIGKILL))
2445 return -EAGAIN;
2446
2447 /* Already on it! */
2448 if (IN_SET(s->state,
2449 SOCKET_START_PRE,
2450 SOCKET_START_CHOWN,
2451 SOCKET_START_POST))
2452 return 0;
2453
2454 /* Cannot run this without the service being around */
2455 if (UNIT_ISSET(s->service)) {
2456 Service *service;
2457
2458 service = SERVICE(UNIT_DEREF(s->service));
2459
2460 if (UNIT(service)->load_state != UNIT_LOADED) {
2461 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2462 return -ENOENT;
2463 }
2464
2465 /* If the service is already active we cannot start the
2466 * socket */
2467 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2468 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2469 return -EBUSY;
2470 }
2471 }
2472
2473 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2474
2475 r = unit_start_limit_test(u);
2476 if (r < 0) {
2477 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2478 return r;
2479 }
2480
2481 r = unit_acquire_invocation_id(u);
2482 if (r < 0)
2483 return r;
2484
2485 s->result = SOCKET_SUCCESS;
2486
2487 u->reset_accounting = true;
2488
2489 socket_enter_start_pre(s);
2490 return 1;
2491 }
2492
2493 static int socket_stop(Unit *u) {
2494 Socket *s = SOCKET(u);
2495
2496 assert(s);
2497
2498 /* Already on it */
2499 if (IN_SET(s->state,
2500 SOCKET_STOP_PRE,
2501 SOCKET_STOP_PRE_SIGTERM,
2502 SOCKET_STOP_PRE_SIGKILL,
2503 SOCKET_STOP_POST,
2504 SOCKET_FINAL_SIGTERM,
2505 SOCKET_FINAL_SIGKILL))
2506 return 0;
2507
2508 /* If there's already something running we go directly into
2509 * kill mode. */
2510 if (IN_SET(s->state,
2511 SOCKET_START_PRE,
2512 SOCKET_START_CHOWN,
2513 SOCKET_START_POST)) {
2514 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2515 return -EAGAIN;
2516 }
2517
2518 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2519
2520 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2521 return 1;
2522 }
2523
2524 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2525 Socket *s = SOCKET(u);
2526 SocketPort *p;
2527 int r;
2528
2529 assert(u);
2530 assert(f);
2531 assert(fds);
2532
2533 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2534 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2535 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2536
2537 if (s->control_pid > 0)
2538 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2539
2540 if (s->control_command_id >= 0)
2541 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2542
2543 LIST_FOREACH(port, p, s->ports) {
2544 int copy;
2545
2546 if (p->fd < 0)
2547 continue;
2548
2549 copy = fdset_put_dup(fds, p->fd);
2550 if (copy < 0)
2551 return copy;
2552
2553 if (p->type == SOCKET_SOCKET) {
2554 _cleanup_free_ char *t = NULL;
2555
2556 r = socket_address_print(&p->address, &t);
2557 if (r < 0)
2558 return r;
2559
2560 if (socket_address_family(&p->address) == AF_NETLINK)
2561 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2562 else
2563 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2564
2565 } else if (p->type == SOCKET_SPECIAL)
2566 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2567 else if (p->type == SOCKET_MQUEUE)
2568 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2569 else if (p->type == SOCKET_USB_FUNCTION)
2570 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2571 else {
2572 assert(p->type == SOCKET_FIFO);
2573 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2574 }
2575 }
2576
2577 return 0;
2578 }
2579
2580 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2581 safe_close(p->fd);
2582 p->fd = fdset_remove(fds, fd);
2583 }
2584
2585 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2586 Socket *s = SOCKET(u);
