]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/socket.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core/cgroup: accepts MemorySwapMax=0 (#8366)
[thirdparty/systemd.git] / src / core / socket.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09
LP		 2/***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 15 Lesser General Public License for more details.
a7334b09 16
5430f7f2 17 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19***/
20
e8da24a6 21#include <arpa/inet.h>
83c60c9f
LP		 22#include <errno.h>
23#include <fcntl.h>
916abb21 24#include <mqueue.h>
e8da24a6
LP		 25#include <netinet/tcp.h>
26#include <signal.h>
27#include <sys/epoll.h>
28#include <sys/stat.h>
29#include <unistd.h>
62bc4efc 30#include <linux/sctp.h>
83c60c9f 31
b5efdb8a 32#include "alloc-util.h"
a79279c7 33#include "bpf-firewall.h"
e8da24a6
LP		 34#include "bus-error.h"
35#include "bus-util.h"
36#include "copy.h"
37#include "dbus-socket.h"
38#include "def.h"
39#include "exit-status.h"
3ffd4af2 40#include "fd-util.h"
f97b34a6 41#include "format-util.h"
95f7fbbf 42#include "fs-util.h"
a79279c7 43#include "in-addr-util.h"
60d9771c 44#include "io-util.h"
e8da24a6 45#include "label.h"
83c60c9f 46#include "log.h"
e8da24a6 47#include "missing.h"
49e942b2 48#include "mkdir.h"
6bedfcbb 49#include "parse-util.h"
9eb977db 50#include "path-util.h"
7b3e062c 51#include "process-util.h"
d7b8eec7 52#include "selinux-util.h"
24882e06 53#include "signal-util.h"
e8da24a6 54#include "smack-util.h"
24882e06 55#include "socket.h"
e045e325 56#include "socket-protocol-list.h"
e8da24a6 57#include "special.h"
8b43440b 58#include "string-table.h"
07630cea 59#include "string-util.h"
e8da24a6
LP		 60#include "strv.h"
61#include "unit-name.h"
e8da24a6 62#include "unit.h"
b1d4f8e1 63#include "user-util.h"
83c60c9f 64
166cf510
ZJS		 65struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
41733ae1 70 socklen_t peer_salen;
166cf510
ZJS		 71};
72
acbb0225 73static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
87f0e418
LP		 74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
3900e5fd 76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
87f0e418
LP		 77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
80876c20
LP		 84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
fdf20a31 86 [SOCKET_FAILED] = UNIT_FAILED
83c60c9f 87};
5cb5a6ff 88
718db961
LP		 89static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
a16e1123
LP		 92static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
ac155bb8 96 assert(u->load_state == UNIT_STUB);
a16e1123 97
a16e1123 98 s->backlog = SOMAXCONN;
1f19a534 99 s->timeout_usec = u->manager->default_timeout_start_usec;
a16e1123 100 s->directory_mode = 0755;
9131f660 101 s->socket_mode = 0666;
a16e1123 102
6cf6bbc2
LP		 103 s->max_connections = 64;
104
4fd5948e 105 s->priority = -1;
4fd5948e
LP		 106 s->ip_tos = -1;
107 s->ip_ttl = -1;
4fd5948e 108 s->mark = -1;
4fd5948e 109
ac155bb8
MS		 110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
085afe36 112
a16e1123 113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
8b26cdbd 114
1f15ce28
LP		 115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
a16e1123 117}
acbb0225 118
5e94833f
LP		 119static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127}
128
15087cdb 129static void socket_cleanup_fd_list(SocketPort *p) {
3ffd4af2 130 assert(p);
15087cdb 131
3ffd4af2 132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
15087cdb
PS		 133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135}
136
74051b9b 137void socket_free_ports(Socket *s) {
034c6ed7
LP		 138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
71fda00f 143 LIST_REMOVE(port, s->ports, p);
034c6ed7 144
718db961
LP		 145 sd_event_source_unref(p->event_source);
146
15087cdb 147 socket_cleanup_fd_list(p);
03e334a1 148 safe_close(p->fd);
034c6ed7
LP		 149 free(p->path);
150 free(p);
151 }
74051b9b
LP		 152}
153
154static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
9d565427 156 SocketPeer *p;
74051b9b
LP		 157
158 assert(s);
159
160 socket_free_ports(s);
034c6ed7 161
9a73653c 162 while ((p = set_steal_first(s->peers_by_address)))
9d565427
SS		 163 p->socket = NULL;
164
9a73653c 165 s->peers_by_address = set_free(s->peers_by_address);
9d565427 166
e8a565cb 167 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
e537352b 168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
034c6ed7
LP		 169 s->control_command = NULL;
170
29206d46
LP		 171 dynamic_creds_unref(&s->dynamic_creds);
172
5e94833f 173 socket_unwatch_control_pid(s);
034c6ed7 174
57020a3a 175 unit_ref_unset(&s->service);
034c6ed7 176
a1e58e8e
LP		 177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
acbb0225 179
0a78712e
DM		 180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
0eb59ccf 183
811ba7a0
LP		 184 strv_free(s->symlinks);
185
0a78712e
DM		 186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
3900e5fd 188
a97b23d6
DM		 189 s->fdname = mfree(s->fdname);
190
718db961
LP		 191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192}
193
36c16a7c 194static int socket_arm_timer(Socket *s, usec_t usec) {
718db961
LP		 195 int r;
196
197 assert(s);
198
718db961 199 if (s->timer_event_source) {
36c16a7c 200 r = sd_event_source_set_time(s->timer_event_source, usec);
718db961
LP		 201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
36c16a7c
LP		 207 if (usec == USEC_INFINITY)
208 return 0;
209
7dfbe2e3 210 r = sd_event_add_time(
6a0f1f6d
LP		 211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
36c16a7c 214 usec, 0,
6a0f1f6d 215 socket_dispatch_timer, s);
7dfbe2e3
TG		 216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
5cb5a6ff
LP		 222}
223
8b835fcc
ZJS		 224int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
b15bdda8
LP		 226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
7410616c 236 if (UNIT_DEREF(s->service))
b15bdda8
LP		 237 return 0;
238
7410616c
LP		 239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
b15bdda8 245
315db1a8 246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
b15bdda8
LP		 247 return -ENOMEM;
248
1124fe6f 249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
b15bdda8
LP		 250 if (r < 0)
251 return r;
252
7f7d01ed 253 unit_ref_set(&s->service, UNIT(s), u);
57020a3a 254
eef85c4a 255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
b15bdda8
LP		 256}
257
4f2d528d
LP		 258static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
dd5ad9d4
LP		 266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
4f2d528d
LP		 271 if (!socket_address_can_accept(&p->address))
272 return true;
dd5ad9d4 273 }
4f2d528d
LP		 274
275 return false;
276}
277
eef85c4a 278static int socket_add_mount_dependencies(Socket *s) {
6e2ef85b 279 SocketPort *p;
6e2ef85b
LP		 280 int r;
281
282 assert(s);
6e2ef85b 283
a57f7e2c
LP		 284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
6e2ef85b 286
a57f7e2c
LP		 287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
60252446 289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
a57f7e2c 290 path = p->path;
6e2ef85b 291
a57f7e2c
LP		 292 if (!path)
293 continue;
6e2ef85b 294
eef85c4a 295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
b87705cd 296 if (r < 0)
6e2ef85b 297 return r;
b87705cd 298 }
6e2ef85b
LP		 299
300 return 0;
301}
302
eef85c4a 303static int socket_add_device_dependencies(Socket *s) {
6e2ef85b 304 char *t;
6e2ef85b
LP		 305
306 assert(s);
307
7d0c710d 308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
6e2ef85b
LP		 309 return 0;
310
63c372cb 311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
eef85c4a 312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
6e2ef85b
LP		 313}
314
a40eb732
LP		 315static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
4c9ea260
LP		 319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
eef85c4a 322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721
LP		 323 if (r < 0)
324 return r;
2a77d31d 325
463d0d15 326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
eef85c4a 327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721 328 if (r < 0)
a40eb732 329 return r;
2a77d31d 330 }
a40eb732 331
eef85c4a 332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
a40eb732
LP		 333}
334
44a6b1b6 335_pure_ static bool socket_has_exec(Socket *s) {
4cfc6dbe
LP		 336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344}
345
e821075a
LP		 346static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
e537352b 348 int r;
44d8db9e 349
e821075a 350 assert(s);
57020a3a 351
1f15ce28
LP		 352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
e821075a 371 if (have_non_accept_socket(s)) {
23a177ef 372
e821075a
LP		 373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
57020a3a 375
e821075a 376 r = unit_load_related_unit(u, ".service", &x);
57020a3a 377 if (r < 0)
4f2d528d 378 return r;
e821075a 379
7f7d01ed 380 unit_ref_set(&s->service, u, x);
4f2d528d 381 }
44d8db9e 382
eef85c4a 383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
e821075a 384 if (r < 0)
6e2ef85b 385 return r;
e821075a 386 }
6e2ef85b 387
eef85c4a 388 r = socket_add_mount_dependencies(s);
e821075a
LP		 389 if (r < 0)
390 return r;
6e2ef85b 391
eef85c4a 392 r = socket_add_device_dependencies(s);
e821075a
LP		 393 if (r < 0)
394 return r;
395
598459ce 396 r = unit_patch_contexts(u);
e821075a
LP		 397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
e821075a 404 }
a016b922 405
88af31f9
LP		 406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
4c9ea260
LP		 410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
e821075a
LP		 413
414 return 0;
415}
416
811ba7a0
LP		 417static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
b9495e8d 431 f = socket_address_get_path(&p->address);
811ba7a0
LP		 432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447}
448
e821075a
LP		 449static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
da3bddc9 456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
e821075a
LP		 457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
f2341e0a 461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
e821075a
LP		 462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
f2341e0a 466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
e821075a
LP		 467 return -EINVAL;
468 }
e06c73cc 469
