]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #8377 from sourcejedi/logind_restart_is_sorely_lacking_in_testing3
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <mqueue.h>
25 #include <netinet/tcp.h>
26 #include <signal.h>
27 #include <sys/epoll.h>
28 #include <sys/stat.h>
29 #include <unistd.h>
30 #include <linux/sctp.h>
31
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
35 #include "bus-util.h"
36 #include "copy.h"
37 #include "dbus-socket.h"
38 #include "def.h"
39 #include "exit-status.h"
40 #include "fd-util.h"
41 #include "format-util.h"
42 #include "fs-util.h"
43 #include "in-addr-util.h"
44 #include "io-util.h"
45 #include "label.h"
46 #include "log.h"
47 #include "missing.h"
48 #include "mkdir.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
55 #include "socket.h"
56 #include "socket-protocol-list.h"
57 #include "special.h"
58 #include "string-table.h"
59 #include "string-util.h"
60 #include "strv.h"
61 #include "unit-name.h"
62 #include "unit.h"
63 #include "user-util.h"
64
65 struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
70 socklen_t peer_salen;
71 };
72
73 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
86 [SOCKET_FAILED] = UNIT_FAILED
87 };
88
89 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
92 static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
96 assert(u->load_state == UNIT_STUB);
97
98 s->backlog = SOMAXCONN;
99 s->timeout_usec = u->manager->default_timeout_start_usec;
100 s->directory_mode = 0755;
101 s->socket_mode = 0666;
102
103 s->max_connections = 64;
104
105 s->priority = -1;
106 s->ip_tos = -1;
107 s->ip_ttl = -1;
108 s->mark = -1;
109
110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
112
113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
114
115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
117 }
118
119 static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127 }
128
129 static void socket_cleanup_fd_list(SocketPort *p) {
130 assert(p);
131
132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135 }
136
137 void socket_free_ports(Socket *s) {
138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
143 LIST_REMOVE(port, s->ports, p);
144
145 sd_event_source_unref(p->event_source);
146
147 socket_cleanup_fd_list(p);
148 safe_close(p->fd);
149 free(p->path);
150 free(p);
151 }
152 }
153
154 static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
156 SocketPeer *p;
157
158 assert(s);
159
160 socket_free_ports(s);
161
162 while ((p = set_steal_first(s->peers_by_address)))
163 p->socket = NULL;
164
165 s->peers_by_address = set_free(s->peers_by_address);
166
167 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
169 s->control_command = NULL;
170
171 dynamic_creds_unref(&s->dynamic_creds);
172
173 socket_unwatch_control_pid(s);
174
175 unit_ref_unset(&s->service);
176
177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
179
180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
183
184 strv_free(s->symlinks);
185
186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
188
189 s->fdname = mfree(s->fdname);
190
191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192 }
193
194 static int socket_arm_timer(Socket *s, usec_t usec) {
195 int r;
196
197 assert(s);
198
199 if (s->timer_event_source) {
200 r = sd_event_source_set_time(s->timer_event_source, usec);
201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
207 if (usec == USEC_INFINITY)
208 return 0;
209
210 r = sd_event_add_time(
211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
214 usec, 0,
215 socket_dispatch_timer, s);
216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
222 }
223
224 int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
236 if (UNIT_DEREF(s->service))
237 return 0;
238
239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
245
246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
247 return -ENOMEM;
248
249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
250 if (r < 0)
251 return r;
252
253 unit_ref_set(&s->service, UNIT(s), u);
254
255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
256 }
257
258 static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
271 if (!socket_address_can_accept(&p->address))
272 return true;
273 }
274
275 return false;
276 }
277
278 static int socket_add_mount_dependencies(Socket *s) {
279 SocketPort *p;
280 int r;
281
282 assert(s);
283
284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
286
287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
290 path = p->path;
291
292 if (!path)
293 continue;
294
295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
296 if (r < 0)
297 return r;
298 }
299
300 return 0;
301 }
302
303 static int socket_add_device_dependencies(Socket *s) {
304 char *t;
305
306 assert(s);
307
308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
309 return 0;
310
311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
313 }
314
315 static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
323 if (r < 0)
324 return r;
325
326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
328 if (r < 0)
329 return r;
330 }
331
332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
333 }
334
335 _pure_ static bool socket_has_exec(Socket *s) {
336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344 }
345
346 static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
348 int r;
349
350 assert(s);
351
352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
371 if (have_non_accept_socket(s)) {
372
373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
375
376 r = unit_load_related_unit(u, ".service", &x);
377 if (r < 0)
378 return r;
379
380 unit_ref_set(&s->service, u, x);
381 }
382
383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
384 if (r < 0)
385 return r;
386 }
387
388 r = socket_add_mount_dependencies(s);
389 if (r < 0)
390 return r;
391
392 r = socket_add_device_dependencies(s);
393 if (r < 0)
394 return r;
395
396 r = unit_patch_contexts(u);
397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
404 }
405
406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
413
414 return 0;
415 }
416
417 static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
431 f = socket_address_get_path(&p->address);
432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447 }
448
449 static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
467 return -EINVAL;
468 }
469
470 if (s->accept && UNIT_DEREF(s->service)) {
471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
477 return -EINVAL;
478 }
479
480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
482 return -EINVAL;
483 }
484
485 return 0;
486 }
487
488 static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
495 else if (s->peer.sa.sa_family == AF_INET6)
496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
499 else
500 assert_not_reached("Unknown address family.");
501 }
502
503 static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
522 }
523 assert_not_reached("Black sheep in the family!");
524 }
525
526 const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529 };
530
531 static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
539 if (r < 0)
540 return r;
541
542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
549 if (r < 0)
550 return r;
551 }
552
553 return socket_verify(s);
554 }
555
556 static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566 }
567
568 SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576 }
577
578 SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593 }
594
595 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
624 remote->peer_salen = salen;
625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
632 *p = remote;
633 remote = NULL;
634
635 return 1;
636 }
637
638 _const_ static const char* listen_lookup(int family, int type) {
639
640 if (family == AF_NETLINK)
641 return "ListenNetlink";
642
643 if (type == SOCK_STREAM)
644 return "ListenStream";
645 else if (type == SOCK_DGRAM)
646 return "ListenDatagram";
647 else if (type == SOCK_SEQPACKET)
648 return "ListenSequentialPacket";
649
650 assert_not_reached("Unknown socket type");
651 return NULL;
652 }
653
654 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
655 char time_string[FORMAT_TIMESPAN_MAX];
656 SocketExecCommand c;
657 Socket *s = SOCKET(u);
658 SocketPort *p;
659 const char *prefix2, *str;
660
661 assert(s);
662 assert(f);
663
664 prefix = strempty(prefix);
665 prefix2 = strjoina(prefix, "\t");
666
667 fprintf(f,
668 "%sSocket State: %s\n"
669 "%sResult: %s\n"
670 "%sBindIPv6Only: %s\n"
671 "%sBacklog: %u\n"
672 "%sSocketMode: %04o\n"
673 "%sDirectoryMode: %04o\n"
674 "%sKeepAlive: %s\n"
675 "%sNoDelay: %s\n"
676 "%sFreeBind: %s\n"
677 "%sTransparent: %s\n"
678 "%sBroadcast: %s\n"
679 "%sPassCredentials: %s\n"
680 "%sPassSecurity: %s\n"
681 "%sTCPCongestion: %s\n"
682 "%sRemoveOnStop: %s\n"
683 "%sWritable: %s\n"
684 "%sFileDescriptorName: %s\n"
685 "%sSELinuxContextFromNet: %s\n",
686 prefix, socket_state_to_string(s->state),
687 prefix, socket_result_to_string(s->result),
688 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
689 prefix, s->backlog,
690 prefix, s->socket_mode,
691 prefix, s->directory_mode,
692 prefix, yes_no(s->keep_alive),
693 prefix, yes_no(s->no_delay),
694 prefix, yes_no(s->free_bind),
695 prefix, yes_no(s->transparent),
696 prefix, yes_no(s->broadcast),
697 prefix, yes_no(s->pass_cred),
698 prefix, yes_no(s->pass_sec),
699 prefix, strna(s->tcp_congestion),
700 prefix, yes_no(s->remove_on_stop),
701 prefix, yes_no(s->writable),
702 prefix, socket_fdname(s),
703 prefix, yes_no(s->selinux_context_from_net));
704
705 if (s->control_pid > 0)
706 fprintf(f,
707 "%sControl PID: "PID_FMT"\n",