2587
2588 assert(u);
2589 assert(key);
2590 assert(value);
2591
2592 if (streq(key, "state")) {
2593 SocketState state;
2594
2595 state = socket_state_from_string(value);
2596 if (state < 0)
2597 log_unit_debug(u, "Failed to parse state value: %s", value);
2598 else
2599 s->deserialized_state = state;
2600 } else if (streq(key, "result")) {
2601 SocketResult f;
2602
2603 f = socket_result_from_string(value);
2604 if (f < 0)
2605 log_unit_debug(u, "Failed to parse result value: %s", value);
2606 else if (f != SOCKET_SUCCESS)
2607 s->result = f;
2608
2609 } else if (streq(key, "n-accepted")) {
2610 unsigned k;
2611
2612 if (safe_atou(value, &k) < 0)
2613 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2614 else
2615 s->n_accepted += k;
2616 } else if (streq(key, "control-pid")) {
2617 pid_t pid;
2618
2619 if (parse_pid(value, &pid) < 0)
2620 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2621 else
2622 s->control_pid = pid;
2623 } else if (streq(key, "control-command")) {
2624 SocketExecCommand id;
2625
2626 id = socket_exec_command_from_string(value);
2627 if (id < 0)
2628 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2629 else {
2630 s->control_command_id = id;
2631 s->control_command = s->exec_command[id];
2632 }
2633 } else if (streq(key, "fifo")) {
2634 int fd, skip = 0;
2635 SocketPort *p;
2636
2637 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2638 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2639 else
2640 LIST_FOREACH(port, p, s->ports)
2641 if (p->type == SOCKET_FIFO &&
2642 path_equal_or_files_same(p->path, value+skip, 0)) {
2643 socket_port_take_fd(p, fds, fd);
2644 break;
2645 }
2646
2647 } else if (streq(key, "special")) {
2648 int fd, skip = 0;
2649 SocketPort *p;
2650
2651 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2652 log_unit_debug(u, "Failed to parse special value: %s", value);
2653 else
2654 LIST_FOREACH(port, p, s->ports)
2655 if (p->type == SOCKET_SPECIAL &&
2656 path_equal_or_files_same(p->path, value+skip, 0)) {
2657 socket_port_take_fd(p, fds, fd);
2658 break;
2659 }
2660
2661 } else if (streq(key, "mqueue")) {
2662 int fd, skip = 0;
2663 SocketPort *p;
2664
2665 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2666 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2667 else
2668 LIST_FOREACH(port, p, s->ports)
2669 if (p->type == SOCKET_MQUEUE &&
2670 streq(p->path, value+skip)) {
2671 socket_port_take_fd(p, fds, fd);
2672 break;
2673 }
2674
2675 } else if (streq(key, "socket")) {
2676 int fd, type, skip = 0;
2677 SocketPort *p;
2678
2679 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2680 log_unit_debug(u, "Failed to parse socket value: %s", value);
2681 else
2682 LIST_FOREACH(port, p, s->ports)
2683 if (socket_address_is(&p->address, value+skip, type)) {
2684 socket_port_take_fd(p, fds, fd);
2685 break;
2686 }
2687
2688 } else if (streq(key, "netlink")) {
2689 int fd, skip = 0;
2690 SocketPort *p;
2691
2692 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2693 log_unit_debug(u, "Failed to parse socket value: %s", value);
2694 else
2695 LIST_FOREACH(port, p, s->ports)
2696 if (socket_address_is_netlink(&p->address, value+skip)) {
2697 socket_port_take_fd(p, fds, fd);
2698 break;
2699 }
2700
2701 } else if (streq(key, "ffs")) {
2702 int fd, skip = 0;
2703 SocketPort *p;
2704
2705 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2706 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2707 else
2708 LIST_FOREACH(port, p, s->ports)
2709 if (p->type == SOCKET_USB_FUNCTION &&
2710 path_equal_or_files_same(p->path, value+skip, 0)) {
2711 socket_port_take_fd(p, fds, fd);
