src/basic/socket-label.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <errno.h>
   4 #include <netinet/in.h>
   5 #include <stdbool.h>
   6 #include <stddef.h>
   7 #include <string.h>
   8 #include <sys/socket.h>
   9 #include <sys/un.h>
  10 #include <unistd.h>
  11
  12 #include "alloc-util.h"
  13 #include "fd-util.h"
  14 #include "fs-util.h"
  15 #include "log.h"
  16 #include "macro.h"
  17 #include "missing.h"
  18 #include "mkdir.h"
  19 #include "selinux-util.h"
  20 #include "socket-util.h"
  21 #include "umask-util.h"
  22
  23 int socket_address_listen(
  24                 const SocketAddress *a,
  25                 int flags,
  26                 int backlog,
  27                 SocketAddressBindIPv6Only only,
  28                 const char *bind_to_device,
  29                 bool reuse_port,
  30                 bool free_bind,
  31                 bool transparent,
  32                 mode_t directory_mode,
  33                 mode_t socket_mode,
  34                 const char *label) {
  35
  36         _cleanup_close_ int fd = -1;
  37         const char *p;
  38         int r, one;
  39
  40         assert(a);
  41
  42         r = socket_address_verify(a);
  43         if (r < 0)
  44                 return r;
  45
  46         if (socket_address_family(a) == AF_INET6 && !socket_ipv6_is_supported())
  47                 return -EAFNOSUPPORT;
  48
  49         if (label) {
  50                 r = mac_selinux_create_socket_prepare(label);
  51                 if (r < 0)
  52                         return r;
  53         }
  54
  55         fd = socket(socket_address_family(a), a->type | flags, a->protocol);
  56         r = fd < 0 ? -errno : 0;
  57
  58         if (label)
  59                 mac_selinux_create_socket_clear();
  60
  61         if (r < 0)
  62                 return r;
  63
  64         if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
  65                 int flag = only == SOCKET_ADDRESS_IPV6_ONLY;
  66
  67                 if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &flag, sizeof(flag)) < 0)
  68                         return -errno;
  69         }
  70
  71         if (IN_SET(socket_address_family(a), AF_INET, AF_INET6)) {
  72                 if (bind_to_device)
  73                         if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, bind_to_device, strlen(bind_to_device)+1) < 0)
  74                                 return -errno;
  75
  76                 if (reuse_port) {
  77                         one = 1;
  78                         if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
  79                                 log_warning_errno(errno, "SO_REUSEPORT failed: %m");
  80                 }
  81
  82                 if (free_bind) {
  83                         one = 1;
  84                         if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
  85                                 log_warning_errno(errno, "IP_FREEBIND failed: %m");
  86                 }
  87
  88                 if (transparent) {
  89                         one = 1;
  90                         if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
  91                                 log_warning_errno(errno, "IP_TRANSPARENT failed: %m");
  92                 }
  93         }
  94
  95         one = 1;
  96         if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
  97                 return -errno;
  98
  99         p = socket_address_get_path(a);
 100         if (p) {
 101                 /* Create parents */
 102                 (void) mkdir_parents_label(p, directory_mode);
 103
 104                 /* Enforce the right access mode for the socket */
 105                 RUN_WITH_UMASK(~socket_mode) {
 106                         r = mac_selinux_bind(fd, &a->sockaddr.sa, a->size);
 107                         if (r == -EADDRINUSE) {
 108                                 /* Unlink and try again */
 109
 110                                 if (unlink(p) < 0)
 111                                         return r; /* didn't work, return original error */
 112
 113                                 r = mac_selinux_bind(fd, &a->sockaddr.sa, a->size);
 114                         }
 115                         if (r < 0)
 116                                 return r;
 117                 }
 118         } else {
 119                 if (bind(fd, &a->sockaddr.sa, a->size) < 0)
 120                         return -errno;
 121         }
 122
 123         if (socket_address_can_accept(a))
 124                 if (listen(fd, backlog) < 0)
 125                         return -errno;
 126
 127         /* Let's trigger an inotify event on the socket node, so that anyone waiting for this socket to be connectable
 128          * gets notified */
 129         if (p)
 130                 (void) touch(p);
 131
 132         r = fd;
 133         fd = -1;
 134
 135         return r;
 136 }
 137
 138 int make_socket_fd(int log_level, const char* address, int type, int flags) {
 139         SocketAddress a;
 140         int fd, r;
 141
 142         r = socket_address_parse(&a, address);
 143         if (r < 0)
 144                 return log_error_errno(r, "Failed to parse socket address \"%s\": %m", address);
 145
 146         a.type = type;
 147
 148         fd = socket_address_listen(&a, type | flags, SOMAXCONN, SOCKET_ADDRESS_DEFAULT,
 149                                    NULL, false, false, false, 0755, 0644, NULL);
 150         if (fd < 0 || log_get_max_level() >= log_level) {
 151                 _cleanup_free_ char *p = NULL;
 152
 153                 r = socket_address_print(&a, &p);
 154                 if (r < 0)
 155                         return log_error_errno(r, "socket_address_print(): %m");
 156
 157                 if (fd < 0)
 158                         log_error_errno(fd, "Failed to listen on %s: %m", p);
 159                 else
 160                         log_full(log_level, "Listening on %s", p);
 161         }
 162
 163         return fd;
 164 }