708 prefix, s->control_pid);
709
710 if (s->bind_to_device)
711 fprintf(f,
712 "%sBindToDevice: %s\n",
713 prefix, s->bind_to_device);
714
715 if (s->accept)
716 fprintf(f,
717 "%sAccepted: %u\n"
718 "%sNConnections: %u\n"
719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
721 prefix, s->n_accepted,
722 prefix, s->n_connections,
723 prefix, s->max_connections,
724 prefix, s->max_connections_per_source);
725
726 if (s->priority >= 0)
727 fprintf(f,
728 "%sPriority: %i\n",
729 prefix, s->priority);
730
731 if (s->receive_buffer > 0)
732 fprintf(f,
733 "%sReceiveBuffer: %zu\n",
734 prefix, s->receive_buffer);
735
736 if (s->send_buffer > 0)
737 fprintf(f,
738 "%sSendBuffer: %zu\n",
739 prefix, s->send_buffer);
740
741 if (s->ip_tos >= 0)
742 fprintf(f,
743 "%sIPTOS: %i\n",
744 prefix, s->ip_tos);
745
746 if (s->ip_ttl >= 0)
747 fprintf(f,
748 "%sIPTTL: %i\n",
749 prefix, s->ip_ttl);
750
751 if (s->pipe_size > 0)
752 fprintf(f,
753 "%sPipeSize: %zu\n",
754 prefix, s->pipe_size);
755
756 if (s->mark >= 0)
757 fprintf(f,
758 "%sMark: %i\n",
759 prefix, s->mark);
760
761 if (s->mq_maxmsg > 0)
762 fprintf(f,
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix, s->mq_maxmsg);
765
766 if (s->mq_msgsize > 0)
767 fprintf(f,
768 "%sMessageQueueMessageSize: %li\n",
769 prefix, s->mq_msgsize);
770
771 if (s->reuse_port)
772 fprintf(f,
773 "%sReusePort: %s\n",
774 prefix, yes_no(s->reuse_port));
775
776 if (s->smack)
777 fprintf(f,
778 "%sSmackLabel: %s\n",
779 prefix, s->smack);
780
781 if (s->smack_ip_in)
782 fprintf(f,
783 "%sSmackLabelIPIn: %s\n",
784 prefix, s->smack_ip_in);
785
786 if (s->smack_ip_out)
787 fprintf(f,
788 "%sSmackLabelIPOut: %s\n",
789 prefix, s->smack_ip_out);
790
791 if (!isempty(s->user) || !isempty(s->group))
792 fprintf(f,
793 "%sSocketUser: %s\n"
794 "%sSocketGroup: %s\n",
795 prefix, strna(s->user),
796 prefix, strna(s->group));
797
798 if (s->keep_alive_time > 0)
799 fprintf(f,
800 "%sKeepAliveTimeSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
802
803 if (s->keep_alive_interval)
804 fprintf(f,
805 "%sKeepAliveIntervalSec: %s\n",
806 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
807
808 if (s->keep_alive_cnt)
809 fprintf(f,
810 "%sKeepAliveProbes: %u\n",
811 prefix, s->keep_alive_cnt);
812
813 if (s->defer_accept)
814 fprintf(f,
815 "%sDeferAcceptSec: %s\n",
816 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
817
818 LIST_FOREACH(port, p, s->ports) {
819
820 if (p->type == SOCKET_SOCKET) {
821 const char *t;
822 int r;
823 char *k = NULL;
824
825 r = socket_address_print(&p->address, &k);
826 if (r < 0)
827 t = strerror(-r);
828 else
829 t = k;
830
831 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
832 free(k);
833 } else if (p->type == SOCKET_SPECIAL)
834 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
835 else if (p->type == SOCKET_USB_FUNCTION)
836 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
837 else if (p->type == SOCKET_MQUEUE)
838 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
839 else
840 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
841 }
842
843 fprintf(f,
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
847 prefix, s->trigger_limit.burst);
848
849 str = socket_protocol_to_name(s->socket_protocol);
850 if (str)
851 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
852
853 if (!strv_isempty(s->symlinks)) {
854 char **q;
855
856 fprintf(f, "%sSymlinks:", prefix);
857 STRV_FOREACH(q, s->symlinks)
858 fprintf(f, " %s", *q);
859
860 fprintf(f, "\n");
861 }
862
863 fprintf(f,
864 "%sTimeoutSec: %s\n",
865 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
866
867 exec_context_dump(&s->exec_context, f, prefix);
868 kill_context_dump(&s->kill_context, f, prefix);
869
870 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
871 if (!s->exec_command[c])
872 continue;
873
874 fprintf(f, "%s-> %s:\n",
875 prefix, socket_exec_command_to_string(c));
876
877 exec_command_dump_list(s->exec_command[c], f, prefix2);
878 }
879
880 cgroup_context_dump(&s->cgroup_context, f, prefix);
881 }
882
883 static int instance_from_socket(int fd, unsigned nr, char **instance) {
884 socklen_t l;
885 char *r;
886 union sockaddr_union local, remote;
887
888 assert(fd >= 0);
889 assert(instance);
890
891 l = sizeof(local);
892 if (getsockname(fd, &local.sa, &l) < 0)
893 return -errno;
894
895 l = sizeof(remote);
896 if (getpeername(fd, &remote.sa, &l) < 0)
897 return -errno;
898
899 switch (local.sa.sa_family) {
900
901 case AF_INET: {
902 uint32_t
903 a = be32toh(local.in.sin_addr.s_addr),
904 b = be32toh(remote.in.sin_addr.s_addr);
905
906 if (asprintf(&r,
907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
909 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
910 be16toh(local.in.sin_port),
911 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
912 be16toh(remote.in.sin_port)) < 0)
913 return -ENOMEM;
914
915 break;
916 }
917
918 case AF_INET6: {
919 static const unsigned char ipv4_prefix[] = {
920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
921 };
922
923 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
924 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
925 const uint8_t
926 *a = local.in6.sin6_addr.s6_addr+12,
927 *b = remote.in6.sin6_addr.s6_addr+12;
928
929 if (asprintf(&r,
930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
931 nr,
932 a[0], a[1], a[2], a[3],
933 be16toh(local.in6.sin6_port),
934 b[0], b[1], b[2], b[3],
935 be16toh(remote.in6.sin6_port)) < 0)
936 return -ENOMEM;
937 } else {
938 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
939
940 if (asprintf(&r,
941 "%u-%s:%u-%s:%u",
942 nr,
943 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
944 be16toh(local.in6.sin6_port),
945 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
946 be16toh(remote.in6.sin6_port)) < 0)
947 return -ENOMEM;
948 }
949
950 break;
951 }
952
953 case AF_UNIX: {
954 struct ucred ucred;
955 int k;
956
957 k = getpeercred(fd, &ucred);
958 if (k >= 0) {
959 if (asprintf(&r,
960 "%u-"PID_FMT"-"UID_FMT,
961 nr, ucred.pid, ucred.uid) < 0)
962 return -ENOMEM;
963 } else if (k == -ENODATA) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
967 if (asprintf(&r,
968 "%u-unknown",
969 nr) < 0)
970 return -ENOMEM;
971 } else
972 return k;
973
974 break;
975 }
976
977 case AF_VSOCK:
978 if (asprintf(&r,
979 "%u-%u:%u-%u:%u",
980 nr,
981 local.vm.svm_cid, local.vm.svm_port,
982 remote.vm.svm_cid, remote.vm.svm_port) < 0)
983 return -ENOMEM;
984
985 break;
986
987 default:
988 assert_not_reached("Unhandled socket type.");
989 }
990
991 *instance = r;
992 return 0;
993 }
994
995 static void socket_close_fds(Socket *s) {
996 SocketPort *p;
997 char **i;
998
999 assert(s);
1000
1001 LIST_FOREACH(port, p, s->ports) {
1002 bool was_open;
1003
1004 was_open = p->fd >= 0;
1005
1006 p->event_source = sd_event_source_unref(p->event_source);
1007 p->fd = safe_close(p->fd);
1008 socket_cleanup_fd_list(p);
1009
1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
1015
1016 if (!was_open || !s->remove_on_stop)
1017 continue;
1018
1019 switch (p->type) {
1020
1021 case SOCKET_FIFO:
1022 (void) unlink(p->path);
1023 break;
1024
1025 case SOCKET_MQUEUE:
1026 (void) mq_unlink(p->path);
1027 break;
1028
1029 case SOCKET_SOCKET:
1030 (void) socket_address_unlink(&p->address);
1031 break;
1032
1033 default:
1034 break;
1035 }
1036 }
1037
1038 if (s->remove_on_stop)
1039 STRV_FOREACH(i, s->symlinks)
1040 (void) unlink(*i);
1041 }
1042
1043 static void socket_apply_socket_options(Socket *s, int fd) {
1044 int r;
1045
1046 assert(s);
1047 assert(fd >= 0);
1048
1049 if (s->keep_alive) {
1050 int b = s->keep_alive;
1051 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
1052 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1053 }
1054
1055 if (s->keep_alive_time) {
1056 int value = s->keep_alive_time / USEC_PER_SEC;
1057 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1058 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1059 }
1060
1061 if (s->keep_alive_interval) {
1062 int value = s->keep_alive_interval / USEC_PER_SEC;
1063 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1064 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1065 }
1066
1067 if (s->keep_alive_cnt) {
1068 int value = s->keep_alive_cnt;
1069 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1070 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1071 }
1072
1073 if (s->defer_accept) {
1074 int value = s->defer_accept / USEC_PER_SEC;
1075 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1076 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1077 }
1078
1079 if (s->no_delay) {
1080 int b = s->no_delay;
1081
1082 if (s->socket_protocol == IPPROTO_SCTP) {
1083 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1084 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1085 } else {
1086 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1088 }
1089 }
1090
1091 if (s->broadcast) {
1092 int one = 1;
1093 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
1094 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1095 }
1096
1097 if (s->pass_cred) {
1098 int one = 1;
1099 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
1100 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1101 }
1102
1103 if (s->pass_sec) {
1104 int one = 1;
1105 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
1106 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1107 }
1108
1109 if (s->priority >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1112
1113 if (s->receive_buffer > 0) {
1114 int value = (int) s->receive_buffer;
1115