2712 break;
2713 }
2714
2715 } else
2716 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2717
2718 return 0;
2719 }
2720
2721 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2722 Socket *s = SOCKET(u);
2723 SocketPort *p;
2724
2725 assert(u);
2726
2727 LIST_FOREACH(port, p, s->ports) {
2728 Iterator i;
2729 int fd;
2730
2731 if (p->type != SOCKET_SOCKET)
2732 continue;
2733
2734 if (p->fd >= 0)
2735 continue;
2736
2737 FDSET_FOREACH(fd, fds, i) {
2738 if (socket_address_matches_fd(&p->address, fd)) {
2739 p->fd = fdset_remove(fds, fd);
2740 s->deserialized_state = SOCKET_LISTENING;
2741 break;
2742 }
2743 }
2744 }
2745 }
2746
2747 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2748 assert(u);
2749
2750 return state_translation_table[SOCKET(u)->state];
2751 }
2752
2753 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2754 assert(u);
2755
2756 return socket_state_to_string(SOCKET(u)->state);
2757 }
2758
2759 const char* socket_port_type_to_string(SocketPort *p) {
2760
2761 assert(p);
2762
2763 switch (p->type) {
2764
2765 case SOCKET_SOCKET:
2766
2767 switch (p->address.type) {
2768
2769 case SOCK_STREAM:
2770 return "Stream";
2771
2772 case SOCK_DGRAM:
2773 return "Datagram";
2774
2775 case SOCK_SEQPACKET:
2776 return "SequentialPacket";
2777
2778 case SOCK_RAW:
2779 if (socket_address_family(&p->address) == AF_NETLINK)
2780 return "Netlink";
2781
2782 _fallthrough_;
2783 default:
2784 return NULL;
2785 }
2786
2787 case SOCKET_SPECIAL:
2788 return "Special";
2789
2790 case SOCKET_MQUEUE:
2791 return "MessageQueue";
2792
2793 case SOCKET_FIFO:
2794 return "FIFO";
2795
2796 case SOCKET_USB_FUNCTION:
2797 return "USBFunction";
2798
2799 default:
2800 return NULL;
2801 }
2802 }
2803
2804 SocketType socket_port_type_from_string(const char *s) {
2805 assert(s);
2806
2807 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2808 return SOCKET_SOCKET;
2809 else if (streq(s, "Special"))
2810 return SOCKET_SPECIAL;
2811 else if (streq(s, "MessageQueue"))
2812 return SOCKET_MQUEUE;
2813 else if (streq(s, "FIFO"))
2814 return SOCKET_FIFO;
2815 else if (streq(s, "USBFunction"))
2816 return SOCKET_USB_FUNCTION;
2817 else
2818 return _SOCKET_TYPE_INVALID;
2819 }
2820
2821 _pure_ static bool socket_check_gc(Unit *u) {
2822 Socket *s = SOCKET(u);
2823
2824 assert(u);
2825
2826 return s->n_connections > 0;
2827 }
2828
2829 static int socket_accept_do(Socket *s, int fd) {
2830 int cfd;
2831
2832 assert(s);
2833 assert(fd >= 0);
2834
2835 for (;;) {
2836 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2837 if (cfd < 0) {
2838 if (errno == EINTR)
2839 continue;
2840
2841 return -errno;
2842 }
2843
2844 break;
2845 }
2846
2847 return cfd;
2848 }
2849
2850 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2851 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2852 int cfd, r;
2853 pid_t pid;
2854
2855 assert(s);
2856 assert(p);
2857 assert(fd >= 0);
2858
2859 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2860 * connection socket is also properly associated with the cgroup. */
2861
2862 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2863 goto shortcut;
2864
2865 r = bpf_firewall_supported();
2866 if (r < 0)
2867 return r;
2868 if (r == 0)
2869 goto shortcut;
2870
2871 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2872 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2873
2874 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2875 if (r < 0)
2876 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2877 if (r == 0) {
2878 /* Child */
2879
2880 pair[0] = safe_close(pair[0]);
2881
2882 cfd = socket_accept_do(s, fd);
2883 if (cfd < 0) {