e821075a 470 if (s->accept && UNIT_DEREF(s->service)) {
f2341e0a 471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
e821075a
LP		 472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
f2341e0a 476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
e821075a
LP		 477 return -EINVAL;
478 }
479
811ba7a0 480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
f2341e0a 481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
811ba7a0
LP		 482 return -EINVAL;
483 }
484
e821075a
LP		 485 return 0;
486}
487
9d565427
SS		 488static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
41733ae1 495 else if (s->peer.sa.sa_family == AF_INET6)
9d565427 496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
359a5bcf
SH		 497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
41733ae1
LP		 499 else
500 assert_not_reached("Unknown address family.");
9d565427
SS		 501}
502
503static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
359a5bcf
SH		 516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
9d565427 522 }
166cf510 523 assert_not_reached("Black sheep in the family!");
9d565427
SS		 524}
525
526const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529};
530
e821075a
LP		 531static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
9a73653c 538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
9d565427
SS		 539 if (r < 0)
540 return r;
541
e821075a
LP		 542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
e06c73cc
LP		 549 if (r < 0)
550 return r;
23a177ef
LP		 551 }
552
4f2d528d 553 return socket_verify(s);
44d8db9e
LP		 554}
555
166cf510
ZJS		 556static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566}
567
568SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576}
577
578SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593}
594
3ebcd323 595int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
166cf510
ZJS		 596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
359a5bcf 608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
166cf510
ZJS		 609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
41733ae1 624 remote->peer_salen = salen;
166cf510
ZJS		 625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
632 *p = remote;
633 remote = NULL;
634
635 return 1;
636}
637
44a6b1b6 638_const_ static const char* listen_lookup(int family, int type) {
7a22745a
LP		 639
640 if (family == AF_NETLINK)
641 return "ListenNetlink";
542563ba
LP		 642
643 if (type == SOCK_STREAM)
644 return "ListenStream";
645 else if (type == SOCK_DGRAM)
646 return "ListenDatagram";
647 else if (type == SOCK_SEQPACKET)
648 return "ListenSequentialPacket";
649
034c6ed7 650 assert_not_reached("Unknown socket type");
542563ba
LP		 651 return NULL;
652}
653
87f0e418 654static void socket_dump(Unit *u, FILE *f, const char *prefix) {
209e9dcd 655 char time_string[FORMAT_TIMESPAN_MAX];
5cb5a6ff 656 SocketExecCommand c;
87f0e418 657 Socket *s = SOCKET(u);
542563ba 658 SocketPort *p;
827d9bf2 659 const char *prefix2, *str;
5cb5a6ff
LP		 660
661 assert(s);
fa068367 662 assert(f);
5cb5a6ff 663
4c940960 664 prefix = strempty(prefix);
63c372cb 665 prefix2 = strjoina(prefix, "\t");
c43d20a0 666
5cb5a6ff
LP		 667 fprintf(f,
668 "%sSocket State: %s\n"
81a5c6d0 669 "%sResult: %s\n"
542563ba 670 "%sBindIPv6Only: %s\n"
b5a0699f
LP		 671 "%sBacklog: %u\n"
672 "%sSocketMode: %04o\n"
4fd5948e
LP		 673 "%sDirectoryMode: %04o\n"
674 "%sKeepAlive: %s\n"
4427c3f4 675 "%sNoDelay: %s\n"
cebf8b20 676 "%sFreeBind: %s\n"
6b6d2dee 677 "%sTransparent: %s\n"
ec6370a2 678 "%sBroadcast: %s\n"
ede3deb4 679 "%sPassCredentials: %s\n"
54ecda32 680 "%sPassSecurity: %s\n"
bd1fe7c7 681 "%sTCPCongestion: %s\n"
16115b0a 682 "%sRemoveOnStop: %s\n"
55301ec0 683 "%sWritable: %s\n"
827d9bf2 684 "%sFileDescriptorName: %s\n"
16115b0a 685 "%sSELinuxContextFromNet: %s\n",
a16e1123 686 prefix, socket_state_to_string(s->state),
81a5c6d0 687 prefix, socket_result_to_string(s->result),
c0120d99 688 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
b5a0699f
LP		 689 prefix, s->backlog,
690 prefix, s->socket_mode,
4fd5948e
LP		 691 prefix, s->directory_mode,
692 prefix, yes_no(s->keep_alive),
4427c3f4 693 prefix, yes_no(s->no_delay),
cebf8b20 694 prefix, yes_no(s->free_bind),
6b6d2dee 695 prefix, yes_no(s->transparent),
ec6370a2 696 prefix, yes_no(s->broadcast),
d68af586 697 prefix, yes_no(s->pass_cred),
54ecda32 698 prefix, yes_no(s->pass_sec),
bd1fe7c7 699 prefix, strna(s->tcp_congestion),
16115b0a 700 prefix, yes_no(s->remove_on_stop),
55301ec0 701 prefix, yes_no(s->writable),
8dd4c05b 702 prefix, socket_fdname(s),
16115b0a 703 prefix, yes_no(s->selinux_context_from_net));
542563ba 704
70123e68
LP		 705 if (s->control_pid > 0)
706 fprintf(f,
de0671ee
ZJS		 707 "%sControl PID: "PID_FMT"\n",
708 prefix, s->control_pid);
70123e68 709
acbb0225
LP		 710 if (s->bind_to_device)
711 fprintf(f,
712 "%sBindToDevice: %s\n",
713 prefix, s->bind_to_device);
714
4f2d528d
LP		 715 if (s->accept)
716 fprintf(f,
6cf6bbc2
LP		 717 "%sAccepted: %u\n"
718 "%sNConnections: %u\n"
827d9bf2
YW		 719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
6cf6bbc2
LP		 721 prefix, s->n_accepted,
722 prefix, s->n_connections,
827d9bf2
YW		 723 prefix, s->max_connections,
724 prefix, s->max_connections_per_source);
4f2d528d 725
4fd5948e
LP		 726 if (s->priority >= 0)
727 fprintf(f,
728 "%sPriority: %i\n",
729 prefix, s->priority);
730
731 if (s->receive_buffer > 0)
732 fprintf(f,
733 "%sReceiveBuffer: %zu\n",
734 prefix, s->receive_buffer);
735
736 if (s->send_buffer > 0)
737 fprintf(f,
738 "%sSendBuffer: %zu\n",
739 prefix, s->send_buffer);
740
741 if (s->ip_tos >= 0)
742 fprintf(f,
743 "%sIPTOS: %i\n",
744 prefix, s->ip_tos);
745
746 if (s->ip_ttl >= 0)
747 fprintf(f,
748 "%sIPTTL: %i\n",
749 prefix, s->ip_ttl);
750
751 if (s->pipe_size > 0)
752 fprintf(f,
753 "%sPipeSize: %zu\n",
754 prefix, s->pipe_size);
755
756 if (s->mark >= 0)
757 fprintf(f,
758 "%sMark: %i\n",
759 prefix, s->mark);
760
916abb21
LP		 761 if (s->mq_maxmsg > 0)
762 fprintf(f,
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix, s->mq_maxmsg);
765
766 if (s->mq_msgsize > 0)
767 fprintf(f,
768 "%sMessageQueueMessageSize: %li\n",
769 prefix, s->mq_msgsize);
770
718db961 771 if (s->reuse_port)
f7db7a69
SL		 772 fprintf(f,
773 "%sReusePort: %s\n",
718db961 774 prefix, yes_no(s->reuse_port));
f7db7a69 775
0eb59ccf
AK		 776 if (s->smack)
777 fprintf(f,
778 "%sSmackLabel: %s\n",
779 prefix, s->smack);
780
781 if (s->smack_ip_in)
782 fprintf(f,
783 "%sSmackLabelIPIn: %s\n",
784 prefix, s->smack_ip_in);
785
786 if (s->smack_ip_out)
787 fprintf(f,
788 "%sSmackLabelIPOut: %s\n",
789 prefix, s->smack_ip_out);
790
3900e5fd
LP		 791 if (!isempty(s->user) || !isempty(s->group))
792 fprintf(f,
d2a50e3b
LP		 793 "%sSocketUser: %s\n"
794 "%sSocketGroup: %s\n",
3900e5fd
LP		 795 prefix, strna(s->user),
796 prefix, strna(s->group));
797
3cd761e4 798 if (s->keep_alive_time > 0)
209e9dcd 799 fprintf(f,
3cd761e4
LP		 800 "%sKeepAliveTimeSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
209e9dcd 802
3cd761e4 803 if (s->keep_alive_interval)
209e9dcd 804 fprintf(f,
3cd761e4
LP		 805 "%sKeepAliveIntervalSec: %s\n",
806 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
209e9dcd 807
3cd761e4 808 if (s->keep_alive_cnt)
209e9dcd
SS		 809 fprintf(f,
810 "%sKeepAliveProbes: %u\n",
811 prefix, s->keep_alive_cnt);
812
3cd761e4 813 if (s->defer_accept)
cc567c9b 814 fprintf(f,
3cd761e4
LP		 815 "%sDeferAcceptSec: %s\n",
816 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
cc567c9b 817
034c6ed7 818 LIST_FOREACH(port, p, s->ports) {
5cb5a6ff 819
542563ba
LP		 820 if (p->type == SOCKET_SOCKET) {
821 const char *t;
822 int r;
e364ad06 823 char *k = NULL;
542563ba 824
e53fc357
LP		 825 r = socket_address_print(&p->address, &k);
826 if (r < 0)
542563ba
LP		 827 t = strerror(-r);
828 else
829 t = k;
830
7a22745a 831 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
542563ba 832 free(k);
b0a3f2bc
LP		 833 } else if (p->type == SOCKET_SPECIAL)
834 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
60252446
PS		 835 else if (p->type == SOCKET_USB_FUNCTION)
836 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
916abb21
LP		 837 else if (p->type == SOCKET_MQUEUE)
838 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
b0a3f2bc 839 else
542563ba
LP		 840 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
841 }
5cb5a6ff 842
1745fa70
EV		 843 fprintf(f,
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
847 prefix, s->trigger_limit.burst);
848
827d9bf2
YW		 849 str = socket_protocol_to_name(s->socket_protocol);
850 if (str)
851 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
852
853 if (!strv_isempty(s->symlinks)) {
854 char **q;
855
856 fprintf(f, "%sSymlinks:", prefix);
857 STRV_FOREACH(q, s->symlinks)
858 fprintf(f, " %s", *q);
859
860 fprintf(f, "\n");
861 }
862
863 fprintf(f,
864 "%sTimeoutSec: %s\n",
865 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
866
5cb5a6ff 867 exec_context_dump(&s->exec_context, f, prefix);
4819ff03 868 kill_context_dump(&s->kill_context, f, prefix);
5cb5a6ff 869
e537352b 870 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
c43d20a0
LP		 871 if (!s->exec_command[c])
872 continue;
5cb5a6ff 873
40d50879 874 fprintf(f, "%s-> %s:\n",
a16e1123 875 prefix, socket_exec_command_to_string(c));
c43d20a0
LP		 876
877 exec_command_dump_list(s->exec_command[c], f, prefix2);
5cb5a6ff 878 }
18f573aa
LP		 879
880 cgroup_context_dump(&s->cgroup_context, f, prefix);
5cb5a6ff
LP		 881}
882
4f2d528d
LP		 883static int instance_from_socket(int fd, unsigned nr, char **instance) {
884 socklen_t l;
885 char *r;
9d16d0c7 886 union sockaddr_union local, remote;
4f2d528d
LP		 887
888 assert(fd >= 0);
889 assert(instance);
890
891 l = sizeof(local);
892 if (getsockname(fd, &local.sa, &l) < 0)
893 return -errno;
894
895 l = sizeof(remote);
896 if (getpeername(fd, &remote.sa, &l) < 0)
897 return -errno;
898
899 switch (local.sa.sa_family) {
900
901 case AF_INET: {
902 uint32_t
8e38570e
LP		 903 a = be32toh(local.in.sin_addr.s_addr),
904 b = be32toh(remote.in.sin_addr.s_addr);
4f2d528d
LP		 905
906 if (asprintf(&r,
77b088c2
LP		 907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
4f2d528d 909 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