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1119 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1120 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1121 }
1122
1123 if (s->send_buffer > 0) {
1124 int value = (int) s->send_buffer;
1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1127 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1128 }
1129
1130 if (s->mark >= 0)
1131 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1132 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1133
1134 if (s->ip_tos >= 0)
1135 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1136 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1137
1138 if (s->ip_ttl >= 0) {
1139 int x;
1140
1141 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1142
1143 if (socket_ipv6_is_supported())
1144 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1145 else {
1146 x = -1;
1147 errno = EAFNOSUPPORT;
1148 }
1149
1150 if (r < 0 && x < 0)
1151 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1152 }
1153
1154 if (s->tcp_congestion)
1155 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1156 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1157
1158 if (s->smack_ip_in) {
1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1160 if (r < 0)
1161 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1162 }
1163
1164 if (s->smack_ip_out) {
1165 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1166 if (r < 0)
1167 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1168 }
1169 }
1170
1171 static void socket_apply_fifo_options(Socket *s, int fd) {
1172 int r;
1173
1174 assert(s);
1175 assert(fd >= 0);
1176
1177 if (s->pipe_size > 0)
1178 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1179 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1180
1181 if (s->smack) {
1182 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1183 if (r < 0)
1184 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1185 }
1186 }
1187
1188 static int fifo_address_create(
1189 const char *path,
1190 mode_t directory_mode,
1191 mode_t socket_mode) {
1192
1193 _cleanup_close_ int fd = -1;
1194 mode_t old_mask;
1195 struct stat st;
1196 int r;
1197
1198 assert(path);
1199
1200 (void) mkdir_parents_label(path, directory_mode);
1201
1202 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1203 if (r < 0)
1204 return r;
1205
1206 /* Enforce the right access mode for the fifo */
1207 old_mask = umask(~ socket_mode);
1208
1209 /* Include the original umask in our mask */
1210 (void) umask(~socket_mode | old_mask);
1211
1212 r = mkfifo(path, socket_mode);
1213 (void) umask(old_mask);
1214
1215 if (r < 0 && errno != EEXIST) {
1216 r = -errno;
1217 goto fail;
1218 }
1219
1220 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1221 if (fd < 0) {
1222 r = -errno;
1223 goto fail;
1224 }
1225
1226 mac_selinux_create_file_clear();
1227
1228 if (fstat(fd, &st) < 0) {
1229 r = -errno;
1230 goto fail;
1231 }
1232
1233 if (!S_ISFIFO(st.st_mode) ||
1234 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1235 st.st_uid != getuid() ||
1236 st.st_gid != getgid()) {
1237 r = -EEXIST;
1238 goto fail;
1239 }
1240
1241 r = fd;
1242 fd = -1;
1243
1244 return r;
1245
1246 fail:
1247 mac_selinux_create_file_clear();
1248 return r;
1249 }
1250
1251 static int special_address_create(const char *path, bool writable) {
1252 _cleanup_close_ int fd = -1;
1253 struct stat st;
1254 int r;
1255
1256 assert(path);
1257
1258 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1259 if (fd < 0)
1260 return -errno;
1261
1262 if (fstat(fd, &st) < 0)
1263 return -errno;
1264
1265 /* Check whether this is a /proc, /sys or /dev file or char device */
1266 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1267 return -EEXIST;
1268
1269 r = fd;
1270 fd = -1;
1271
1272 return r;
1273 }
1274
1275 static int usbffs_address_create(const char *path) {
1276 _cleanup_close_ int fd = -1;
1277 struct stat st;
1278 int r;
1279
1280 assert(path);
1281
1282 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1283 if (fd < 0)
1284 return -errno;
1285
1286 if (fstat(fd, &st) < 0)
1287 return -errno;
1288
1289 /* Check whether this is a regular file (ffs endpoint) */
1290 if (!S_ISREG(st.st_mode))
1291 return -EEXIST;
1292
1293 r = fd;
1294 fd = -1;
1295
1296 return r;
1297 }
1298
1299 static int mq_address_create(
1300 const char *path,
1301 mode_t mq_mode,
1302 long maxmsg,
1303 long msgsize) {
1304
1305 _cleanup_close_ int fd = -1;
1306 struct stat st;
1307 mode_t old_mask;
1308 struct mq_attr _attr, *attr = NULL;
1309 int r;
1310
1311 assert(path);
1312
1313 if (maxmsg > 0 && msgsize > 0) {
1314 _attr = (struct mq_attr) {
1315 .mq_flags = O_NONBLOCK,
1316 .mq_maxmsg = maxmsg,
1317 .mq_msgsize = msgsize,
1318 };
1319 attr = &_attr;
1320 }
1321
1322 /* Enforce the right access mode for the mq */
1323 old_mask = umask(~ mq_mode);
1324
1325 /* Include the original umask in our mask */
1326 (void) umask(~mq_mode | old_mask);
1327 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1328 (void) umask(old_mask);
1329
1330 if (fd < 0)
1331 return -errno;
1332
1333 if (fstat(fd, &st) < 0)
1334 return -errno;
1335
1336 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1337 st.st_uid != getuid() ||
1338 st.st_gid != getgid())
1339 return -EEXIST;
1340
1341 r = fd;
1342 fd = -1;
1343
1344 return r;
1345 }
1346
1347 static int socket_symlink(Socket *s) {
1348 const char *p;
1349 char **i;
1350 int r;
1351
1352 assert(s);
1353
1354 p = socket_find_symlink_target(s);
1355 if (!p)
1356 return 0;
1357
1358 STRV_FOREACH(i, s->symlinks) {
1359 (void) mkdir_parents_label(*i, s->directory_mode);
1360
1361 r = symlink_idempotent(p, *i);
1362
1363 if (r == -EEXIST && s->remove_on_stop) {
1364 /* If there's already something where we want to create the symlink, and the destructive
1365 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1366 * again. */
1367
1368 if (unlink(*i) >= 0)
1369 r = symlink_idempotent(p, *i);
1370 }
1371
1372 if (r < 0)
1373 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1374 }
1375
1376 return 0;
1377 }
1378
1379 static int usbffs_write_descs(int fd, Service *s) {
1380 int r;
1381
1382 if (!s->usb_function_descriptors || !s->usb_function_strings)
1383 return -EINVAL;
1384
1385 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1386 if (r < 0)
1387 return r;
1388
1389 return copy_file_fd(s->usb_function_strings, fd, 0);
1390 }
1391
1392 static int usbffs_select_ep(const struct dirent *d) {
1393 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1394 }
1395
1396 static int usbffs_dispatch_eps(SocketPort *p) {
1397 _cleanup_free_ struct dirent **ent = NULL;
1398 int r, i, n, k;
1399
1400 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1401 if (r < 0)
1402 return -errno;
1403
1404 n = r;
1405 p->auxiliary_fds = new(int, n);
1406 if (!p->auxiliary_fds)
1407 return -ENOMEM;
1408
1409 p->n_auxiliary_fds = n;
1410
1411 k = 0;
1412 for (i = 0; i < n; ++i) {
1413 _cleanup_free_ char *ep = NULL;
1414
1415 ep = path_make_absolute(ent[i]->d_name, p->path);
1416 if (!ep)
1417 return -ENOMEM;
1418
1419 path_kill_slashes(ep);
1420
1421 r = usbffs_address_create(ep);
1422 if (r < 0)
1423 goto fail;
1424
1425 p->auxiliary_fds[k] = r;
1426
1427 ++k;
1428 free(ent[i]);
1429 }
1430
1431 return r;
1432
1433 fail:
1434 close_many(p->auxiliary_fds, k);
1435 p->auxiliary_fds = mfree(p->auxiliary_fds);
1436 p->n_auxiliary_fds = 0;
1437
1438 return r;
1439 }
1440
1441 static int socket_determine_selinux_label(Socket *s, char **ret) {
1442 Service *service;
1443 ExecCommand *c;
1444 const char *path;
1445 int r;
1446
1447 assert(s);
1448 assert(ret);
1449
1450 if (s->selinux_context_from_net) {
1451 /* If this is requested, get label from the network label */
1452
1453 r = mac_selinux_get_our_label(ret);
1454 if (r == -EOPNOTSUPP)
1455 goto no_label;
1456
1457 } else {
1458 /* Otherwise, get it from the executable we are about to start */
1459 r = socket_instantiate_service(s);
1460 if (r < 0)
1461 return r;
1462
1463 if (!UNIT_ISSET(s->service))
1464 goto no_label;
1465
1466 service = SERVICE(UNIT_DEREF(s->service));
1467 c = service->exec_command[SERVICE_EXEC_START];
1468 if (!c)
1469 goto no_label;
1470
1471 path = prefix_roota(service->exec_context.root_directory, c->path);
1472 r = mac_selinux_get_create_label_from_exe(path, ret);
1473 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1474 goto no_label;
1475 }
1476
1477 return r;
1478
1479 no_label:
1480 *ret = NULL;
1481 return 0;
1482 }
1483
1484 static int socket_address_listen_do(
1485 Socket *s,
1486 const SocketAddress *address,
1487 const char *label) {
1488
1489 assert(s);
1490 assert(address);
1491
1492 return socket_address_listen(
1493 address,
1494 SOCK_CLOEXEC|SOCK_NONBLOCK,
1495 s->backlog,
1496 s->bind_ipv6_only,
1497 s->bind_to_device,
1498 s->reuse_port,
1499 s->free_bind,
1500 s->transparent,
1501 s->directory_mode,
1502 s->socket_mode,
1503 label);
1504 }
1505
1506 static int socket_address_listen_in_cgroup(
1507 Socket *s,
1508 const SocketAddress *address,
1509 const char *label) {
1510
1511 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1512 int fd, r;
1513 pid_t pid;
1514
1515 assert(s);
1516 assert(address);
1517
1518 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1519 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1520 * unit's cgroup for the purpose of BPF filtering and such. */
1521
1522 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1523 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1524
1525 r = bpf_firewall_supported();
1526 if (r < 0)
1527 return r;
1528 if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1529 goto shortcut;
1530
1531 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1532 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1533