2884 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2885 _exit(EXIT_FAILURE);
2886 }
2887
2888 r = send_one_fd(pair[1], cfd, 0);
2889 if (r < 0) {
2890 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2891 _exit(EXIT_FAILURE);
2892 }
2893
2894 _exit(EXIT_SUCCESS);
2895 }
2896
2897 pair[1] = safe_close(pair[1]);
2898 cfd = receive_one_fd(pair[0], 0);
2899
2900 /* We synchronously wait for the helper, as it shouldn't be slow */
2901 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2902 if (r < 0) {
2903 safe_close(cfd);
2904 return r;
2905 }
2906
2907 if (cfd < 0)
2908 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2909
2910 return cfd;
2911
2912 shortcut:
2913 cfd = socket_accept_do(s, fd);
2914 if (cfd < 0)
2915 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2916
2917 return cfd;
2918 }
2919
2920 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2921 SocketPort *p = userdata;
2922 int cfd = -1;
2923
2924 assert(p);
2925 assert(fd >= 0);
2926
2927 if (p->socket->state != SOCKET_LISTENING)
2928 return 0;
2929
2930 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2931
2932 if (revents != EPOLLIN) {
2933
2934 if (revents & EPOLLHUP)
2935 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2936 else
2937 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2938 goto fail;
2939 }
2940
2941 if (p->socket->accept &&
2942 p->type == SOCKET_SOCKET &&
2943 socket_address_can_accept(&p->address)) {
2944
2945 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2946 if (cfd < 0)
2947 goto fail;
2948
2949 socket_apply_socket_options(p->socket, cfd);
2950 }
2951
2952 socket_enter_running(p->socket, cfd);
2953 return 0;
2954
2955 fail:
2956 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2957 return 0;
2958 }
2959
2960 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2961 Socket *s = SOCKET(u);
2962 SocketResult f;
2963
2964 assert(s);
2965 assert(pid >= 0);
2966
2967 if (pid != s->control_pid)
2968 return;
2969
2970 s->control_pid = 0;
2971
2972 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2973 f = SOCKET_SUCCESS;
2974 else if (code == CLD_EXITED)
2975 f = SOCKET_FAILURE_EXIT_CODE;
2976 else if (code == CLD_KILLED)
2977 f = SOCKET_FAILURE_SIGNAL;
2978 else if (code == CLD_DUMPED)
2979 f = SOCKET_FAILURE_CORE_DUMP;
2980 else
2981 assert_not_reached("Unknown sigchld code");
2982
2983 if (s->control_command) {
2984 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2985
2986 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2987 f = SOCKET_SUCCESS;
2988 }
2989
2990 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2991 "Control process exited, code=%s status=%i",
2992 sigchld_code_to_string(code), status);
2993
2994 if (s->result == SOCKET_SUCCESS)
2995 s->result = f;
2996
2997 if (s->control_command &&
2998 s->control_command->command_next &&
2999 f == SOCKET_SUCCESS) {
3000
3001 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
3002 socket_run_next(s);
3003 } else {
3004 s->control_command = NULL;
3005 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
3006
3007 /* No further commands for this step, so let's figure
3008 * out what to do next */
3009
3010 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
3011
3012 switch (s->state) {
3013
3014 case SOCKET_START_PRE:
3015 if (f == SOCKET_SUCCESS)
3016 socket_enter_start_chown(s);
3017 else
3018 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
3019 break;
3020
3021 case SOCKET_START_CHOWN:
3022 if (f == SOCKET_SUCCESS)
3023 socket_enter_start_post(s);
3024 else
3025 socket_enter_stop_pre(s, f);
3026 break;
3027
3028 case SOCKET_START_POST:
3029 if (f == SOCKET_SUCCESS)