8e38570e 910 be16toh(local.in.sin_port),
4f2d528d 911 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
8e38570e 912 be16toh(remote.in.sin_port)) < 0)
4f2d528d
LP		 913 return -ENOMEM;
914
915 break;
916 }
917
918 case AF_INET6: {
c65a0b14 919 static const unsigned char ipv4_prefix[] = {
2b061f5a
LP		 920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
921 };
922
923 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
924 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
925 const uint8_t
926 *a = local.in6.sin6_addr.s6_addr+12,
927 *b = remote.in6.sin6_addr.s6_addr+12;
928
929 if (asprintf(&r,
77b088c2
LP		 930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
931 nr,
2b061f5a 932 a[0], a[1], a[2], a[3],
8e38570e 933 be16toh(local.in6.sin6_port),
2b061f5a 934 b[0], b[1], b[2], b[3],
8e38570e 935 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 936 return -ENOMEM;
937 } else {
938 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
939
940 if (asprintf(&r,
77b088c2
LP		 941 "%u-%s:%u-%s:%u",
942 nr,
2b061f5a 943 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
8e38570e 944 be16toh(local.in6.sin6_port),
2b061f5a 945 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
8e38570e 946 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 947 return -ENOMEM;
948 }
4f2d528d
LP		 949
950 break;
951 }
952
953 case AF_UNIX: {
954 struct ucred ucred;
eff05270 955 int k;
4f2d528d 956
eff05270 957 k = getpeercred(fd, &ucred);
d38f6e34
ZJS		 958 if (k >= 0) {
959 if (asprintf(&r,
960 "%u-"PID_FMT"-"UID_FMT,
961 nr, ucred.pid, ucred.uid) < 0)
962 return -ENOMEM;
963 } else if (k == -ENODATA) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
967 if (asprintf(&r,
968 "%u-unknown",
969 nr) < 0)
970 return -ENOMEM;
971 } else
eff05270 972 return k;
2f20a8eb 973
2f20a8eb 974 break;
4f2d528d
LP		 975 }
976
359a5bcf
SH		 977 case AF_VSOCK:
978 if (asprintf(&r,
979 "%u-%u:%u-%u:%u",
980 nr,
981 local.vm.svm_cid, local.vm.svm_port,
982 remote.vm.svm_cid, remote.vm.svm_port) < 0)
983 return -ENOMEM;
984
985 break;
986
4f2d528d
LP		 987 default:
988 assert_not_reached("Unhandled socket type.");
989 }
990
991 *instance = r;
992 return 0;
993}
994
034c6ed7 995static void socket_close_fds(Socket *s) {
83c60c9f 996 SocketPort *p;
811ba7a0 997 char **i;
83c60c9f
LP		 998
999 assert(s);
1000
034c6ed7 1001 LIST_FOREACH(port, p, s->ports) {
18e854f8 1002 bool was_open;
718db961 1003
18e854f8 1004 was_open = p->fd >= 0;
83c60c9f 1005
18e854f8 1006 p->event_source = sd_event_source_unref(p->event_source);
03e334a1 1007 p->fd = safe_close(p->fd);
15087cdb 1008 socket_cleanup_fd_list(p);
a16e1123 1009
18e854f8
LP		 1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
bd1fe7c7 1015
18e854f8
LP		 1016 if (!was_open || !s->remove_on_stop)
1017 continue;
1018
1019 switch (p->type) {
bd1fe7c7 1020
18e854f8
LP		 1021 case SOCKET_FIFO:
1022 (void) unlink(p->path);
1023 break;
bd1fe7c7 1024
18e854f8
LP		 1025 case SOCKET_MQUEUE:
1026 (void) mq_unlink(p->path);
1027 break;
bd1fe7c7 1028
18e854f8
LP		 1029 case SOCKET_SOCKET:
1030 (void) socket_address_unlink(&p->address);
1031 break;
bd1fe7c7 1032
18e854f8
LP		 1033 default:
1034 break;
bd1fe7c7 1035 }
83c60c9f 1036 }
811ba7a0
LP		 1037
1038 if (s->remove_on_stop)
1039 STRV_FOREACH(i, s->symlinks)
18e854f8 1040 (void) unlink(*i);
83c60c9f
LP		 1041}
1042
4fd5948e 1043static void socket_apply_socket_options(Socket *s, int fd) {
d53e386d
LP		 1044 int r;
1045
4fd5948e
LP		 1046 assert(s);
1047 assert(fd >= 0);
1048
1049 if (s->keep_alive) {
1050 int b = s->keep_alive;
1051 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
f2341e0a 1052 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
4fd5948e
LP		 1053 }
1054
209e9dcd
SS		 1055 if (s->keep_alive_time) {
1056 int value = s->keep_alive_time / USEC_PER_SEC;
1057 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
f2341e0a 1058 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
209e9dcd
SS		 1059 }
1060
1061 if (s->keep_alive_interval) {
920b52e4 1062 int value = s->keep_alive_interval / USEC_PER_SEC;
209e9dcd 1063 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
f2341e0a 1064 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
209e9dcd
SS		 1065 }
1066
1067 if (s->keep_alive_cnt) {
1068 int value = s->keep_alive_cnt;
172cfe87 1069 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
f2341e0a 1070 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
209e9dcd
SS		 1071 }
1072
cc567c9b
SS		 1073 if (s->defer_accept) {
1074 int value = s->defer_accept / USEC_PER_SEC;
1075 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
f2341e0a 1076 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
cc567c9b
SS		 1077 }
1078
4427c3f4
SS		 1079 if (s->no_delay) {
1080 int b = s->no_delay;
62bc4efc
SS		 1081
1082 if (s->socket_protocol == IPPROTO_SCTP) {
1083 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1084 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1085 } else {
1086 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1088 }
4427c3f4
SS		 1089 }
1090
ec6370a2
LP		 1091 if (s->broadcast) {
1092 int one = 1;
1093 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
f2341e0a 1094 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
ec6370a2
LP		 1095 }
1096
d68af586
MS		 1097 if (s->pass_cred) {
1098 int one = 1;
1099 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
f2341e0a 1100 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
d68af586
MS		 1101 }
1102
54ecda32
LP		 1103 if (s->pass_sec) {
1104 int one = 1;
1105 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
f2341e0a 1106 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
54ecda32
LP		 1107 }
1108
4fd5948e
LP		 1109 if (s->priority >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
f2341e0a 1111 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
4fd5948e
LP		 1112
1113 if (s->receive_buffer > 0) {
1114 int value = (int) s->receive_buffer;
7d9eaa84
LP		 1115
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1117
b8cef44e 1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1119 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
f2341e0a 1120 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
4fd5948e
LP		 1121 }
1122
1123 if (s->send_buffer > 0) {
1124 int value = (int) s->send_buffer;
b8cef44e 1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
f2341e0a 1127 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
4fd5948e
LP		 1128 }
1129
1130 if (s->mark >= 0)
1131 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
f2341e0a 1132 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
4fd5948e
LP		 1133
1134 if (s->ip_tos >= 0)
1135 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
f2341e0a 1136 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
4fd5948e 1137
46925ac5 1138 if (s->ip_ttl >= 0) {
d53e386d 1139 int x;
46925ac5
LP		 1140
1141 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
5bfcc1c6
FF		 1142
1143 if (socket_ipv6_is_supported())
1144 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1145 else {
1146 x = -1;
1147 errno = EAFNOSUPPORT;
1148 }
46925ac5
LP		 1149
1150 if (r < 0 && x < 0)
f2341e0a 1151 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
46925ac5 1152 }
cebf8b20
TT		 1153
1154 if (s->tcp_congestion)
1155 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
f2341e0a 1156 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
0eb59ccf 1157
d53e386d 1158 if (s->smack_ip_in) {
5ab58c20 1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
d53e386d 1160 if (r < 0)
f2341e0a 1161 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
d53e386d 1162 }
9a4e038c 1163
d53e386d 1164 if (s->smack_ip_out) {
5ab58c20 1165 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
d53e386d 1166 if (r < 0)
f2341e0a 1167 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
d53e386d 1168 }
4fd5948e
LP		 1169}
1170
b15bdda8 1171static void socket_apply_fifo_options(Socket *s, int fd) {
d53e386d
LP		 1172 int r;
1173
4fd5948e
LP		 1174 assert(s);
1175 assert(fd >= 0);
1176
1177 if (s->pipe_size > 0)
1178 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
ed460b07 1179 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
0eb59ccf 1180
d53e386d 1181 if (s->smack) {
5ab58c20 1182 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
d53e386d 1183 if (r < 0)
ed460b07 1184 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
d53e386d 1185 }
4fd5948e
LP		 1186}
1187
b15bdda8
LP		 1188static int fifo_address_create(
1189 const char *path,
1190 mode_t directory_mode,
e8da24a6 1191 mode_t socket_mode) {
b15bdda8 1192
e8da24a6 1193 _cleanup_close_ int fd = -1;
b15bdda8 1194 mode_t old_mask;
e8da24a6
LP		 1195 struct stat st;
1196 int r;
b15bdda8
LP		 1197
1198 assert(path);
b15bdda8 1199
1af87ab7 1200 (void) mkdir_parents_label(path, directory_mode);
b15bdda8 1201
ecabcf8b 1202 r = mac_selinux_create_file_prepare(path, S_IFIFO);
e9a5ef7c 1203 if (r < 0)
e8da24a6 1204 return r;
b15bdda8
LP		 1205
1206 /* Enforce the right access mode for the fifo */
1207 old_mask = umask(~ socket_mode);
1208
1209 /* Include the original umask in our mask */
e8da24a6 1210 (void) umask(~socket_mode | old_mask);
b15bdda8
LP		 1211
1212 r = mkfifo(path, socket_mode);
e8da24a6 1213 (void) umask(old_mask);
b15bdda8 1214
94bc2731 1215 if (r < 0 && errno != EEXIST) {
b15bdda8
LP		 1216 r = -errno;
1217 goto fail;
1218 }
1219
e8da24a6 1220 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
3cc2aff1 1221 if (fd < 0) {
b15bdda8
LP		 1222 r = -errno;
1223 goto fail;
1224 }
1225
ecabcf8b 1226 mac_selinux_create_file_clear();
7a58bfa4 1227
b15bdda8
LP		 1228 if (fstat(fd, &st) < 0) {
1229 r = -errno;
1230 goto fail;
1231 }
1232
1233 if (!S_ISFIFO(st.st_mode) ||
de0200fc 1234 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
e4f44e73
DR		 1235 st.st_uid != getuid() ||
1236 st.st_gid != getgid()) {
b15bdda8
LP		 1237 r = -EEXIST;
1238 goto fail;
1239 }
1240
e8da24a6
LP		 1241 r = fd;
1242 fd = -1;
1243
1244 return r;
b15bdda8
LP		 1245
1246fail:
ecabcf8b 1247 mac_selinux_create_file_clear();
b15bdda8
LP		 1248 return r;
1249}
1250
55301ec0 1251static int special_address_create(const char *path, bool writable) {
e8da24a6 1252 _cleanup_close_ int fd = -1;