1534 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1535 if (r < 0)
1536 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1537 if (r == 0) {
1538 /* Child */
1539
1540 pair[0] = safe_close(pair[0]);
1541
1542 fd = socket_address_listen_do(s, address, label);
1543 if (fd < 0) {
1544 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1545 _exit(EXIT_FAILURE);
1546 }
1547
1548 r = send_one_fd(pair[1], fd, 0);
1549 if (r < 0) {
1550 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1551 _exit(EXIT_FAILURE);
1552 }
1553
1554 _exit(EXIT_SUCCESS);
1555 }
1556
1557 pair[1] = safe_close(pair[1]);
1558 fd = receive_one_fd(pair[0], 0);
1559
1560 /* We synchronously wait for the helper, as it shouldn't be slow */
1561 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1562 if (r < 0) {
1563 safe_close(fd);
1564 return r;
1565 }
1566
1567 if (fd < 0)
1568 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1569
1570 return fd;
1571
1572 shortcut:
1573 fd = socket_address_listen_do(s, address, label);
1574 if (fd < 0)
1575 return log_error_errno(fd, "Failed to create listening socket: %m");
1576
1577 return fd;
1578 }
1579
1580 static int socket_open_fds(Socket *s) {
1581 _cleanup_(mac_selinux_freep) char *label = NULL;
1582 bool know_label = false;
1583 SocketPort *p;
1584 int r;
1585
1586 assert(s);
1587
1588 LIST_FOREACH(port, p, s->ports) {
1589
1590 if (p->fd >= 0)
1591 continue;
1592
1593 switch (p->type) {
1594
1595 case SOCKET_SOCKET:
1596
1597 if (!know_label) {
1598 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1599 * we need this and remember it for the rest. */
1600
1601 r = socket_determine_selinux_label(s, &label);
1602 if (r < 0)
1603 goto rollback;
1604
1605 know_label = true;
1606 }
1607
1608 /* Apply the socket protocol */
1609 switch (p->address.type) {
1610
1611 case SOCK_STREAM:
1612 case SOCK_SEQPACKET:
1613 if (s->socket_protocol == IPPROTO_SCTP)
1614 p->address.protocol = s->socket_protocol;
1615 break;
1616
1617 case SOCK_DGRAM:
1618 if (s->socket_protocol == IPPROTO_UDPLITE)
1619 p->address.protocol = s->socket_protocol;
1620 break;
1621 }
1622
1623 r = socket_address_listen_in_cgroup(s, &p->address, label);
1624 if (r < 0)
1625 goto rollback;
1626
1627 p->fd = r;
1628 socket_apply_socket_options(s, p->fd);
1629 socket_symlink(s);
1630 break;
1631
1632 case SOCKET_SPECIAL:
1633
1634 p->fd = special_address_create(p->path, s->writable);
1635 if (p->fd < 0) {
1636 r = p->fd;
1637 goto rollback;
1638 }
1639 break;
1640
1641 case SOCKET_FIFO:
1642
1643 p->fd = fifo_address_create(
1644 p->path,
1645 s->directory_mode,
1646 s->socket_mode);
1647 if (p->fd < 0) {
1648 r = p->fd;
1649 goto rollback;
1650 }
1651
1652 socket_apply_fifo_options(s, p->fd);
1653 socket_symlink(s);
1654 break;
1655
1656 case SOCKET_MQUEUE:
1657
1658 p->fd = mq_address_create(
1659 p->path,
1660 s->socket_mode,
1661 s->mq_maxmsg,
1662 s->mq_msgsize);
1663 if (p->fd < 0) {
1664 r = p->fd;
1665 goto rollback;
1666 }
1667 break;
1668
1669 case SOCKET_USB_FUNCTION: {
1670 _cleanup_free_ char *ep = NULL;
1671
1672 ep = path_make_absolute("ep0", p->path);
1673
1674 p->fd = usbffs_address_create(ep);
1675 if (p->fd < 0) {
1676 r = p->fd;
1677 goto rollback;
1678 }
1679
1680 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1681 if (r < 0)
1682 goto rollback;
1683
1684 r = usbffs_dispatch_eps(p);
1685 if (r < 0)
1686 goto rollback;
1687
1688 break;
1689 }
1690 default:
1691 assert_not_reached("Unknown port type");
1692 }
1693 }
1694
1695 return 0;
1696
1697 rollback:
1698 socket_close_fds(s);
1699 return r;
1700 }
1701
1702 static void socket_unwatch_fds(Socket *s) {
1703 SocketPort *p;
1704 int r;
1705
1706 assert(s);
1707
1708 LIST_FOREACH(port, p, s->ports) {
1709 if (p->fd < 0)
1710 continue;
1711
1712 if (!p->event_source)
1713 continue;
1714
1715 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1716 if (r < 0)
1717 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1718 }
1719 }
1720
1721 static int socket_watch_fds(Socket *s) {
1722 SocketPort *p;
1723 int r;
1724
1725 assert(s);
1726
1727 LIST_FOREACH(port, p, s->ports) {
1728 if (p->fd < 0)
1729 continue;
1730
1731 if (p->event_source) {
1732 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1733 if (r < 0)
1734 goto fail;
1735 } else {
1736 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1737 if (r < 0)
1738 goto fail;
1739
1740 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1741 }
1742 }
1743
1744 return 0;
1745
1746 fail:
1747 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1748 socket_unwatch_fds(s);
1749 return r;
1750 }
1751
1752 enum {
1753 SOCKET_OPEN_NONE,
1754 SOCKET_OPEN_SOME,
1755 SOCKET_OPEN_ALL,
1756 };
1757
1758 static int socket_check_open(Socket *s) {
1759 bool have_open = false, have_closed = false;
1760 SocketPort *p;
1761
1762 assert(s);
1763
1764 LIST_FOREACH(port, p, s->ports) {
1765 if (p->fd < 0)
1766 have_closed = true;
1767 else
1768 have_open = true;
1769
1770 if (have_open && have_closed)
1771 return SOCKET_OPEN_SOME;
1772 }
1773
1774 if (have_open)
1775 return SOCKET_OPEN_ALL;
1776
1777 return SOCKET_OPEN_NONE;
1778 }
1779
1780 static void socket_set_state(Socket *s, SocketState state) {
1781 SocketState old_state;
1782 assert(s);
1783
1784 old_state = s->state;
1785 s->state = state;
1786
1787 if (!IN_SET(state,
1788 SOCKET_START_PRE,
1789 SOCKET_START_CHOWN,
1790 SOCKET_START_POST,
1791 SOCKET_STOP_PRE,
1792 SOCKET_STOP_PRE_SIGTERM,
1793 SOCKET_STOP_PRE_SIGKILL,
1794 SOCKET_STOP_POST,
1795 SOCKET_FINAL_SIGTERM,
1796 SOCKET_FINAL_SIGKILL)) {
1797
1798 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1799 socket_unwatch_control_pid(s);
1800 s->control_command = NULL;
1801 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1802 }
1803
1804 if (state != SOCKET_LISTENING)
1805 socket_unwatch_fds(s);
1806
1807 if (!IN_SET(state,
1808 SOCKET_START_CHOWN,
1809 SOCKET_START_POST,
1810 SOCKET_LISTENING,
1811 SOCKET_RUNNING,
1812 SOCKET_STOP_PRE,
1813 SOCKET_STOP_PRE_SIGTERM,
1814 SOCKET_STOP_PRE_SIGKILL))
1815 socket_close_fds(s);
1816
1817 if (state != old_state)
1818 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1819
1820 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
1821 }
1822
1823 static int socket_coldplug(Unit *u) {
1824 Socket *s = SOCKET(u);
1825 int r;
1826
1827 assert(s);
1828 assert(s->state == SOCKET_DEAD);
1829
1830 if (s->deserialized_state == s->state)
1831 return 0;
1832
1833 if (s->control_pid > 0 &&
1834 pid_is_unwaited(s->control_pid) &&
1835 IN_SET(s->deserialized_state,
1836 SOCKET_START_PRE,
1837 SOCKET_START_CHOWN,
1838 SOCKET_START_POST,
1839 SOCKET_STOP_PRE,
1840 SOCKET_STOP_PRE_SIGTERM,
1841 SOCKET_STOP_PRE_SIGKILL,
1842 SOCKET_STOP_POST,
1843 SOCKET_FINAL_SIGTERM,
1844 SOCKET_FINAL_SIGKILL)) {
1845
1846 r = unit_watch_pid(UNIT(s), s->control_pid);
1847 if (r < 0)
1848 return r;
1849
1850 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1851 if (r < 0)
1852 return r;
1853 }
1854
1855 if (IN_SET(s->deserialized_state,
1856 SOCKET_START_CHOWN,
1857 SOCKET_START_POST,
1858 SOCKET_LISTENING,
1859 SOCKET_RUNNING)) {
1860
1861 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1862 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1863 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1864 * and if there's a mismatch, warn loudly. */
1865
1866 r = socket_check_open(s);
1867 if (r == SOCKET_OPEN_NONE)
1868 log_unit_warning(UNIT(s),
1869 "Socket unit configuration has changed while unit has been running, "
1870 "no open socket file descriptor left. "
1871 "The socket unit is not functional until restarted.");
1872 else if (r == SOCKET_OPEN_SOME)
1873 log_unit_warning(UNIT(s),
1874 "Socket unit configuration has changed while unit has been running, "
1875 "and some socket file descriptors have not been opened yet. "
1876 "The socket unit is not fully functional until restarted.");
1877 }
1878
1879 if (s->deserialized_state == SOCKET_LISTENING) {
1880 r = socket_watch_fds(s);
1881 if (r < 0)
1882 return r;
1883 }
1884
1885 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
1886 (void) unit_setup_dynamic_creds(u);
1887 (void) unit_setup_exec_runtime(u);
1888 }
1889
1890 socket_set_state(s, s->deserialized_state);
1891 return 0;
1892 }
1893
1894 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1895
1896 ExecParameters exec_params = {
1897 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1898 .stdin_fd = -1,
1899 .stdout_fd = -1,
1900 .stderr_fd = -1,
1901 };
1902 pid_t pid;
1903 int r;
1904
1905 assert(s);
1906 assert(c);
1907 assert(_pid);
1908
1909 r = unit_prepare_exec(UNIT(s));
1910 if (r < 0)
1911 return r;
1912
1913 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1914 if (r < 0)
1915 return r;
1916
1917 unit_set_exec_params(UNIT(s), &exec_params);
1918
1919 exec_params.argv = c->argv;
1920
1921 r = exec_spawn(UNIT(s),
1922 c,
1923 &s->exec_context,
1924 &exec_params,
1925 s->exec_runtime,
1926 &s->dynamic_creds,
1927 &pid);
1928 if (r < 0)
1929 return r;
1930
1931 r = unit_watch_pid(UNIT(s), pid);
1932 if (r < 0)
1933 /* FIXME: we need to do something here */
1934 return r;
1935
1936 *_pid = pid;
1937
1938 return 0;
1939 }
1940
1941 static int socket_chown(Socket *s, pid_t *_pid) {
1942 pid_t pid;
1943 int r;
1944
1945 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1946 if (r < 0)
1947 goto fail;
1948
1949 /* We have to resolve the user names out-of-process, hence
1950 * let's fork here. It's messy, but well, what can we do? */
1951
1952 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1953 if (r < 0)
1954 return r;
1955 if (r == 0) {