3030 socket_enter_listening(s);
3031 else
3032 socket_enter_stop_pre(s, f);
3033 break;
3034
3035 case SOCKET_STOP_PRE:
3036 case SOCKET_STOP_PRE_SIGTERM:
3037 case SOCKET_STOP_PRE_SIGKILL:
3038 socket_enter_stop_post(s, f);
3039 break;
3040
3041 case SOCKET_STOP_POST:
3042 case SOCKET_FINAL_SIGTERM:
3043 case SOCKET_FINAL_SIGKILL:
3044 socket_enter_dead(s, f);
3045 break;
3046
3047 default:
3048 assert_not_reached("Uh, control process died at wrong time.");
3049 }
3050 }
3051
3052 /* Notify clients about changed exit status */
3053 unit_add_to_dbus_queue(u);
3054 }
3055
3056 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3057 Socket *s = SOCKET(userdata);
3058
3059 assert(s);
3060 assert(s->timer_event_source == source);
3061
3062 switch (s->state) {
3063
3064 case SOCKET_START_PRE:
3065 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3066 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3067 break;
3068
3069 case SOCKET_START_CHOWN:
3070 case SOCKET_START_POST:
3071 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3072 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3073 break;
3074
3075 case SOCKET_STOP_PRE:
3076 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3077 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3078 break;
3079
3080 case SOCKET_STOP_PRE_SIGTERM:
3081 if (s->kill_context.send_sigkill) {
3082 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3083 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3084 } else {
3085 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3086 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3087 }
3088 break;
3089
3090 case SOCKET_STOP_PRE_SIGKILL:
3091 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3092 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3093 break;
3094
3095 case SOCKET_STOP_POST:
3096 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3097 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3098 break;
3099
3100 case SOCKET_FINAL_SIGTERM:
3101 if (s->kill_context.send_sigkill) {
3102 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3103 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3104 } else {
3105 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3106 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3107 }
3108 break;
3109
3110 case SOCKET_FINAL_SIGKILL:
3111 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3112 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3113 break;
3114
3115 default:
3116 assert_not_reached("Timeout at wrong time.");
3117 }
3118
3119 return 0;
3120 }
3121
3122 int socket_collect_fds(Socket *s, int **fds) {
3123 int *rfds, k = 0, n = 0;
3124 SocketPort *p;
3125
3126 assert(s);
3127 assert(fds);
3128
3129 /* Called from the service code for requesting our fds */
3130
3131 LIST_FOREACH(port, p, s->ports) {
3132 if (p->fd >= 0)
3133 n++;
3134 n += p->n_auxiliary_fds;
3135 }
3136
3137 if (n <= 0) {
3138 *fds = NULL;
3139 return 0;
3140 }
3141
3142 rfds = new(int, n);
3143 if (!rfds)
3144 return -ENOMEM;
3145
3146 LIST_FOREACH(port, p, s->ports) {
3147 int i;
3148
3149 if (p->fd >= 0)
3150 rfds[k++] = p->fd;
3151 for (i = 0; i < p->n_auxiliary_fds; ++i)
3152 rfds[k++] = p->auxiliary_fds[i];
3153 }
3154
3155 assert(k == n);
3156
3157 *fds = rfds;
3158 return n;
3159 }
3160
3161 static void socket_reset_failed(Unit *u) {
3162 Socket *s = SOCKET(u);
3163
3164 assert(s);
3165
3166 if (s->state == SOCKET_FAILED)
3167 socket_set_state(s, SOCKET_DEAD);
3168
3169 s->result = SOCKET_SUCCESS;
3170 }
3171
3172 void socket_connection_unref(Socket *s) {
3173 assert(s);
3174
3175 /* The service is dead. Yay!