b0a3f2bc 1253 struct stat st;
e8da24a6 1254 int r;
b0a3f2bc
LP		 1255
1256 assert(path);
b0a3f2bc 1257
55301ec0 1258 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
e8da24a6
LP		 1259 if (fd < 0)
1260 return -errno;
b0a3f2bc 1261
e8da24a6
LP		 1262 if (fstat(fd, &st) < 0)
1263 return -errno;
b0a3f2bc
LP		 1264
1265 /* Check whether this is a /proc, /sys or /dev file or char device */
e8da24a6
LP		 1266 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1267 return -EEXIST;
b0a3f2bc 1268
e8da24a6
LP		 1269 r = fd;
1270 fd = -1;
b0a3f2bc
LP		 1271
1272 return r;
1273}
1274
36078102 1275static int usbffs_address_create(const char *path) {
60252446
PS		 1276 _cleanup_close_ int fd = -1;
1277 struct stat st;
e8da24a6 1278 int r;
60252446
PS		 1279
1280 assert(path);
60252446
PS		 1281
1282 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1283 if (fd < 0)
1284 return -errno;
1285
1286 if (fstat(fd, &st) < 0)
1287 return -errno;
1288
13e785f7 1289 /* Check whether this is a regular file (ffs endpoint) */
60252446
PS		 1290 if (!S_ISREG(st.st_mode))
1291 return -EEXIST;
1292
e8da24a6 1293 r = fd;
60252446
PS		 1294 fd = -1;
1295
e8da24a6 1296 return r;
60252446
PS		 1297}
1298
916abb21
LP		 1299static int mq_address_create(
1300 const char *path,
1301 mode_t mq_mode,
1302 long maxmsg,
e8da24a6 1303 long msgsize) {
916abb21 1304
e8da24a6 1305 _cleanup_close_ int fd = -1;
916abb21
LP		 1306 struct stat st;
1307 mode_t old_mask;
1308 struct mq_attr _attr, *attr = NULL;
e8da24a6 1309 int r;
916abb21
LP		 1310
1311 assert(path);
916abb21
LP		 1312
1313 if (maxmsg > 0 && msgsize > 0) {
e8da24a6
LP		 1314 _attr = (struct mq_attr) {
1315 .mq_flags = O_NONBLOCK,
1316 .mq_maxmsg = maxmsg,
1317 .mq_msgsize = msgsize,
1318 };
916abb21
LP		 1319 attr = &_attr;
1320 }
1321
1322 /* Enforce the right access mode for the mq */
1323 old_mask = umask(~ mq_mode);
1324
1325 /* Include the original umask in our mask */
e8da24a6 1326 (void) umask(~mq_mode | old_mask);
916abb21 1327 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
e8da24a6 1328 (void) umask(old_mask);
916abb21 1329
e8da24a6
LP		 1330 if (fd < 0)
1331 return -errno;
916abb21 1332
e8da24a6
LP		 1333 if (fstat(fd, &st) < 0)
1334 return -errno;
916abb21
LP		 1335
1336 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1337 st.st_uid != getuid() ||
e8da24a6
LP		 1338 st.st_gid != getgid())
1339 return -EEXIST;
916abb21 1340
e8da24a6
LP		 1341 r = fd;
1342 fd = -1;
916abb21 1343
916abb21
LP		 1344 return r;
1345}
1346
811ba7a0
LP		 1347static int socket_symlink(Socket *s) {
1348 const char *p;
1349 char **i;
95f7fbbf 1350 int r;
811ba7a0
LP		 1351
1352 assert(s);
1353
1354 p = socket_find_symlink_target(s);
1355 if (!p)
1356 return 0;
1357
95f7fbbf 1358 STRV_FOREACH(i, s->symlinks) {
1af87ab7
LP		 1359 (void) mkdir_parents_label(*i, s->directory_mode);
1360
95f7fbbf 1361 r = symlink_idempotent(p, *i);
22b20752
LP		 1362
1363 if (r == -EEXIST && s->remove_on_stop) {
1364 /* If there's already something where we want to create the symlink, and the destructive
1365 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1366 * again. */
1367
1368 if (unlink(*i) >= 0)
1369 r = symlink_idempotent(p, *i);
1370 }
1371
95f7fbbf
LP		 1372 if (r < 0)
1373 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1374 }
811ba7a0
LP		 1375
1376 return 0;
1377}
1378
36078102 1379static int usbffs_write_descs(int fd, Service *s) {
6b7e5923
PS		 1380 int r;
1381
1382 if (!s->usb_function_descriptors || !s->usb_function_strings)
1383 return -EINVAL;
1384
1c876927 1385 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
6b7e5923 1386 if (r < 0)
e8da24a6 1387 return r;
6b7e5923 1388
1c876927 1389 return copy_file_fd(s->usb_function_strings, fd, 0);
6b7e5923
PS		 1390}
1391
36078102 1392static int usbffs_select_ep(const struct dirent *d) {
60252446
PS		 1393 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1394}
1395
36078102 1396static int usbffs_dispatch_eps(SocketPort *p) {
60252446 1397 _cleanup_free_ struct dirent **ent = NULL;
36078102 1398 int r, i, n, k;
60252446 1399
00bb64ec 1400 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
60252446
PS		 1401 if (r < 0)
1402 return -errno;
1403
1404 n = r;
1405 p->auxiliary_fds = new(int, n);
1406 if (!p->auxiliary_fds)
1407 return -ENOMEM;
1408
1409 p->n_auxiliary_fds = n;
1410
1411 k = 0;
1412 for (i = 0; i < n; ++i) {
1413 _cleanup_free_ char *ep = NULL;
1414
00bb64ec 1415 ep = path_make_absolute(ent[i]->d_name, p->path);
60252446
PS		 1416 if (!ep)
1417 return -ENOMEM;
1418
1419 path_kill_slashes(ep);
1420
36078102 1421 r = usbffs_address_create(ep);
60252446
PS		 1422 if (r < 0)
1423 goto fail;
1424
e8da24a6
LP		 1425 p->auxiliary_fds[k] = r;
1426
60252446
PS		 1427 ++k;
1428 free(ent[i]);
1429 }
1430
1431 return r;
1432
1433fail:
e8da24a6 1434 close_many(p->auxiliary_fds, k);
60252446
PS		 1435 p->auxiliary_fds = mfree(p->auxiliary_fds);
1436 p->n_auxiliary_fds = 0;
1437
1438 return r;
1439}
1440
d24e561d
LP		 1441static int socket_determine_selinux_label(Socket *s, char **ret) {
1442 ExecCommand *c;
1443 int r;
1444
1445 assert(s);
1446 assert(ret);
1447
1448 if (s->selinux_context_from_net) {
1449 /* If this is requested, get label from the network label */
1450
1451 r = mac_selinux_get_our_label(ret);
1452 if (r == -EOPNOTSUPP)
1453 goto no_label;
1454
1455 } else {
1456 /* Otherwise, get it from the executable we are about to start */
1457 r = socket_instantiate_service(s);
1458 if (r < 0)
1459 return r;
1460
1461 if (!UNIT_ISSET(s->service))
1462 goto no_label;
1463
1464 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1465 if (!c)
1466 goto no_label;
1467
1468 r = mac_selinux_get_create_label_from_exe(c->path, ret);
4c701096 1469 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
d24e561d
LP		 1470 goto no_label;
1471 }
1472
1473 return r;
1474
1475no_label:
1476 *ret = NULL;
1477 return 0;
1478}
1479
a79279c7
LP		 1480static int socket_address_listen_do(
1481 Socket *s,
1482 const SocketAddress *address,
1483 const char *label) {
1484
1485 assert(s);
1486 assert(address);
1487
1488 return socket_address_listen(
1489 address,
1490 SOCK_CLOEXEC|SOCK_NONBLOCK,
1491 s->backlog,
1492 s->bind_ipv6_only,
1493 s->bind_to_device,
1494 s->reuse_port,
1495 s->free_bind,
1496 s->transparent,
1497 s->directory_mode,
1498 s->socket_mode,
1499 label);
1500}
1501
1502static int socket_address_listen_in_cgroup(
1503 Socket *s,
1504 const SocketAddress *address,
1505 const char *label) {
1506
1507 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1508 int fd, r;
1509 pid_t pid;
1510
1511 assert(s);
1512 assert(address);
1513
1514 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1515 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1516 * unit's cgroup for the purpose of BPF filtering and such. */
1517
1518 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1519 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1520
1521 r = bpf_firewall_supported();
1522 if (r < 0)
1523 return r;
2ae7ee58 1524 if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
a79279c7
LP		 1525 goto shortcut;
1526
1527 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1528 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1529
4c253ed1 1530 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
a79279c7
LP		 1531 if (r < 0)
1532 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1533 if (r == 0) {
1534 /* Child */
1535
1536 pair[0] = safe_close(pair[0]);
1537
1538 fd = socket_address_listen_do(s, address, label);
1539 if (fd < 0) {
1540 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1541 _exit(EXIT_FAILURE);
1542 }
1543
1544 r = send_one_fd(pair[1], fd, 0);
1545 if (r < 0) {
1546 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1547 _exit(EXIT_FAILURE);
1548 }
1549
1550 _exit(EXIT_SUCCESS);
1551 }
1552
1553 pair[1] = safe_close(pair[1]);
1554 fd = receive_one_fd(pair[0], 0);
1555
1556 /* We synchronously wait for the helper, as it shouldn't be slow */
d2e0ac3d 1557 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
a79279c7
LP		 1558 if (r < 0) {
1559 safe_close(fd);
1560 return r;
1561 }
1562
1563 if (fd < 0)
1564 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1565
1566 return fd;
1567
1568shortcut:
1569 fd = socket_address_listen_do(s, address, label);
1570 if (fd < 0)
1571 return log_error_errno(fd, "Failed to create listening socket: %m");
1572
1573 return fd;
1574}
1575
034c6ed7 1576static int socket_open_fds(Socket *s) {
710a6b50
LP		 1577 _cleanup_(mac_selinux_freep) char *label = NULL;
1578 bool know_label = false;
83c60c9f
LP		 1579 SocketPort *p;
1580 int r;
1581
1582 assert(s);
1583
034c6ed7 1584 LIST_FOREACH(port, p, s->ports) {
83c60c9f 1585
034c6ed7
LP		 1586 if (p->fd >= 0)
1587 continue;
83c60c9f 1588
00411a13
LP		 1589 switch (p->type) {
1590
1591 case SOCKET_SOCKET:
049f8642 1592
7f416dae 1593 if (!know_label) {
d24e561d
LP		 1594 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1595 * we need this and remember it for the rest. */
7f416dae 1596
d24e561d
LP		 1597 r = socket_determine_selinux_label(s, &label);
1598 if (r < 0)
1599 goto rollback;
049f8642
LP		 1600
1601 know_label = true;
1602 }
1603
74bb646e 1604 /* Apply the socket protocol */
d24e561d 1605 switch (p->address.type) {
d2a50e3b 1606
74bb646e
SS		 1607 case SOCK_STREAM:
1608 case SOCK_SEQPACKET:
d24e561d
LP		 1609 if (s->socket_protocol == IPPROTO_SCTP)
1610 p->address.protocol = s->socket_protocol;
74bb646e 1611 break;
d2a50e3b 1612
74bb646e 1613 case SOCK_DGRAM:
d24e561d
LP		 1614 if (s->socket_protocol == IPPROTO_UDPLITE)
1615 p->address.protocol = s->socket_protocol;
74bb646e
SS		 1616 break;
1617 }
1618
a79279c7 1619 r = socket_address_listen_in_cgroup(s, &p->address, label);
175a3d25 1620 if (r < 0)
83c60c9f
LP		 1621 goto rollback;
1622
175a3d25 1623 p->fd = r;
4fd5948e 1624 socket_apply_socket_options(s, p->fd);
811ba7a0 1625 socket_symlink(s);
00411a13 1626 break;
4fd5948e 1627
00411a13 1628 case SOCKET_SPECIAL:
b0a3f2bc 1629
55301ec0 1630 p->fd = special_address_create(p->path, s->writable);
e8da24a6
LP		 1631 if (p->fd < 0) {
1632 r = p->fd;
b0a3f2bc 1633 goto rollback;
e8da24a6 1634 }
00411a13 1635 break;
b0a3f2bc 1636
00411a13 1637 case SOCKET_FIFO:
83c60c9f 1638