1956 uid_t uid = UID_INVALID;
1957 gid_t gid = GID_INVALID;
1958 SocketPort *p;
1959
1960 /* Child */
1961
1962 if (!isempty(s->user)) {
1963 const char *user = s->user;
1964
1965 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1966 if (r < 0) {
1967 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1968 _exit(EXIT_USER);
1969 }
1970 }
1971
1972 if (!isempty(s->group)) {
1973 const char *group = s->group;
1974
1975 r = get_group_creds(&group, &gid);
1976 if (r < 0) {
1977 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1978 _exit(EXIT_GROUP);
1979 }
1980 }
1981
1982 LIST_FOREACH(port, p, s->ports) {
1983 const char *path = NULL;
1984
1985 if (p->type == SOCKET_SOCKET)
1986 path = socket_address_get_path(&p->address);
1987 else if (p->type == SOCKET_FIFO)
1988 path = p->path;
1989
1990 if (!path)
1991 continue;
1992
1993 if (chown(path, uid, gid) < 0) {
1994 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1995 _exit(EXIT_CHOWN);
1996 }
1997 }
1998
1999 _exit(EXIT_SUCCESS);
2000 }
2001
2002 r = unit_watch_pid(UNIT(s), pid);
2003 if (r < 0)
2004 goto fail;
2005
2006 *_pid = pid;
2007 return 0;
2008
2009 fail:
2010 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
2011 return r;
2012 }
2013
2014 static void socket_enter_dead(Socket *s, SocketResult f) {
2015 assert(s);
2016
2017 if (s->result == SOCKET_SUCCESS)
2018 s->result = f;
2019
2020 if (s->result != SOCKET_SUCCESS)
2021 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2022
2023 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2024
2025 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
2026
2027 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2028
2029 unit_unref_uid_gid(UNIT(s), true);
2030
2031 dynamic_creds_destroy(&s->dynamic_creds);
2032 }
2033
2034 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2035
2036 static void socket_enter_stop_post(Socket *s, SocketResult f) {
2037 int r;
2038 assert(s);
2039
2040 if (s->result == SOCKET_SUCCESS)
2041 s->result = f;
2042
2043 socket_unwatch_control_pid(s);
2044 s->control_command_id = SOCKET_EXEC_STOP_POST;
2045 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2046
2047 if (s->control_command) {
2048 r = socket_spawn(s, s->control_command, &s->control_pid);
2049 if (r < 0)
2050 goto fail;
2051
2052 socket_set_state(s, SOCKET_STOP_POST);
2053 } else
2054 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2055
2056 return;
2057
2058 fail:
2059 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2060 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2061 }
2062
2063 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2064 int r;
2065
2066 assert(s);
2067
2068 if (s->result == SOCKET_SUCCESS)
2069 s->result = f;
2070
2071 r = unit_kill_context(
2072 UNIT(s),
2073 &s->kill_context,
2074 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2075 KILL_KILL : KILL_TERMINATE,
2076 -1,
2077 s->control_pid,
2078 false);
2079 if (r < 0)
2080 goto fail;
2081
2082 if (r > 0) {
2083 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2084 if (r < 0)
2085 goto fail;
2086
2087 socket_set_state(s, state);
2088 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2089 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2090 else if (state == SOCKET_STOP_PRE_SIGKILL)
2091 socket_enter_stop_post(s, SOCKET_SUCCESS);
2092 else if (state == SOCKET_FINAL_SIGTERM)
2093 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2094 else
2095 socket_enter_dead(s, SOCKET_SUCCESS);
2096
2097 return;
2098
2099 fail:
2100 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2101
2102 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2103 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2104 else
2105 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2106 }
2107
2108 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2109 int r;
2110 assert(s);
2111
2112 if (s->result == SOCKET_SUCCESS)
2113 s->result = f;
2114
2115 socket_unwatch_control_pid(s);
2116 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2117 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2118
2119 if (s->control_command) {
2120 r = socket_spawn(s, s->control_command, &s->control_pid);
2121 if (r < 0)
2122 goto fail;
2123
2124 socket_set_state(s, SOCKET_STOP_PRE);
2125 } else
2126 socket_enter_stop_post(s, SOCKET_SUCCESS);
2127
2128 return;
2129
2130 fail:
2131 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2132 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2133 }
2134
2135 static void socket_enter_listening(Socket *s) {
2136 int r;
2137 assert(s);
2138
2139 r = socket_watch_fds(s);
2140 if (r < 0) {
2141 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2142 goto fail;
2143 }
2144
2145 socket_set_state(s, SOCKET_LISTENING);
2146 return;
2147
2148 fail:
2149 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2150 }
2151
2152 static void socket_enter_start_post(Socket *s) {
2153 int r;
2154 assert(s);
2155
2156 socket_unwatch_control_pid(s);
2157 s->control_command_id = SOCKET_EXEC_START_POST;
2158 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2159
2160 if (s->control_command) {
2161 r = socket_spawn(s, s->control_command, &s->control_pid);
2162 if (r < 0) {
2163 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2164 goto fail;
2165 }
2166
2167 socket_set_state(s, SOCKET_START_POST);
2168 } else
2169 socket_enter_listening(s);
2170
2171 return;
2172
2173 fail:
2174 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2175 }
2176
2177 static void socket_enter_start_chown(Socket *s) {
2178 int r;
2179
2180 assert(s);
2181
2182 r = socket_open_fds(s);
2183 if (r < 0) {
2184 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2185 goto fail;
2186 }
2187
2188 if (!isempty(s->user) || !isempty(s->group)) {
2189
2190 socket_unwatch_control_pid(s);
2191 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2192 s->control_command = NULL;
2193
2194 r = socket_chown(s, &s->control_pid);
2195 if (r < 0) {
2196 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2197 goto fail;
2198 }
2199
2200 socket_set_state(s, SOCKET_START_CHOWN);
2201 } else
2202 socket_enter_start_post(s);
2203
2204 return;
2205
2206 fail:
2207 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2208 }
2209
2210 static void socket_enter_start_pre(Socket *s) {
2211 int r;
2212 assert(s);
2213
2214 socket_unwatch_control_pid(s);
2215
2216 unit_warn_leftover_processes(UNIT(s));
2217
2218 s->control_command_id = SOCKET_EXEC_START_PRE;
2219 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2220
2221 if (s->control_command) {
2222 r = socket_spawn(s, s->control_command, &s->control_pid);
2223 if (r < 0) {
2224 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2225 goto fail;
2226 }
2227
2228 socket_set_state(s, SOCKET_START_PRE);
2229 } else
2230 socket_enter_start_chown(s);
2231
2232 return;
2233
2234 fail:
2235 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2236 }
2237
2238 static void flush_ports(Socket *s) {
2239 SocketPort *p;
2240
2241 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2242 * anymore */
2243
2244 LIST_FOREACH(port, p, s->ports) {
2245 if (p->fd < 0)
2246 continue;
2247
2248 (void) flush_accept(p->fd);
2249 (void) flush_fd(p->fd);
2250 }
2251 }
2252
2253 static void socket_enter_running(Socket *s, int cfd) {
2254 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2255 int r;
2256
2257 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2258 * close it. */
2259
2260 assert(s);
2261
2262 /* We don't take connections anymore if we are supposed to shut down anyway */
2263 if (unit_stop_pending(UNIT(s))) {
2264
2265 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2266
2267 if (cfd >= 0)
2268 cfd = safe_close(cfd);
2269 else
2270 flush_ports(s);
2271
2272 return;
2273 }
2274
2275 if (!ratelimit_test(&s->trigger_limit)) {
2276 safe_close(cfd);
2277 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2278 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2279 return;
2280 }
2281
2282 if (cfd < 0) {
2283 bool pending = false;
2284 Unit *other;
2285 Iterator i;
2286 void *v;
2287
2288 /* If there's already a start pending don't bother to
2289 * do anything */
2290 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2291 if (unit_active_or_pending(other)) {
2292 pending = true;
2293 break;
2294 }
2295
2296 if (!pending) {
2297 if (!UNIT_ISSET(s->service)) {
2298 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2299 r = -ENOENT;
2300 goto fail;
2301 }
2302
2303 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2304 if (r < 0)
2305 goto fail;
2306 }
2307
2308 socket_set_state(s, SOCKET_RUNNING);
2309 } else {
2310 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2311 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2312 Service *service;
2313
2314 if (s->n_connections >= s->max_connections) {
2315 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2316 s->n_connections);
2317 safe_close(cfd);
2318 return;
2319 }
2320
2321 if (s->max_connections_per_source > 0) {
2322 r = socket_acquire_peer(s, cfd, &p);
2323 if (r < 0) {
2324 safe_close(cfd);
2325 return;
2326 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2327 _cleanup_free_ char *t = NULL;
2328
2329 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2330
2331 log_unit_warning(UNIT(s),
2332 "Too many incoming connections (%u) from source %s, dropping connection.",
2333 p->n_ref, strnull(t));
2334 safe_close(cfd);
2335 return;
2336 }
2337 }
2338
2339 r = socket_instantiate_service(s);
2340 if (r < 0)
2341 goto fail;
2342
2343 r = instance_from_socket(cfd, s->n_accepted, &instance);
2344 if (r < 0) {
2345 if (r != -ENOTCONN)
2346 goto fail;
2347
2348 /* ENOTCONN is legitimate if TCP RST was received.