3176 *
3177 * This is strictly for one-instance-per-connection
3178 * services. */
3179
3180 assert(s->n_connections > 0);
3181 s->n_connections--;
3182
3183 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3184 }
3185
3186 static void socket_trigger_notify(Unit *u, Unit *other) {
3187 Socket *s = SOCKET(u);
3188
3189 assert(u);
3190 assert(other);
3191
3192 /* Filter out invocations with bogus state */
3193 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3194 return;
3195
3196 /* Don't propagate state changes from the service if we are already down */
3197 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3198 return;
3199
3200 /* We don't care for the service state if we are in Accept=yes mode */
3201 if (s->accept)
3202 return;
3203
3204 /* Propagate start limit hit state */
3205 if (other->start_limit_hit) {
3206 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3207 return;
3208 }
3209
3210 /* Don't propagate anything if there's still a job queued */
3211 if (other->job)
3212 return;
3213
3214 if (IN_SET(SERVICE(other)->state,
3215 SERVICE_DEAD, SERVICE_FAILED,
3216 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3217 SERVICE_AUTO_RESTART))
3218 socket_enter_listening(s);
3219
3220 if (SERVICE(other)->state == SERVICE_RUNNING)
3221 socket_set_state(s, SOCKET_RUNNING);
3222 }
3223
3224 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3225 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3226 }
3227
3228 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3229 Socket *s = SOCKET(u);
3230 usec_t t;
3231 int r;
3232
3233 if (!s->timer_event_source)
3234 return 0;
3235
3236 r = sd_event_source_get_time(s->timer_event_source, &t);
3237 if (r < 0)
3238 return r;
3239 if (t == USEC_INFINITY)
3240 return 0;
3241
3242 *timeout = t;
3243 return 1;
3244 }
3245
3246 char *socket_fdname(Socket *s) {
3247 assert(s);
3248
3249 /* Returns the name to use for $LISTEN_NAMES. If the user
3250 * didn't specify anything specifically, use the socket unit's
3251 * name as fallback. */
3252
3253 return s->fdname ?: UNIT(s)->id;
3254 }
3255
3256 static int socket_control_pid(Unit *u) {
3257 Socket *s = SOCKET(u);
3258
3259 assert(s);
3260
3261 return s->control_pid;
3262 }
3263
3264 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3265 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3266 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3267 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3268 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3269 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3270 };
3271
3272 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3273
3274 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3275 [SOCKET_SUCCESS] = "success",
3276 [SOCKET_FAILURE_RESOURCES] = "resources",
3277 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3278 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3279 [SOCKET_FAILURE_SIGNAL] = "signal",
3280 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3281 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3282 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3283 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3284 };
3285
3286 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3287
3288 const UnitVTable socket_vtable = {
3289 .object_size = sizeof(Socket),
3290 .exec_context_offset = offsetof(Socket, exec_context),
3291 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3292 .kill_context_offset = offsetof(Socket, kill_context),
3293 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3294 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3295
3296 .sections =
3297 "Unit\0"
3298 "Socket\0"
3299 "Install\0",
3300 .private_section = "Socket",
3301
3302 .can_transient = true,
3303
3304 .init = socket_init,
3305 .done = socket_done,
3306 .load = socket_load,
3307
3308 .coldplug = socket_coldplug,
3309
3310 .dump = socket_dump,
3311
3312 .start = socket_start,
3313 .stop = socket_stop,
3314
3315 .kill = socket_kill,
3316
3317 .get_timeout = socket_get_timeout,
3318
3319 .serialize = socket_serialize,
3320 .deserialize_item = socket_deserialize_item,
3321 .distribute_fds = socket_distribute_fds,
3322
3323 .active_state = socket_active_state,
3324 .sub_state_to_string = socket_sub_state_to_string,
3325
3326 .check_gc = socket_check_gc,
3327
3328 .sigchld_event = socket_sigchld_event,
3329
3330 .trigger_notify = socket_trigger_notify,
3331
3332 .reset_failed = socket_reset_failed,
3333
3334 .control_pid = socket_control_pid,
3335
3336 .bus_vtable = bus_socket_vtable,
3337 .bus_set_property = bus_socket_set_property,
3338 .bus_commit_properties = bus_socket_commit_properties,
3339
3340 .status_message_formats = {
3341 /*.starting_stopping = {
3342 [0] = "Starting socket %s...",
3343 [1] = "Stopping socket %s...",
3344 },*/
3345 .finished_start_job = {
3346 [JOB_DONE] = "Listening on %s.",
3347 [JOB_FAILED] = "Failed to listen on %s.",
3348 [JOB_TIMEOUT] = "Timed out starting %s.",
3349 },
3350 .finished_stop_job = {
3351 [JOB_DONE] = "Closed %s.",
3352 [JOB_FAILED] = "Failed stopping %s.",
3353 [JOB_TIMEOUT] = "Timed out stopping %s.",
3354 },
3355 },
3356 };
Unnamed repository; edit this file 'description' to name the repository.