e8da24a6 1639 p->fd = fifo_address_create(
175a3d25
LP		 1640 p->path,
1641 s->directory_mode,
e8da24a6
LP		 1642 s->socket_mode);
1643 if (p->fd < 0) {
1644 r = p->fd;
83c60c9f 1645 goto rollback;
e8da24a6 1646 }
83c60c9f 1647
b15bdda8 1648 socket_apply_fifo_options(s, p->fd);
811ba7a0 1649 socket_symlink(s);
00411a13 1650 break;
811ba7a0 1651
00411a13 1652 case SOCKET_MQUEUE:
83c60c9f 1653
e8da24a6 1654 p->fd = mq_address_create(
175a3d25
LP		 1655 p->path,
1656 s->socket_mode,
1657 s->mq_maxmsg,
e8da24a6
LP		 1658 s->mq_msgsize);
1659 if (p->fd < 0) {
1660 r = p->fd;
916abb21 1661 goto rollback;
e8da24a6 1662 }
00411a13 1663 break;
e8da24a6 1664
d2a50e3b 1665 case SOCKET_USB_FUNCTION: {
27a6ea91 1666 _cleanup_free_ char *ep = NULL;
60252446 1667
27a6ea91
GB		 1668 ep = path_make_absolute("ep0", p->path);
1669
1670 p->fd = usbffs_address_create(ep);
e8da24a6
LP		 1671 if (p->fd < 0) {
1672 r = p->fd;
60252446 1673 goto rollback;
e8da24a6 1674 }
60252446 1675
36078102 1676 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
6b7e5923
PS		 1677 if (r < 0)
1678 goto rollback;
1679
36078102 1680 r = usbffs_dispatch_eps(p);
60252446
PS		 1681 if (r < 0)
1682 goto rollback;
00411a13
LP		 1683
1684 break;
27a6ea91 1685 }
00411a13 1686 default:
b15bdda8 1687 assert_not_reached("Unknown port type");
00411a13 1688 }
034c6ed7
LP		 1689 }
1690
1691 return 0;
1692
1693rollback:
1694 socket_close_fds(s);
1695 return r;
1696}
1697
1698static void socket_unwatch_fds(Socket *s) {
1699 SocketPort *p;
718db961 1700 int r;
9152c765 1701
034c6ed7
LP		 1702 assert(s);
1703
1704 LIST_FOREACH(port, p, s->ports) {
1705 if (p->fd < 0)
1706 continue;
1707
a4152e3f
LP		 1708 if (!p->event_source)
1709 continue;
1710
1711 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1712 if (r < 0)
f2341e0a 1713 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
83c60c9f 1714 }
034c6ed7
LP		 1715}
1716
1717static int socket_watch_fds(Socket *s) {
1718 SocketPort *p;
1719 int r;
1720
1721 assert(s);
83c60c9f 1722
034c6ed7
LP		 1723 LIST_FOREACH(port, p, s->ports) {
1724 if (p->fd < 0)
1725 continue;
1726
cbf60d0a 1727 if (p->event_source) {
718db961 1728 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
cbf60d0a
LP		 1729 if (r < 0)
1730 goto fail;
1731 } else {
151b9b96 1732 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
cbf60d0a
LP		 1733 if (r < 0)
1734 goto fail;
4f2d528d 1735
cbf60d0a 1736 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
718db961 1737 }
034c6ed7 1738 }
83c60c9f 1739
542563ba 1740 return 0;
83c60c9f 1741
034c6ed7 1742fail:
cbf60d0a 1743 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
034c6ed7
LP		 1744 socket_unwatch_fds(s);
1745 return r;
1746}
1747
01a8b467
LP		 1748enum {
1749 SOCKET_OPEN_NONE,
1750 SOCKET_OPEN_SOME,
1751 SOCKET_OPEN_ALL,
1752};
1753
1754static int socket_check_open(Socket *s) {
1755 bool have_open = false, have_closed = false;
1756 SocketPort *p;
1757
1758 assert(s);
1759
1760 LIST_FOREACH(port, p, s->ports) {
1761 if (p->fd < 0)
1762 have_closed = true;
1763 else
1764 have_open = true;
1765
1766 if (have_open && have_closed)
1767 return SOCKET_OPEN_SOME;
1768 }
1769
1770 if (have_open)
1771 return SOCKET_OPEN_ALL;
1772
1773 return SOCKET_OPEN_NONE;
1774}
1775
034c6ed7
LP		 1776static void socket_set_state(Socket *s, SocketState state) {
1777 SocketState old_state;
1778 assert(s);
1779
1780 old_state = s->state;
1781 s->state = state;
1782
bd1fe7c7
LP		 1783 if (!IN_SET(state,
1784 SOCKET_START_PRE,
3900e5fd 1785 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1786 SOCKET_START_POST,
1787 SOCKET_STOP_PRE,
1788 SOCKET_STOP_PRE_SIGTERM,
1789 SOCKET_STOP_PRE_SIGKILL,
1790 SOCKET_STOP_POST,
1791 SOCKET_FINAL_SIGTERM,
1792 SOCKET_FINAL_SIGKILL)) {
718db961
LP		 1793
1794 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
5e94833f 1795 socket_unwatch_control_pid(s);
034c6ed7 1796 s->control_command = NULL;
a16e1123 1797 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
e537352b 1798 }
034c6ed7 1799
a16e1123
LP		 1800 if (state != SOCKET_LISTENING)
1801 socket_unwatch_fds(s);
1802
bd1fe7c7 1803 if (!IN_SET(state,
3900e5fd 1804 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1805 SOCKET_START_POST,
1806 SOCKET_LISTENING,
1807 SOCKET_RUNNING,
1808 SOCKET_STOP_PRE,
1809 SOCKET_STOP_PRE_SIGTERM,
1810 SOCKET_STOP_PRE_SIGKILL))
034c6ed7
LP		 1811 socket_close_fds(s);
1812
e537352b 1813 if (state != old_state)
f2341e0a 1814 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
acbb0225 1815
e2f3b44c 1816 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
034c6ed7
LP		 1817}
1818
be847e82 1819static int socket_coldplug(Unit *u) {
a16e1123
LP		 1820 Socket *s = SOCKET(u);
1821 int r;
1822
1823 assert(s);
1824 assert(s->state == SOCKET_DEAD);
1825
e821075a
LP		 1826 if (s->deserialized_state == s->state)
1827 return 0;
a16e1123 1828
c386f588
LP		 1829 if (s->control_pid > 0 &&
1830 pid_is_unwaited(s->control_pid) &&
1831 IN_SET(s->deserialized_state,
3900e5fd
LP		 1832 SOCKET_START_PRE,
1833 SOCKET_START_CHOWN,
1834 SOCKET_START_POST,
1835 SOCKET_STOP_PRE,
1836 SOCKET_STOP_PRE_SIGTERM,
1837 SOCKET_STOP_PRE_SIGKILL,
1838 SOCKET_STOP_POST,
1839 SOCKET_FINAL_SIGTERM,
1840 SOCKET_FINAL_SIGKILL)) {
a16e1123 1841
e821075a
LP		 1842 r = unit_watch_pid(UNIT(s), s->control_pid);
1843 if (r < 0)
1844 return r;
a16e1123 1845
36c16a7c 1846 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
e821075a
LP		 1847 if (r < 0)
1848 return r;
1849 }
a16e1123 1850
3900e5fd
LP		 1851 if (IN_SET(s->deserialized_state,
1852 SOCKET_START_CHOWN,
1853 SOCKET_START_POST,
1854 SOCKET_LISTENING,
01a8b467
LP		 1855 SOCKET_RUNNING)) {
1856
1857 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1858 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1859 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1860 * and if there's a mismatch, warn loudly. */
1861
1862 r = socket_check_open(s);
1863 if (r == SOCKET_OPEN_NONE)
1864 log_unit_warning(UNIT(s),
1865 "Socket unit configuration has changed while unit has been running, "
1866 "no open socket file descriptor left. "
1867 "The socket unit is not functional until restarted.");
1868 else if (r == SOCKET_OPEN_SOME)
1869 log_unit_warning(UNIT(s),
1870 "Socket unit configuration has changed while unit has been running, "
1871 "and some socket file descriptors have not been opened yet. "
1872 "The socket unit is not fully functional until restarted.");
e821075a 1873 }
a16e1123 1874
e821075a
LP		 1875 if (s->deserialized_state == SOCKET_LISTENING) {
1876 r = socket_watch_fds(s);
1877 if (r < 0)
1878 return r;
a16e1123
LP		 1879 }
1880
e8a565cb 1881 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
29206d46 1882 (void) unit_setup_dynamic_creds(u);
e8a565cb
YW		 1883 (void) unit_setup_exec_runtime(u);
1884 }
29206d46 1885
e821075a 1886 socket_set_state(s, s->deserialized_state);
a16e1123
LP		 1887 return 0;
1888}
1889
e537352b 1890static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
3c7416b6 1891
9fa95f85 1892 ExecParameters exec_params = {
1703fa41 1893 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
c39f1ce2
LP		 1894 .stdin_fd = -1,
1895 .stdout_fd = -1,
1896 .stderr_fd = -1,
9fa95f85 1897 };
3c7416b6
LP		 1898 pid_t pid;
1899 int r;
034c6ed7
LP		 1900
1901 assert(s);
1902 assert(c);
1903 assert(_pid);
1904
3c7416b6 1905 r = unit_prepare_exec(UNIT(s));
29206d46
LP		 1906 if (r < 0)
1907 return r;
1908
36c16a7c 1909 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 1910 if (r < 0)
36c16a7c 1911 return r;
034c6ed7 1912
f0d47797 1913 unit_set_exec_params(UNIT(s), &exec_params);
3536f49e 1914
5125e762 1915 exec_params.argv = c->argv;
9fa95f85 1916
f2341e0a
LP		 1917 r = exec_spawn(UNIT(s),
1918 c,
9e2f7c11 1919 &s->exec_context,
9fa95f85 1920 &exec_params,
613b411c 1921 s->exec_runtime,
29206d46 1922 &s->dynamic_creds,
9e2f7c11 1923 &pid);
cee288ad 1924 if (r < 0)
36c16a7c 1925 return r;
9e2f7c11 1926
3900e5fd 1927 r = unit_watch_pid(UNIT(s), pid);
9e2f7c11 1928 if (r < 0)
3900e5fd 1929 /* FIXME: we need to do something here */
36c16a7c 1930 return r;
034c6ed7 1931
3900e5fd 1932 *_pid = pid;
3536f49e 1933
3900e5fd 1934 return 0;
3900e5fd
LP		 1935}
1936
1937static int socket_chown(Socket *s, pid_t *_pid) {
1938 pid_t pid;
1939 int r;
1940
36c16a7c 1941 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
3900e5fd
LP		 1942 if (r < 0)
1943 goto fail;
1944
1945 /* We have to resolve the user names out-of-process, hence
1946 * let's fork here. It's messy, but well, what can we do? */
1947
4c253ed1 1948 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
a79279c7
LP		 1949 if (r < 0)
1950 return r;
1951 if (r == 0) {
fed1e721
LP		 1952 uid_t uid = UID_INVALID;
1953 gid_t gid = GID_INVALID;
a79279c7 1954 SocketPort *p;
3900e5fd 1955
a79279c7 1956 /* Child */
3900e5fd
LP		 1957
1958 if (!isempty(s->user)) {
1959 const char *user = s->user;
1960
1961 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1962 if (r < 0) {
a79279c7
LP		 1963 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1964 _exit(EXIT_USER);
3900e5fd
LP		 1965 }
1966 }
1967
1968 if (!isempty(s->group)) {
1969 const char *group = s->group;
1970
1971 r = get_group_creds(&group, &gid);
1972 if (r < 0) {
a79279c7
LP		 1973 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1974 _exit(EXIT_GROUP);
3900e5fd
LP		 1975 }
1976 }
1977
1978 LIST_FOREACH(port, p, s->ports) {
e5a1c18d 1979 const char *path = NULL;
3900e5fd
LP		 1980
1981 if (p->type == SOCKET_SOCKET)
1982 path = socket_address_get_path(&p->address);
1983 else if (p->type == SOCKET_FIFO)
1984 path = p->path;
1985
1986 if (!path)
1987 continue;
1988
1989 if (chown(path, uid, gid) < 0) {
a79279c7
LP		 1990 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1991 _exit(EXIT_CHOWN);
3900e5fd
LP		 1992 }
1993 }
1994
a79279c7 1995 _exit(EXIT_SUCCESS);
3900e5fd
LP		 1996 }
1997
718db961
LP		 1998 r = unit_watch_pid(UNIT(s), pid);
1999 if (r < 0)
034c6ed7 2000 goto fail;
83c60c9f 2001
034c6ed7 2002 *_pid = pid;
034c6ed7
LP		 2003 return 0;
2004
2005fail:
718db961 2006 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
83c60c9f 2007 return r;
542563ba
LP		 2008}
2009
cfc4eb4c 2010static void socket_enter_dead(Socket *s, SocketResult f) {
034c6ed7
LP		 2011 assert(s);