2349 * This connection is over, but the socket unit lives on. */
2350 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2351 safe_close(cfd);
2352 return;
2353 }
2354
2355 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2356 if (r < 0)
2357 goto fail;
2358
2359 r = unit_name_build(prefix, instance, ".service", &name);
2360 if (r < 0)
2361 goto fail;
2362
2363 r = unit_add_name(UNIT_DEREF(s->service), name);
2364 if (r < 0)
2365 goto fail;
2366
2367 service = SERVICE(UNIT_DEREF(s->service));
2368 unit_ref_unset(&s->service);
2369
2370 s->n_accepted++;
2371 unit_choose_id(UNIT(service), name);
2372
2373 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2374 if (r < 0)
2375 goto fail;
2376
2377 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2378 s->n_connections++;
2379
2380 service->peer = p; /* Pass ownership of the peer reference */
2381 p = NULL;
2382
2383 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2384 if (r < 0) {
2385 /* We failed to activate the new service, but it still exists. Let's make sure the service
2386 * closes and forgets the connection fd again, immediately. */
2387 service_close_socket_fd(service);
2388 goto fail;
2389 }
2390
2391 /* Notify clients about changed counters */
2392 unit_add_to_dbus_queue(UNIT(s));
2393 }
2394
2395 return;
2396
2397 fail:
2398 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2399 cfd >= 0 ? "template" : "non-template",
2400 bus_error_message(&error, r));
2401
2402 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2403 safe_close(cfd);
2404 }
2405
2406 static void socket_run_next(Socket *s) {
2407 int r;
2408
2409 assert(s);
2410 assert(s->control_command);
2411 assert(s->control_command->command_next);
2412
2413 socket_unwatch_control_pid(s);
2414
2415 s->control_command = s->control_command->command_next;
2416
2417 r = socket_spawn(s, s->control_command, &s->control_pid);
2418 if (r < 0)
2419 goto fail;
2420
2421 return;
2422
2423 fail:
2424 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2425
2426 if (s->state == SOCKET_START_POST)
2427 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2428 else if (s->state == SOCKET_STOP_POST)
2429 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2430 else
2431 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2432 }
2433
2434 static int socket_start(Unit *u) {
2435 Socket *s = SOCKET(u);
2436 int r;
2437
2438 assert(s);
2439
2440 /* We cannot fulfill this request right now, try again later
2441 * please! */
2442 if (IN_SET(s->state,
2443 SOCKET_STOP_PRE,
2444 SOCKET_STOP_PRE_SIGKILL,
2445 SOCKET_STOP_PRE_SIGTERM,
2446 SOCKET_STOP_POST,
2447 SOCKET_FINAL_SIGTERM,
2448 SOCKET_FINAL_SIGKILL))
2449 return -EAGAIN;
2450
2451 /* Already on it! */
2452 if (IN_SET(s->state,
2453 SOCKET_START_PRE,
2454 SOCKET_START_CHOWN,
2455 SOCKET_START_POST))
2456 return 0;
2457
2458 /* Cannot run this without the service being around */
2459 if (UNIT_ISSET(s->service)) {
2460 Service *service;
2461
2462 service = SERVICE(UNIT_DEREF(s->service));
2463
2464 if (UNIT(service)->load_state != UNIT_LOADED) {
2465 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2466 return -ENOENT;
2467 }
2468
2469 /* If the service is already active we cannot start the
2470 * socket */
2471 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2472 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2473 return -EBUSY;
2474 }
2475 }
2476
2477 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2478
2479 r = unit_start_limit_test(u);
2480 if (r < 0) {
2481 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2482 return r;
2483 }
2484
2485 r = unit_acquire_invocation_id(u);
2486 if (r < 0)
2487 return r;
2488
2489 s->result = SOCKET_SUCCESS;
2490
2491 u->reset_accounting = true;
2492
2493 socket_enter_start_pre(s);
2494 return 1;
2495 }
2496
2497 static int socket_stop(Unit *u) {
2498 Socket *s = SOCKET(u);
2499
2500 assert(s);
2501
2502 /* Already on it */
2503 if (IN_SET(s->state,
2504 SOCKET_STOP_PRE,
2505 SOCKET_STOP_PRE_SIGTERM,
2506 SOCKET_STOP_PRE_SIGKILL,
2507 SOCKET_STOP_POST,
2508 SOCKET_FINAL_SIGTERM,
2509 SOCKET_FINAL_SIGKILL))
2510 return 0;
2511
2512 /* If there's already something running we go directly into
2513 * kill mode. */
2514 if (IN_SET(s->state,
2515 SOCKET_START_PRE,
2516 SOCKET_START_CHOWN,
2517 SOCKET_START_POST)) {
2518 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2519 return -EAGAIN;
2520 }
2521
2522 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2523
2524 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2525 return 1;
2526 }
2527
2528 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2529 Socket *s = SOCKET(u);
2530 SocketPort *p;
2531 int r;
2532
2533 assert(u);
2534 assert(f);
2535 assert(fds);
2536
2537 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2538 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2539 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2540
2541 if (s->control_pid > 0)
2542 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2543
2544 if (s->control_command_id >= 0)
2545 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2546
2547 LIST_FOREACH(port, p, s->ports) {
2548 int copy;
2549
2550 if (p->fd < 0)
2551 continue;
2552
2553 copy = fdset_put_dup(fds, p->fd);
2554 if (copy < 0)
2555 return copy;
2556
2557 if (p->type == SOCKET_SOCKET) {
2558 _cleanup_free_ char *t = NULL;
2559
2560 r = socket_address_print(&p->address, &t);
2561 if (r < 0)
2562 return r;
2563
2564 if (socket_address_family(&p->address) == AF_NETLINK)
2565 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2566 else
2567 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2568
2569 } else if (p->type == SOCKET_SPECIAL)
2570 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2571 else if (p->type == SOCKET_MQUEUE)
2572 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2573 else if (p->type == SOCKET_USB_FUNCTION)
2574 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2575 else {
2576 assert(p->type == SOCKET_FIFO);
2577 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2578 }
2579 }
2580
2581 return 0;
2582 }
2583
2584 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2585 safe_close(p->fd);
2586 p->fd = fdset_remove(fds, fd);
2587 }
2588
2589 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2590 Socket *s = SOCKET(u);
2591
2592 assert(u);
2593 assert(key);
2594 assert(value);
2595
2596 if (streq(key, "state")) {
2597 SocketState state;
2598
2599 state = socket_state_from_string(value);
2600 if (state < 0)
2601 log_unit_debug(u, "Failed to parse state value: %s", value);
2602 else
2603 s->deserialized_state = state;
2604 } else if (streq(key, "result")) {
2605 SocketResult f;
2606
2607 f = socket_result_from_string(value);
2608 if (f < 0)
2609 log_unit_debug(u, "Failed to parse result value: %s", value);
2610 else if (f != SOCKET_SUCCESS)
2611 s->result = f;
2612
2613 } else if (streq(key, "n-accepted")) {
2614 unsigned k;
2615
2616 if (safe_atou(value, &k) < 0)
2617 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2618 else
2619 s->n_accepted += k;
2620 } else if (streq(key, "control-pid")) {
2621 pid_t pid;
2622
2623 if (parse_pid(value, &pid) < 0)
2624 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2625 else
2626 s->control_pid = pid;
2627 } else if (streq(key, "control-command")) {
2628 SocketExecCommand id;
2629
2630 id = socket_exec_command_from_string(value);
2631 if (id < 0)
2632 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2633 else {
2634 s->control_command_id = id;
2635 s->control_command = s->exec_command[id];
2636 }
2637 } else if (streq(key, "fifo")) {
2638 int fd, skip = 0;
2639 SocketPort *p;
2640
2641 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2642 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2643 else
2644 LIST_FOREACH(port, p, s->ports)
2645 if (p->type == SOCKET_FIFO &&
2646 path_equal_or_files_same(p->path, value+skip, 0)) {
2647 socket_port_take_fd(p, fds, fd);
2648 break;
2649 }
2650
2651 } else if (streq(key, "special")) {
2652 int fd, skip = 0;
2653 SocketPort *p;
2654
2655 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2656 log_unit_debug(u, "Failed to parse special value: %s", value);
2657 else
2658 LIST_FOREACH(port, p, s->ports)
2659 if (p->type == SOCKET_SPECIAL &&
2660 path_equal_or_files_same(p->path, value+skip, 0)) {
2661 socket_port_take_fd(p, fds, fd);
2662 break;
2663 }
2664
2665 } else if (streq(key, "mqueue")) {
2666 int fd, skip = 0;
2667 SocketPort *p;
2668
2669 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2670 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2671 else
2672 LIST_FOREACH(port, p, s->ports)
2673 if (p->type == SOCKET_MQUEUE &&
2674 streq(p->path, value+skip)) {