2012
a0fef983 2013 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2014 s->result = f;
034c6ed7 2015
ed77d407
LP		 2016 if (s->result != SOCKET_SUCCESS)
2017 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2018
29206d46
LP		 2019 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2020
e8a565cb 2021 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
613b411c 2022
3536f49e 2023 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
e66cf1a3 2024
00d9ef85
LP		 2025 unit_unref_uid_gid(UNIT(s), true);
2026
29206d46 2027 dynamic_creds_destroy(&s->dynamic_creds);
034c6ed7
LP		 2028}
2029
cfc4eb4c 2030static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
80876c20 2031
cfc4eb4c 2032static void socket_enter_stop_post(Socket *s, SocketResult f) {
034c6ed7
LP		 2033 int r;
2034 assert(s);
2035
a0fef983 2036 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2037 s->result = f;
034c6ed7 2038
5e94833f 2039 socket_unwatch_control_pid(s);
a16e1123 2040 s->control_command_id = SOCKET_EXEC_STOP_POST;
3900e5fd 2041 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
a16e1123 2042
3900e5fd
LP		 2043 if (s->control_command) {
2044 r = socket_spawn(s, s->control_command, &s->control_pid);
2045 if (r < 0)
034c6ed7
LP		 2046 goto fail;
2047
80876c20
LP		 2048 socket_set_state(s, SOCKET_STOP_POST);
2049 } else
cfc4eb4c 2050 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
034c6ed7
LP		 2051
2052 return;
2053
2054fail:
f2341e0a 2055 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
cfc4eb4c 2056 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2057}
2058
cfc4eb4c 2059static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
034c6ed7
LP		 2060 int r;
2061
2062 assert(s);
2063
a0fef983 2064 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2065 s->result = f;
034c6ed7 2066
cd2086fe
LP		 2067 r = unit_kill_context(
2068 UNIT(s),
2069 &s->kill_context,
ec2ce0c5 2070 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
db2cb23b 2071 KILL_KILL : KILL_TERMINATE,
cd2086fe
LP		 2072 -1,
2073 s->control_pid,
2074 false);
2075 if (r < 0)
2076 goto fail;
034c6ed7 2077
cd2086fe 2078 if (r > 0) {
36c16a7c 2079 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 2080 if (r < 0)
80876c20 2081 goto fail;
d6ea93e3 2082
80876c20 2083 socket_set_state(s, state);
ac84d1fb
LP		 2084 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2085 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2086 else if (state == SOCKET_STOP_PRE_SIGKILL)
cfc4eb4c 2087 socket_enter_stop_post(s, SOCKET_SUCCESS);
ac84d1fb
LP		 2088 else if (state == SOCKET_FINAL_SIGTERM)
2089 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
80876c20 2090 else
cfc4eb4c 2091 socket_enter_dead(s, SOCKET_SUCCESS);
034c6ed7
LP		 2092
2093 return;
2094
2095fail:
f2341e0a 2096 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
034c6ed7 2097
3742095b 2098 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
cfc4eb4c 2099 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2100 else
cfc4eb4c 2101 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2102}
2103
cfc4eb4c 2104static void socket_enter_stop_pre(Socket *s, SocketResult f) {
034c6ed7
LP		 2105 int r;
2106 assert(s);
2107
a0fef983 2108 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2109 s->result = f;
034c6ed7 2110
5e94833f 2111 socket_unwatch_control_pid(s);
a16e1123 2112 s->control_command_id = SOCKET_EXEC_STOP_PRE;
3900e5fd 2113 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
a16e1123 2114
3900e5fd
LP		 2115 if (s->control_command) {
2116 r = socket_spawn(s, s->control_command, &s->control_pid);
2117 if (r < 0)
034c6ed7
LP		 2118 goto fail;
2119
80876c20
LP		 2120 socket_set_state(s, SOCKET_STOP_PRE);
2121 } else
cfc4eb4c 2122 socket_enter_stop_post(s, SOCKET_SUCCESS);
034c6ed7
LP		 2123
2124 return;
2125
2126fail:
f2341e0a 2127 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
cfc4eb4c 2128 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2129}
2130
e9af15c3
LP		 2131static void socket_enter_listening(Socket *s) {
2132 int r;
2133 assert(s);
2134
cfc4eb4c
LP		 2135 r = socket_watch_fds(s);
2136 if (r < 0) {
f2341e0a 2137 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
e9af15c3
LP		 2138 goto fail;
2139 }
2140
2141 socket_set_state(s, SOCKET_LISTENING);
2142 return;
2143
2144fail:
cfc4eb4c 2145 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
e9af15c3
LP		 2146}
2147
034c6ed7
LP		 2148static void socket_enter_start_post(Socket *s) {
2149 int r;
2150 assert(s);
2151
3900e5fd
LP		 2152 socket_unwatch_control_pid(s);
2153 s->control_command_id = SOCKET_EXEC_START_POST;
2154 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2155
2156 if (s->control_command) {
2157 r = socket_spawn(s, s->control_command, &s->control_pid);
2158 if (r < 0) {
f2341e0a 2159 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
3900e5fd
LP		 2160 goto fail;
2161 }
2162
2163 socket_set_state(s, SOCKET_START_POST);
2164 } else
2165 socket_enter_listening(s);
2166
2167 return;
2168
2169fail:
2170 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2171}
2172
2173static void socket_enter_start_chown(Socket *s) {
2174 int r;
2175
2176 assert(s);
2177
cfc4eb4c
LP		 2178 r = socket_open_fds(s);
2179 if (r < 0) {
f2341e0a 2180 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
034c6ed7
LP		 2181 goto fail;
2182 }
2183
3900e5fd 2184 if (!isempty(s->user) || !isempty(s->group)) {
5e94833f 2185
3900e5fd
LP		 2186 socket_unwatch_control_pid(s);
2187 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2188 s->control_command = NULL;
a16e1123 2189
3900e5fd 2190 r = socket_chown(s, &s->control_pid);
cfc4eb4c 2191 if (r < 0) {
f2341e0a 2192 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
034c6ed7
LP		 2193 goto fail;
2194 }
2195
3900e5fd 2196 socket_set_state(s, SOCKET_START_CHOWN);
80876c20 2197 } else
3900e5fd 2198 socket_enter_start_post(s);
034c6ed7
LP		 2199
2200 return;
2201
2202fail:
cfc4eb4c 2203 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2204}
2205
2206static void socket_enter_start_pre(Socket *s) {
2207 int r;
2208 assert(s);
2209
5e94833f 2210 socket_unwatch_control_pid(s);
a4634b21
LP		 2211
2212 unit_warn_leftover_processes(UNIT(s));
2213
a16e1123 2214 s->control_command_id = SOCKET_EXEC_START_PRE;
3900e5fd 2215 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
a16e1123 2216
3900e5fd 2217 if (s->control_command) {
e821075a 2218 r = socket_spawn(s, s->control_command, &s->control_pid);
3900e5fd 2219 if (r < 0) {
f2341e0a 2220 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
034c6ed7 2221 goto fail;
3900e5fd 2222 }
034c6ed7 2223
80876c20
LP		 2224 socket_set_state(s, SOCKET_START_PRE);
2225 } else
3900e5fd 2226 socket_enter_start_chown(s);
034c6ed7
LP		 2227
2228 return;
2229
2230fail:
cfc4eb4c 2231 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2232}
2233
60d9771c
LP		 2234static void flush_ports(Socket *s) {
2235 SocketPort *p;
2236
2237 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2238 * anymore */
2239
2240 LIST_FOREACH(port, p, s->ports) {
2241 if (p->fd < 0)
2242 continue;
2243
2244 (void) flush_accept(p->fd);
2245 (void) flush_fd(p->fd);
2246 }
2247}
2248
4f2d528d 2249static void socket_enter_running(Socket *s, int cfd) {
4afd3348 2250 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
034c6ed7
LP		 2251 int r;
2252
8b26cdbd
LP		 2253 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2254 * close it. */
2255
034c6ed7
LP		 2256 assert(s);
2257
60d9771c 2258 /* We don't take connections anymore if we are supposed to shut down anyway */
31afa0a4 2259 if (unit_stop_pending(UNIT(s))) {
e821075a 2260
f2341e0a 2261 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
5d909e3e 2262
7c610628 2263 if (cfd >= 0)
8b26cdbd 2264 cfd = safe_close(cfd);
60d9771c
LP		 2265 else
2266 flush_ports(s);
7c610628 2267
ba3e67a7
LP		 2268 return;
2269 }
2270
8b26cdbd
LP		 2271 if (!ratelimit_test(&s->trigger_limit)) {
2272 safe_close(cfd);
2273 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2274 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2275 return;
2276 }
2277
4f2d528d 2278 if (cfd < 0) {
f976f3f6 2279 bool pending = false;
eef85c4a
LP		 2280 Unit *other;
2281 Iterator i;
2282 void *v;
f976f3f6
LP		 2283
2284 /* If there's already a start pending don't bother to
2285 * do anything */
eef85c4a 2286 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
e821075a 2287 if (unit_active_or_pending(other)) {
57020a3a
LP		 2288 pending = true;
2289 break;
2290 }
f976f3f6 2291
1a710b43 2292 if (!pending) {
640ace4a 2293 if (!UNIT_ISSET(s->service)) {
f2341e0a 2294 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
640ace4a
LP		 2295 r = -ENOENT;
2296 goto fail;
2297 }
2298
4bd29fe5 2299 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
1a710b43 2300 if (r < 0)
f976f3f6 2301 goto fail;
1a710b43 2302 }
4f2d528d
LP		 2303
2304 socket_set_state(s, SOCKET_RUNNING);
2305 } else {
e55001eb 2306 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
9d565427 2307 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
b15bdda8 2308 Service *service;
4f2d528d 2309
6cf6bbc2 2310 if (s->n_connections >= s->max_connections) {
ea8f50f8 2311 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
166cf510 2312 s->n_connections);
03e334a1 2313 safe_close(cfd);
6cf6bbc2
LP		 2314 return;
2315 }
2316
9d565427 2317 if (s->max_connections_per_source > 0) {
166cf510 2318 r = socket_acquire_peer(s, cfd, &p);
9d565427
SS		 2319 if (r < 0) {
2320 safe_close(cfd);
2321 return;
166cf510 2322 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
ea8f50f8
ZJS		 2323 _cleanup_free_ char *t = NULL;
2324
41733ae1 2325 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
ea8f50f8 2326
166cf510 2327 log_unit_warning(UNIT(s),
ea8f50f8
ZJS		 2328 "Too many incoming connections (%u) from source %s, dropping connection.",
2329 p->n_ref, strnull(t));
9d565427 2330 safe_close(cfd);
9d565427
SS		 2331 return;
2332 }
2333 }
2334
1a710b43
MS		 2335 r = socket_instantiate_service(s);
2336 if (r < 0)
b15bdda8
LP		 2337 goto fail;
2338
1a710b43
MS		 2339 r = instance_from_socket(cfd, s->n_accepted, &instance);
2340 if (r < 0) {
2341 if (r != -ENOTCONN)
2342 goto fail;
2343
2344 /* ENOTCONN is legitimate if TCP RST was received.
2345 * This connection is over, but the socket unit lives on. */
8b26cdbd 2346 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
03e334a1 2347 safe_close(cfd);
1a710b43
MS		 2348 return;
2349 }
4f2d528d 2350
7410616c
LP		 2351 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2352 if (r < 0)
4f2d528d 2353 goto fail;
4f2d528d 2354
7410616c
LP		 2355 r = unit_name_build(prefix, instance, ".service", &name);
2356 if (r < 0)
b6dbbe1c 2357 goto fail;
4f2d528d 2358
1a710b43 2359 r = unit_add_name(UNIT_DEREF(s->service), name);
e55001eb 2360 if (r < 0)
4f2d528d 2361 goto fail;
b15bdda8 2362
57020a3a
LP		 2363 service = SERVICE(UNIT_DEREF(s->service));
2364 unit_ref_unset(&s->service);
6c073082 2365
e4f67317 2366 s->n_accepted++;
b15bdda8 2367 unit_choose_id(UNIT(service), name);
b15bdda8 2368
16115b0a 2369 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
1a710b43 2370 if (r < 0)
4f2d528d
LP		 2371 goto fail;
2372
8b26cdbd 2373 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
313cefa1 2374 s->n_connections++;
6cf6bbc2 2375
166cf510
ZJS		 2376 service->peer = p; /* Pass ownership of the peer reference */
2377 p = NULL;
9d565427 2378
4bd29fe5 2379 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
3e7a1f50
LP		 2380 if (r < 0) {
2381 /* We failed to activate the new service, but it still exists. Let's make sure the service
2382 * closes and forgets the connection fd again, immediately. */
2383 service_close_socket_fd(service);
4f2d528d 2384 goto fail;
3e7a1f50 2385 }
c4e2ceae
LP		 2386
2387 /* Notify clients about changed counters */
2388 unit_add_to_dbus_queue(UNIT(s));
4f2d528d 2389 }
034c6ed7 2390
034c6ed7
LP		 2391 return;
2392
2393fail:
f2341e0a
LP		 2394 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2395 cfd >= 0 ? "template" : "non-template",
718db961 2396 bus_error_message(&error, r));
e821075a 2397
60089004 2398 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
03e334a1 2399 safe_close(cfd);
034c6ed7
LP		 2400}
2401
cfc4eb4c 2402static void socket_run_next(Socket *s) {
034c6ed7
LP		 2403 int r;
2404
2405 assert(s);
2406 assert(s->control_command);
2407 assert(s->control_command->command_next);
2408
5e94833f
LP		 2409 socket_unwatch_control_pid(s);
2410
034c6ed7
LP		 2411 s->control_command = s->control_command->command_next;
2412
e821075a
LP		 2413 r = socket_spawn(s, s->control_command, &s->control_pid);
2414 if (r < 0)
034c6ed7
LP		 2415 goto fail;
2416
2417 return;
2418
2419fail:
f2341e0a 2420 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
80876c20
LP		 2421
2422 if (s->state == SOCKET_START_POST)
cfc4eb4c 2423 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2424 else if (s->state == SOCKET_STOP_POST)
cfc4eb4c 2425 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2426 else
cfc4eb4c 2427 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2428}
2429
87f0e418
LP		 2430static int socket_start(Unit *u) {
2431 Socket *s = SOCKET(u);
07299350 2432 int r;
83c60c9f
LP		 2433
2434 assert(s);
2435
034c6ed7
LP		 2436 /* We cannot fulfill this request right now, try again later
2437 * please! */
3900e5fd
LP		 2438 if (IN_SET(s->state,
2439 SOCKET_STOP_PRE,
2440 SOCKET_STOP_PRE_SIGKILL,
2441 SOCKET_STOP_PRE_SIGTERM,
2442 SOCKET_STOP_POST,
2443 SOCKET_FINAL_SIGTERM,
2444 SOCKET_FINAL_SIGKILL))
034c6ed7
LP		 2445 return -EAGAIN;
2446
a4152e3f 2447 /* Already on it! */
3900e5fd
LP		 2448 if (IN_SET(s->state,
2449 SOCKET_START_PRE,
2450 SOCKET_START_CHOWN,
2451 SOCKET_START_POST))
034c6ed7 2452 return 0;
83c60c9f 2453
034c6ed7 2454 /* Cannot run this without the service being around */
9444b1f2 2455 if (UNIT_ISSET(s->service)) {
57020a3a
LP		 2456 Service *service;
2457
2458 service = SERVICE(UNIT_DEREF(s->service));
2459
1124fe6f 2460 if (UNIT(service)->load_state != UNIT_LOADED) {
f2341e0a 2461 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
4f2d528d 2462 return -ENOENT;
4ac9236f 2463 }
4f2d528d 2464
35b8ca3a 2465 /* If the service is already active we cannot start the
4f2d528d 2466 * socket */
ec2ce0c5 2467 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
f2341e0a 2468 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
4f2d528d 2469 return -EBUSY;
4ac9236f 2470 }
4f2d528d 2471 }
e537352b 2472
3742095b 2473 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
83c60c9f 2474
07299350
LP		 2475 r = unit_start_limit_test(u);
2476 if (r < 0) {
2477 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2478 return r;
2479 }
2480
4b58153d
LP		 2481 r = unit_acquire_invocation_id(u);
2482 if (r < 0)
2483 return r;
2484
cfc4eb4c 2485 s->result = SOCKET_SUCCESS;
3c7416b6
LP		 2486
2487 u->reset_accounting = true;
5ad096b3 2488
034c6ed7 2489 socket_enter_start_pre(s);
82a2b6bb 2490 return 1;
034c6ed7 2491}
83c60c9f 2492
87f0e418
LP		 2493static int socket_stop(Unit *u) {
2494 Socket *s = SOCKET(u);
034c6ed7
LP		 2495
2496 assert(s);
2497
e537352b 2498 /* Already on it */
3900e5fd
LP		 2499 if (IN_SET(s->state,
2500 SOCKET_STOP_PRE,
2501 SOCKET_STOP_PRE_SIGTERM,
2502 SOCKET_STOP_PRE_SIGKILL,
2503 SOCKET_STOP_POST,
2504 SOCKET_FINAL_SIGTERM,
2505 SOCKET_FINAL_SIGKILL))
e537352b
LP		 2506 return 0;
2507
3f6c78dc
LP		 2508 /* If there's already something running we go directly into
2509 * kill mode. */
3900e5fd
LP		 2510 if (IN_SET(s->state,
2511 SOCKET_START_PRE,
2512 SOCKET_START_CHOWN,
2513 SOCKET_START_POST)) {
cfc4eb4c 2514 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
3f6c78dc
LP		 2515 return -EAGAIN;
2516 }
2517
3742095b 2518 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
83c60c9f 2519
cfc4eb4c 2520 socket_enter_stop_pre(s, SOCKET_SUCCESS);
82a2b6bb 2521 return 1;
542563ba
LP		 2522}
2523
a16e1123
LP		 2524static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2525 Socket *s = SOCKET(u);
2526 SocketPort *p;
2527 int r;
2528
2529 assert(u);
2530 assert(f);
2531 assert(fds);
2532
2533 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
cfc4eb4c 2534 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
a16e1123
LP		 2535 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2536
2537 if (s->control_pid > 0)
de0671ee 2538 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
a16e1123
LP		 2539
2540 if (s->control_command_id >= 0)
2541 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2542
2543 LIST_FOREACH(port, p, s->ports) {
2544 int copy;
2545
2546 if (p->fd < 0)
2547 continue;
2548
613b411c
LP		 2549 copy = fdset_put_dup(fds, p->fd);
2550 if (copy < 0)
a16e1123
LP		 2551 return copy;
2552
2553 if (p->type == SOCKET_SOCKET) {
613b411c 2554 _cleanup_free_ char *t = NULL;
a16e1123 2555
ee092817
LP		 2556 r = socket_address_print(&p->address, &t);
2557 if (r < 0)
a16e1123
LP		 2558 return r;
2559
7a22745a
LP		 2560 if (socket_address_family(&p->address) == AF_NETLINK)
2561 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2562 else
2563 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
613b411c 2564
b0a3f2bc
LP		 2565 } else if (p->type == SOCKET_SPECIAL)
2566 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
ee092817
LP		 2567 else if (p->type == SOCKET_MQUEUE)
2568 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
60252446
PS		 2569 else if (p->type == SOCKET_USB_FUNCTION)
2570 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
b0a3f2bc 2571 else {
a16e1123
LP		 2572 assert(p->type == SOCKET_FIFO);
2573 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2574 }
2575 }
2576
2577 return 0;
2578}
2579
80a58668
ZJS		 2580static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2581 safe_close(p->fd);
2582 p->fd = fdset_remove(fds, fd);
2583}
2584
a16e1123
LP		 2585static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2586 Socket *s = SOCKET(u);
a16e1123
LP		 2587
2588 assert(u);
2589 assert(key);
2590 assert(value);
a16e1123
LP		 2591
2592 if (streq(key, "state")) {
2593 SocketState state;
2594
ee092817
LP		 2595 state = socket_state_from_string(value);
2596 if (state < 0)
f2341e0a 2597 log_unit_debug(u, "Failed to parse state value: %s", value);
a16e1123
LP		 2598 else
2599 s->deserialized_state = state;
cfc4eb4c
LP		 2600 } else if (streq(key, "result")) {
2601 SocketResult f;
a16e1123 2602
cfc4eb4c
LP		 2603 f = socket_result_from_string(value);
2604 if (f < 0)
f2341e0a 2605 log_unit_debug(u, "Failed to parse result value: %s", value);
cfc4eb4c
LP		 2606 else if (f != SOCKET_SUCCESS)
2607 s->result = f;
a16e1123
LP		 2608
2609 } else if (streq(key, "n-accepted")) {
2610 unsigned k;
2611
e364ad06 2612 if (safe_atou(value, &k) < 0)
f2341e0a 2613 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
a16e1123
LP		 2614 else
2615 s->n_accepted += k;
2616 } else if (streq(key, "control-pid")) {
5925dd3c 2617 pid_t pid;
a16e1123 2618
e364ad06 2619 if (parse_pid(value, &pid) < 0)
f2341e0a 2620 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
a16e1123 2621 else
5925dd3c 2622 s->control_pid = pid;
a16e1123
LP		 2623 } else if (streq(key, "control-command")) {
2624 SocketExecCommand id;
2625
66870f90
ZJS		 2626 id = socket_exec_command_from_string(value);
2627 if (id < 0)
f2341e0a 2628 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
a16e1123
LP		 2629 else {
2630 s->control_command_id = id;
2631 s->control_command = s->exec_command[id];
2632 }
2633 } else if (streq(key, "fifo")) {
2634 int fd, skip = 0;
2635 SocketPort *p;
2636
2637 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2638 log_unit_debug(u, "Failed to parse fifo value: %s", value);
80a58668 2639 else
a16e1123 2640 LIST_FOREACH(port, p, s->ports)
b0a3f2bc 2641 if (p->type == SOCKET_FIFO &&
e3f791a2 2642 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2643 socket_port_take_fd(p, fds, fd);
b0a3f2bc 2644 break;
80a58668 2645 }
b0a3f2bc
LP		 2646
2647 } else if (streq(key, "special")) {
2648 int fd, skip = 0;
2649 SocketPort *p;
2650
2651 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2652 log_unit_debug(u, "Failed to parse special value: %s", value);
80a58668 2653 else
b0a3f2bc
LP		 2654 LIST_FOREACH(port, p, s->ports)
2655 if (p->type == SOCKET_SPECIAL &&
e3f791a2 2656 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2657 socket_port_take_fd(p, fds, fd);
a16e1123 2658 break;
80a58668 2659 }
a16e1123 2660
ee092817
LP		 2661 } else if (streq(key, "mqueue")) {
2662 int fd, skip = 0;
2663 SocketPort *p;
2664
2665 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2666 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
80a58668 2667 else
ee092817
LP		 2668 LIST_FOREACH(port, p, s->ports)
2669 if (p->type == SOCKET_MQUEUE &&
80a58668
ZJS		 2670 streq(p->path, value+skip)) {
2671 socket_port_take_fd(p, fds, fd);
ee092817 2672 break;
80a58668 2673 }
ee092817 2674
a16e1123 2675 } else if (streq(key, "socket")) {
27ca8d7a 2676 int fd, type, skip = 0;
a16e1123
LP		 2677 SocketPort *p;
2678
27ca8d7a 2679 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
f2341e0a 2680 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2681 else
a16e1123 2682 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2683 if (socket_address_is(&p->address, value+skip, type)) {
2684 socket_port_take_fd(p, fds, fd);
a16e1123 2685 break;
80a58668 2686 }
a16e1123 2687
7a22745a
LP		 2688 } else if (streq(key, "netlink")) {
2689 int fd, skip = 0;
2690 SocketPort *p;
2691
2692 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2693 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2694 else
7a22745a 2695 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2696 if (socket_address_is_netlink(&p->address, value+skip)) {
2697 socket_port_take_fd(p, fds, fd);
7a22745a 2698 break;
80a58668 2699 }
60252446
PS		 2700
2701 } else if (streq(key, "ffs")) {
2702 int fd, skip = 0;
2703 SocketPort *p;
2704
2705 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2706 log_unit_debug(u, "Failed to parse ffs value: %s", value);
80a58668 2707 else
60252446
PS		 2708 LIST_FOREACH(port, p, s->ports)
2709 if (p->type == SOCKET_USB_FUNCTION &&
e3f791a2 2710 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2711 socket_port_take_fd(p, fds, fd);
60252446 2712 break;
80a58668 2713 }
60252446 2714
a16e1123 2715 } else