2675 socket_port_take_fd(p, fds, fd);
2676 break;
2677 }
2678
2679 } else if (streq(key, "socket")) {
2680 int fd, type, skip = 0;
2681 SocketPort *p;
2682
2683 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2684 log_unit_debug(u, "Failed to parse socket value: %s", value);
2685 else
2686 LIST_FOREACH(port, p, s->ports)
2687 if (socket_address_is(&p->address, value+skip, type)) {
2688 socket_port_take_fd(p, fds, fd);
2689 break;
2690 }
2691
2692 } else if (streq(key, "netlink")) {
2693 int fd, skip = 0;
2694 SocketPort *p;
2695
2696 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2697 log_unit_debug(u, "Failed to parse socket value: %s", value);
2698 else
2699 LIST_FOREACH(port, p, s->ports)
2700 if (socket_address_is_netlink(&p->address, value+skip)) {
2701 socket_port_take_fd(p, fds, fd);
2702 break;
2703 }
2704
2705 } else if (streq(key, "ffs")) {
2706 int fd, skip = 0;
2707 SocketPort *p;
2708
2709 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2710 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2711 else
2712 LIST_FOREACH(port, p, s->ports)
2713 if (p->type == SOCKET_USB_FUNCTION &&
2714 path_equal_or_files_same(p->path, value+skip, 0)) {
2715 socket_port_take_fd(p, fds, fd);
2716 break;
2717 }
2718
2719 } else
2720 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2721
2722 return 0;
2723 }
2724
2725 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2726 Socket *s = SOCKET(u);
2727 SocketPort *p;
2728
2729 assert(u);
2730
2731 LIST_FOREACH(port, p, s->ports) {
2732 Iterator i;
2733 int fd;
2734
2735 if (p->type != SOCKET_SOCKET)
2736 continue;
2737
2738 if (p->fd >= 0)
2739 continue;
2740
2741 FDSET_FOREACH(fd, fds, i) {
2742 if (socket_address_matches_fd(&p->address, fd)) {
2743 p->fd = fdset_remove(fds, fd);
2744 s->deserialized_state = SOCKET_LISTENING;
2745 break;
2746 }
2747 }
2748 }
2749 }
2750
2751 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2752 assert(u);
2753
2754 return state_translation_table[SOCKET(u)->state];
2755 }
2756
2757 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2758 assert(u);
2759
2760 return socket_state_to_string(SOCKET(u)->state);
2761 }
2762
2763 const char* socket_port_type_to_string(SocketPort *p) {
2764
2765 assert(p);
2766
2767 switch (p->type) {
2768
2769 case SOCKET_SOCKET:
2770
2771 switch (p->address.type) {
2772
2773 case SOCK_STREAM:
2774 return "Stream";
2775
2776 case SOCK_DGRAM:
2777 return "Datagram";
2778
2779 case SOCK_SEQPACKET:
2780 return "SequentialPacket";
2781
2782 case SOCK_RAW:
2783 if (socket_address_family(&p->address) == AF_NETLINK)
2784 return "Netlink";
2785
2786 _fallthrough_;
2787 default:
2788 return NULL;
2789 }
2790
2791 case SOCKET_SPECIAL:
2792 return "Special";
2793
2794 case SOCKET_MQUEUE:
2795 return "MessageQueue";
2796
2797 case SOCKET_FIFO:
2798 return "FIFO";
2799
2800 case SOCKET_USB_FUNCTION:
2801 return "USBFunction";
2802
2803 default:
2804 return NULL;
2805 }
2806 }
2807
2808 SocketType socket_port_type_from_string(const char *s) {
2809 assert(s);
2810
2811 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2812 return SOCKET_SOCKET;
2813 else if (streq(s, "Special"))
2814 return SOCKET_SPECIAL;
2815 else if (streq(s, "MessageQueue"))
2816 return SOCKET_MQUEUE;
2817 else if (streq(s, "FIFO"))
2818 return SOCKET_FIFO;
2819 else if (streq(s, "USBFunction"))
2820 return SOCKET_USB_FUNCTION;
2821 else
2822 return _SOCKET_TYPE_INVALID;
2823 }
2824
2825 _pure_ static bool socket_may_gc(Unit *u) {
2826 Socket *s = SOCKET(u);
2827
2828 assert(u);
2829
2830 return s->n_connections == 0;
2831 }
2832
2833 static int socket_accept_do(Socket *s, int fd) {
2834 int cfd;
2835
2836 assert(s);
2837 assert(fd >= 0);
2838
2839 for (;;) {
2840 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2841 if (cfd < 0) {
2842 if (errno == EINTR)
2843 continue;
2844
2845 return -errno;
2846 }
2847
2848 break;
2849 }
2850
2851 return cfd;
2852 }
2853
2854 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2855 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2856 int cfd, r;
2857 pid_t pid;
2858
2859 assert(s);
2860 assert(p);
2861 assert(fd >= 0);
2862
2863 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2864 * connection socket is also properly associated with the cgroup. */
2865
2866 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2867 goto shortcut;
2868
2869 r = bpf_firewall_supported();
2870 if (r < 0)
2871 return r;
2872 if (r == BPF_FIREWALL_UNSUPPORTED)
2873 goto shortcut;
2874
2875 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2876 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2877
2878 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2879 if (r < 0)
2880 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2881 if (r == 0) {
2882 /* Child */
2883
2884 pair[0] = safe_close(pair[0]);
2885
2886 cfd = socket_accept_do(s, fd);
2887 if (cfd < 0) {
2888 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2889 _exit(EXIT_FAILURE);
2890 }
2891
2892 r = send_one_fd(pair[1], cfd, 0);
2893 if (r < 0) {
2894 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2895 _exit(EXIT_FAILURE);
2896 }
2897
2898 _exit(EXIT_SUCCESS);
2899 }
2900
2901 pair[1] = safe_close(pair[1]);
2902 cfd = receive_one_fd(pair[0], 0);
2903
2904 /* We synchronously wait for the helper, as it shouldn't be slow */
2905 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2906 if (r < 0) {
2907 safe_close(cfd);
2908 return r;
2909 }
2910
2911 if (cfd < 0)
2912 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2913
2914 return cfd;
2915
2916 shortcut:
2917 cfd = socket_accept_do(s, fd);
2918 if (cfd < 0)
2919 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2920
2921 return cfd;
2922 }
2923
2924 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2925 SocketPort *p = userdata;
2926 int cfd = -1;
2927
2928 assert(p);
2929 assert(fd >= 0);
2930
2931 if (p->socket->state != SOCKET_LISTENING)
2932 return 0;
2933
2934 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2935
2936 if (revents != EPOLLIN) {
2937
2938 if (revents & EPOLLHUP)
2939 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2940 else
2941 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2942 goto fail;
2943 }
2944
2945 if (p->socket->accept &&
2946 p->type == SOCKET_SOCKET &&
2947 socket_address_can_accept(&p->address)) {
2948
2949 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2950 if (cfd < 0)
2951 goto fail;
2952
2953 socket_apply_socket_options(p->socket, cfd);
2954 }
2955
2956 socket_enter_running(p->socket, cfd);
2957 return 0;
2958
2959 fail:
2960 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2961 return 0;
2962 }
2963
2964 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2965 Socket *s = SOCKET(u);
2966 SocketResult f;
2967
2968 assert(s);
2969 assert(pid >= 0);
2970
2971 if (pid != s->control_pid)
2972 return;
2973
2974 s->control_pid = 0;
2975
2976 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2977 f = SOCKET_SUCCESS;
2978 else if (code == CLD_EXITED)
2979 f = SOCKET_FAILURE_EXIT_CODE;
2980 else if (code == CLD_KILLED)
2981 f = SOCKET_FAILURE_SIGNAL;
2982 else if (code == CLD_DUMPED)
2983 f = SOCKET_FAILURE_CORE_DUMP;
2984 else
2985 assert_not_reached("Unknown sigchld code");
2986
2987 if (s->control_command) {
2988 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2989
2990 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2991 f = SOCKET_SUCCESS;
2992 }
2993
2994 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2995 "Control process exited, code=%s status=%i",
2996 sigchld_code_to_string(code), status);
2997
2998 if (s->result == SOCKET_SUCCESS)
2999 s->result = f;
3000
3001 if (s->control_command &&
3002 s->control_command->command_next &&
3003 f == SOCKET_SUCCESS) {
3004
3005 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
3006 socket_run_next(s);
3007 } else {
3008 s->control_command = NULL;
3009 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
3010
3011 /* No further commands for this step, so let's figure
3012 * out what to do next */
3013
3014 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
3015
3016 switch (s->state) {
3017
3018 case SOCKET_START_PRE:
3019 if (f == SOCKET_SUCCESS)
3020 socket_enter_start_chown(s);
3021 else
3022 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
3023 break;
3024
3025 case SOCKET_START_CHOWN:
3026 if (f == SOCKET_SUCCESS)
3027 socket_enter_start_post(s);
3028 else
3029 socket_enter_stop_pre(s, f);
3030 break;
3031
3032 case SOCKET_START_POST:
3033 if (f == SOCKET_SUCCESS)
3034 socket_enter_listening(s);
3035 else
3036 socket_enter_stop_pre(s, f);
3037 break;
3038
3039 case SOCKET_STOP_PRE:
3040 case SOCKET_STOP_PRE_SIGTERM:
3041 case SOCKET_STOP_PRE_SIGKILL:
3042 socket_enter_stop_post(s, f);
3043 break;
3044
3045 case SOCKET_STOP_POST:
3046 case SOCKET_FINAL_SIGTERM:
3047 case SOCKET_FINAL_SIGKILL:
3048 socket_enter_dead(s, f);
3049 break;
3050
3051 default:
3052 assert_not_reached("Uh, control process died at wrong time.");
3053 }
3054 }
3055
3056 /* Notify clients about changed exit status */
3057 unit_add_to_dbus_queue(u);
3058 }
3059
3060 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3061 Socket *s = SOCKET(userdata);
3062
3063 assert(s);
3064 assert(s->timer_event_source == source);
3065
3066 switch (s->state) {
3067
3068 case SOCKET_START_PRE:
3069 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3070 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3071 break;
3072
3073 case SOCKET_START_CHOWN:
3074 case SOCKET_START_POST:
3075 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3076 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3077 break;
3078
3079 case SOCKET_STOP_PRE:
3080 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3081 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3082 break;
3083
3084 case SOCKET_STOP_PRE_SIGTERM:
3085 if (s->kill_context.send_sigkill) {
3086 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3087 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3088 } else {
3089 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3090 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3091 }
3092 break;
3093
3094 case SOCKET_STOP_PRE_SIGKILL:
3095 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3096 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3097 break;
3098
3099 case SOCKET_STOP_POST:
3100 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3101 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3102 break;
3103
3104 case SOCKET_FINAL_SIGTERM:
3105 if (s->kill_context.send_sigkill) {
3106 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3107 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3108 } else {
3109 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3110 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3111 }
3112 break;
3113
3114 case SOCKET_FINAL_SIGKILL:
3115 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3116 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3117 break;
3118
3119 default:
3120 assert_not_reached("Timeout at wrong time.");
3121 }
3122
3123 return 0;
3124 }
3125
3126 int socket_collect_fds(Socket *s, int **fds) {
3127 int *rfds, k = 0, n = 0;
3128 SocketPort *p;
3129
3130 assert(s);
3131 assert(fds);
3132
3133 /* Called from the service code for requesting our fds */
3134
3135 LIST_FOREACH(port, p, s->ports) {
3136 if (p->fd >= 0)
3137 n++;
3138 n += p->n_auxiliary_fds;
3139 }
3140
3141 if (n <= 0) {
3142 *fds = NULL;
3143 return 0;
3144 }
3145
3146 rfds = new(int, n);
3147 if (!rfds)
3148 return -ENOMEM;
3149
3150 LIST_FOREACH(port, p, s->ports) {
3151 int i;
3152
3153 if (p->fd >= 0)
3154 rfds[k++] = p->fd;
3155 for (i = 0; i < p->n_auxiliary_fds; ++i)
3156 rfds[k++] = p->auxiliary_fds[i];
3157 }
3158
3159 assert(k == n);
3160
3161 *fds = rfds;
3162 return n;
3163 }
3164
3165 static void socket_reset_failed(Unit *u) {
3166 Socket *s = SOCKET(u);
3167
3168 assert(s);
3169
3170 if (s->state == SOCKET_FAILED)
3171 socket_set_state(s, SOCKET_DEAD);
3172
3173 s->result = SOCKET_SUCCESS;
3174 }
3175
3176 void socket_connection_unref(Socket *s) {
3177 assert(s);
3178
3179 /* The service is dead. Yay!
3180 *
3181 * This is strictly for one-instance-per-connection
3182 * services. */
3183
3184 assert(s->n_connections > 0);
3185 s->n_connections--;
3186
3187 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3188 }
3189
3190 static void socket_trigger_notify(Unit *u, Unit *other) {
3191 Socket *s = SOCKET(u);
3192
3193 assert(u);
3194 assert(other);
3195
3196 /* Filter out invocations with bogus state */
3197 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3198 return;
3199
3200 /* Don't propagate state changes from the service if we are already down */
3201 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3202 return;
3203
3204 /* We don't care for the service state if we are in Accept=yes mode */
3205 if (s->accept)
3206 return;
3207
3208 /* Propagate start limit hit state */
3209 if (other->start_limit_hit) {
3210 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3211 return;
3212 }
3213
3214 /* Don't propagate anything if there's still a job queued */
3215 if (other->job)
3216 return;
3217
3218 if (IN_SET(SERVICE(other)->state,
3219 SERVICE_DEAD, SERVICE_FAILED,
3220 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3221 SERVICE_AUTO_RESTART))
3222 socket_enter_listening(s);
3223
3224 if (SERVICE(other)->state == SERVICE_RUNNING)
3225 socket_set_state(s, SOCKET_RUNNING);
3226 }
3227
3228 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3229 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3230 }
3231
3232 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3233 Socket *s = SOCKET(u);
3234 usec_t t;
3235 int r;
3236
3237 if (!s->timer_event_source)
3238 return 0;
3239
3240 r = sd_event_source_get_time(s->timer_event_source, &t);
3241 if (r < 0)
3242 return r;
3243 if (t == USEC_INFINITY)
3244 return 0;
3245
3246 *timeout = t;
3247 return 1;
3248 }
3249
3250 char *socket_fdname(Socket *s) {
3251 assert(s);
3252
3253 /* Returns the name to use for $LISTEN_NAMES. If the user
3254 * didn't specify anything specifically, use the socket unit's
3255 * name as fallback. */
3256
3257 return s->fdname ?: UNIT(s)->id;
3258 }
3259
3260 static int socket_control_pid(Unit *u) {
3261 Socket *s = SOCKET(u);
3262
3263 assert(s);
3264
3265 return s->control_pid;
3266 }
3267
3268 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3269 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3270 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3271 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3272 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3273 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3274 };
3275
3276 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3277
3278 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3279 [SOCKET_SUCCESS] = "success",
3280 [SOCKET_FAILURE_RESOURCES] = "resources",
3281 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3282 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3283 [SOCKET_FAILURE_SIGNAL] = "signal",
3284 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3285 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3286 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3287 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3288 };
3289
3290 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3291
3292 const UnitVTable socket_vtable = {
3293 .object_size = sizeof(Socket),
3294 .exec_context_offset = offsetof(Socket, exec_context),
3295 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3296 .kill_context_offset = offsetof(Socket, kill_context),
3297 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3298 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3299
3300 .sections =
3301 "Unit\0"
3302 "Socket\0"
3303 "Install\0",
3304 .private_section = "Socket",
3305
3306 .can_transient = true,
3307
3308 .init = socket_init,
3309 .done = socket_done,
3310 .load = socket_load,
3311
3312 .coldplug = socket_coldplug,
3313
3314 .dump = socket_dump,
3315
3316 .start = socket_start,
3317 .stop = socket_stop,
3318
3319 .kill = socket_kill,
3320
3321 .get_timeout = socket_get_timeout,
3322
3323 .serialize = socket_serialize,
3324 .deserialize_item = socket_deserialize_item,
3325 .distribute_fds = socket_distribute_fds,
3326
3327 .active_state = socket_active_state,
3328 .sub_state_to_string = socket_sub_state_to_string,
3329
3330 .may_gc = socket_may_gc,
3331
3332 .sigchld_event = socket_sigchld_event,
3333
3334 .trigger_notify = socket_trigger_notify,
3335
3336 .reset_failed = socket_reset_failed,
3337
3338 .control_pid = socket_control_pid,
3339
3340 .bus_vtable = bus_socket_vtable,
3341 .bus_set_property = bus_socket_set_property,
3342 .bus_commit_properties = bus_socket_commit_properties,
3343
3344 .status_message_formats = {
3345 /*.starting_stopping = {
3346 [0] = "Starting socket %s...",
3347 [1] = "Stopping socket %s...",
3348 },*/
3349 .finished_start_job = {
3350 [JOB_DONE] = "Listening on %s.",
3351 [JOB_FAILED] = "Failed to listen on %s.",
3352 [JOB_TIMEOUT] = "Timed out starting %s.",
3353 },
3354 .finished_stop_job = {
3355 [JOB_DONE] = "Closed %s.",
3356 [JOB_FAILED] = "Failed stopping %s.",
3357 [JOB_TIMEOUT] = "Timed out stopping %s.",
3358 },
3359 },
3360 };
Unnamed repository; edit this file 'description' to name the repository.