f2341e0a 2716 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
a16e1123
LP		 2717
2718 return 0;
2719}
2720
9ff1a6f1 2721static void socket_distribute_fds(Unit *u, FDSet *fds) {
01e10de3
LP		 2722 Socket *s = SOCKET(u);
2723 SocketPort *p;
2724
2725 assert(u);
2726
2727 LIST_FOREACH(port, p, s->ports) {
2728 Iterator i;
2729 int fd;
2730
2731 if (p->type != SOCKET_SOCKET)
2732 continue;
2733
2734 if (p->fd >= 0)
2735 continue;
2736
2737 FDSET_FOREACH(fd, fds, i) {
2738 if (socket_address_matches_fd(&p->address, fd)) {
2739 p->fd = fdset_remove(fds, fd);
2740 s->deserialized_state = SOCKET_LISTENING;
2741 break;
2742 }
2743 }
2744 }
01e10de3
LP		 2745}
2746
44a6b1b6 2747_pure_ static UnitActiveState socket_active_state(Unit *u) {
87f0e418 2748 assert(u);
5cb5a6ff 2749
acbb0225 2750 return state_translation_table[SOCKET(u)->state];
5cb5a6ff
LP		 2751}
2752
44a6b1b6 2753_pure_ static const char *socket_sub_state_to_string(Unit *u) {
10a94420
LP		 2754 assert(u);
2755
a16e1123 2756 return socket_state_to_string(SOCKET(u)->state);
10a94420
LP		 2757}
2758
67419600
OS		 2759const char* socket_port_type_to_string(SocketPort *p) {
2760
2761 assert(p);
2762
2763 switch (p->type) {
718db961
LP		 2764
2765 case SOCKET_SOCKET:
2766
2767 switch (p->address.type) {
2768
2769 case SOCK_STREAM:
2770 return "Stream";
2771
2772 case SOCK_DGRAM:
2773 return "Datagram";
2774
2775 case SOCK_SEQPACKET:
2776 return "SequentialPacket";
2777
2778 case SOCK_RAW:
2779 if (socket_address_family(&p->address) == AF_NETLINK)
2780 return "Netlink";
2781
4831981d 2782 _fallthrough_;
718db961
LP		 2783 default:
2784 return NULL;
2785 }
2786
2787 case SOCKET_SPECIAL:
2788 return "Special";
2789
2790 case SOCKET_MQUEUE:
2791 return "MessageQueue";
2792
2793 case SOCKET_FIFO:
2794 return "FIFO";
2795
60252446
PS		 2796 case SOCKET_USB_FUNCTION:
2797 return "USBFunction";
2798
718db961
LP		 2799 default:
2800 return NULL;
67419600
OS		 2801 }
2802}
2803
038ed5a4
YW		 2804SocketType socket_port_type_from_string(const char *s) {
2805 assert(s);
2806
e045e325
YW		 2807 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2808 return SOCKET_SOCKET;
2809 else if (streq(s, "Special"))
2810 return SOCKET_SPECIAL;
2811 else if (streq(s, "MessageQueue"))
2812 return SOCKET_MQUEUE;
2813 else if (streq(s, "FIFO"))
2814 return SOCKET_FIFO;
2815 else if (streq(s, "USBFunction"))
2816 return SOCKET_USB_FUNCTION;
038ed5a4
YW		 2817 else
2818 return _SOCKET_TYPE_INVALID;
2819}
2820
f2f725e5 2821_pure_ static bool socket_may_gc(Unit *u) {
6cf6bbc2
LP		 2822 Socket *s = SOCKET(u);
2823
2824 assert(u);
2825
f2f725e5 2826 return s->n_connections == 0;
6cf6bbc2
LP		 2827}
2828
a79279c7
LP		 2829static int socket_accept_do(Socket *s, int fd) {
2830 int cfd;
2831
2832 assert(s);
2833 assert(fd >= 0);
2834
2835 for (;;) {
2836 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2837 if (cfd < 0) {
2838 if (errno == EINTR)
2839 continue;
2840
2841 return -errno;
2842 }
2843
2844 break;
2845 }
2846
2847 return cfd;
2848}
2849
2850static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2851 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2852 int cfd, r;
2853 pid_t pid;
2854
2855 assert(s);
2856 assert(p);
2857 assert(fd >= 0);
2858
2859 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2860 * connection socket is also properly associated with the cgroup. */
2861
2862 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2863 goto shortcut;
2864
2865 r = bpf_firewall_supported();
2866 if (r < 0)
2867 return r;
2ae7ee58 2868 if (r == BPF_FIREWALL_UNSUPPORTED)
a79279c7
LP		 2869 goto shortcut;
2870
2871 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2872 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2873
4c253ed1 2874 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
a79279c7
LP		 2875 if (r < 0)
2876 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2877 if (r == 0) {
2878 /* Child */
2879
2880 pair[0] = safe_close(pair[0]);
2881
2882 cfd = socket_accept_do(s, fd);
2883 if (cfd < 0) {
2884 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2885 _exit(EXIT_FAILURE);
2886 }
2887
2888 r = send_one_fd(pair[1], cfd, 0);
2889 if (r < 0) {
2890 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2891 _exit(EXIT_FAILURE);
2892 }
2893
2894 _exit(EXIT_SUCCESS);
2895 }
2896
2897 pair[1] = safe_close(pair[1]);
2898 cfd = receive_one_fd(pair[0], 0);
2899
2900 /* We synchronously wait for the helper, as it shouldn't be slow */
d2e0ac3d 2901 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
a79279c7
LP		 2902 if (r < 0) {
2903 safe_close(cfd);
2904 return r;
2905 }
2906
2907 if (cfd < 0)
2908 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2909
2910 return cfd;
2911
2912shortcut:
2913 cfd = socket_accept_do(s, fd);
2914 if (cfd < 0)
2915 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2916
2917 return cfd;
2918}
2919
718db961
LP		 2920static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2921 SocketPort *p = userdata;
4f2d528d 2922 int cfd = -1;
9152c765 2923
718db961 2924 assert(p);
8d567588 2925 assert(fd >= 0);
9152c765 2926
718db961
LP		 2927 if (p->socket->state != SOCKET_LISTENING)
2928 return 0;
871d7de4 2929
f2341e0a 2930 log_unit_debug(UNIT(p->socket), "Incoming traffic");
9152c765 2931
718db961 2932 if (revents != EPOLLIN) {
641e01dc 2933
718db961 2934 if (revents & EPOLLHUP)
f2341e0a 2935 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
641e01dc 2936 else
f2341e0a 2937 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
8d567588 2938 goto fail;
4f2d528d
LP		 2939 }
2940
718db961
LP		 2941 if (p->socket->accept &&
2942 p->type == SOCKET_SOCKET &&
2943 socket_address_can_accept(&p->address)) {
2944
a79279c7
LP		 2945 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2946 if (cfd < 0)
2947 goto fail;
4fd5948e 2948
718db961 2949 socket_apply_socket_options(p->socket, cfd);
4f2d528d 2950 }
9152c765 2951
718db961
LP		 2952 socket_enter_running(p->socket, cfd);
2953 return 0;
8d567588
LP		 2954
2955fail:
718db961
LP		 2956 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2957 return 0;
9152c765
LP		 2958}
2959
87f0e418
LP		 2960static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2961 Socket *s = SOCKET(u);
cfc4eb4c 2962 SocketResult f;
5cb5a6ff
LP		 2963
2964 assert(s);
034c6ed7 2965 assert(pid >= 0);
5cb5a6ff 2966
8c47c732
LP		 2967 if (pid != s->control_pid)
2968 return;
542563ba 2969
034c6ed7
LP		 2970 s->control_pid = 0;
2971
1f0958f6 2972 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
cfc4eb4c
LP		 2973 f = SOCKET_SUCCESS;
2974 else if (code == CLD_EXITED)
2975 f = SOCKET_FAILURE_EXIT_CODE;
2976 else if (code == CLD_KILLED)
2977 f = SOCKET_FAILURE_SIGNAL;
2978 else if (code == CLD_DUMPED)
2979 f = SOCKET_FAILURE_CORE_DUMP;
2980 else
a4152e3f 2981 assert_not_reached("Unknown sigchld code");
8c47c732 2982
b708e7ce 2983 if (s->control_command) {
6ea832a2 2984 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
a16e1123 2985
3ed0cd26 2986 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
cfc4eb4c 2987 f = SOCKET_SUCCESS;
b708e7ce
LP		 2988 }
2989
f2341e0a
LP		 2990 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2991 "Control process exited, code=%s status=%i",
2992 sigchld_code_to_string(code), status);
034c6ed7 2993
a0fef983 2994 if (s->result == SOCKET_SUCCESS)
cfc4eb4c
LP		 2995 s->result = f;
2996
2997 if (s->control_command &&
2998 s->control_command->command_next &&
2999 f == SOCKET_SUCCESS) {
3000
f2341e0a 3001 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
cfc4eb4c 3002 socket_run_next(s);
acbb0225 3003 } else {
a16e1123
LP		 3004 s->control_command = NULL;
3005 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
3006
034c6ed7
LP		 3007 /* No further commands for this step, so let's figure
3008 * out what to do next */
5cb5a6ff 3009
f2341e0a 3010 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
acbb0225 3011
034c6ed7
LP		 3012 switch (s->state) {
3013
3014 case SOCKET_START_PRE:
cfc4eb4c 3015 if (f == SOCKET_SUCCESS)
3900e5fd 3016 socket_enter_start_chown(s);
034c6ed7 3017 else
cfc4eb4c 3018 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
034c6ed7
LP		 3019 break;
3020
3900e5fd
LP		 3021 case SOCKET_START_CHOWN:
3022 if (f == SOCKET_SUCCESS)
3023 socket_enter_start_post(s);
3024 else
3025 socket_enter_stop_pre(s, f);
3026 break;
3027
034c6ed7 3028 case SOCKET_START_POST:
cfc4eb4c 3029 if (f == SOCKET_SUCCESS)
e9af15c3 3030 socket_enter_listening(s);
034c6ed7 3031 else
cfc4eb4c 3032 socket_enter_stop_pre(s, f);
034c6ed7
LP		 3033 break;
3034
3035 case SOCKET_STOP_PRE:
3036 case SOCKET_STOP_PRE_SIGTERM:
3037 case SOCKET_STOP_PRE_SIGKILL:
cfc4eb4c 3038 socket_enter_stop_post(s, f);
034c6ed7
LP		 3039 break;
3040
3041 case SOCKET_STOP_POST:
80876c20
LP		 3042 case SOCKET_FINAL_SIGTERM:
3043 case SOCKET_FINAL_SIGKILL:
cfc4eb4c 3044 socket_enter_dead(s, f);
034c6ed7
LP		 3045 break;
3046
3047 default:
3048 assert_not_reached("Uh, control process died at wrong time.");
3049 }
3050 }
c4e2ceae
LP		 3051
3052 /* Notify clients about changed exit status */
3053 unit_add_to_dbus_queue(u);
034c6ed7 3054}
5cb5a6ff 3055
718db961
LP		 3056static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3057 Socket *s = SOCKET(userdata);
5cb5a6ff 3058
034c6ed7 3059 assert(s);
718db961 3060 assert(s->timer_event_source == source);
034c6ed7
LP		 3061
3062 switch (s->state) {
3063
3064 case SOCKET_START_PRE:
f2341e0a 3065 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
cfc4eb4c 3066 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
da19d5c1 3067 break;
80876c20 3068
3900e5fd 3069 case SOCKET_START_CHOWN:
034c6ed7 3070 case SOCKET_START_POST:
f2341e0a 3071 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
cfc4eb4c 3072 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3073 break;
3074
3075 case SOCKET_STOP_PRE:
f2341e0a 3076 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
cfc4eb4c 3077 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3078 break;
3079
3080 case SOCKET_STOP_PRE_SIGTERM:
4819ff03 3081 if (s->kill_context.send_sigkill) {
f2341e0a 3082 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
cfc4eb4c 3083 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3084 } else {
f2341e0a 3085 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
cfc4eb4c 3086 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3087 }
034c6ed7
LP		 3088 break;
3089
3090 case SOCKET_STOP_PRE_SIGKILL:
f2341e0a 3091 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
cfc4eb4c 3092 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3093 break;
3094
3095 case SOCKET_STOP_POST:
f2341e0a 3096 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
cfc4eb4c 3097 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3098 break;
3099
80876c20 3100 case SOCKET_FINAL_SIGTERM:
4819ff03 3101 if (s->kill_context.send_sigkill) {
f2341e0a 3102 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
cfc4eb4c 3103 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3104 } else {
f2341e0a 3105 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
cfc4eb4c 3106 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3107 }
034c6ed7
LP		 3108 break;
3109
80876c20 3110 case SOCKET_FINAL_SIGKILL:
f2341e0a 3111 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
cfc4eb4c 3112 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3113 break;
3114
3115 default:
3116 assert_not_reached("Timeout at wrong time.");
3117 }
718db961
LP		 3118
3119 return 0;
5cb5a6ff
LP		 3120}
3121
79c7626d
LP		 3122int socket_collect_fds(Socket *s, int **fds) {
3123 int *rfds, k = 0, n = 0;
44d8db9e
LP		 3124 SocketPort *p;
3125
3126 assert(s);
3127 assert(fds);
44d8db9e
LP		 3128
3129 /* Called from the service code for requesting our fds */
3130
15087cdb 3131 LIST_FOREACH(port, p, s->ports) {
44d8db9e 3132 if (p->fd >= 0)
79c7626d
LP		 3133 n++;
3134 n += p->n_auxiliary_fds;
15087cdb 3135 }
44d8db9e 3136
79c7626d 3137 if (n <= 0) {
de3756ab 3138 *fds = NULL;
de3756ab
LP		 3139 return 0;
3140 }
3141
79c7626d 3142 rfds = new(int, n);
e5403f09 3143 if (!rfds)
44d8db9e
LP		 3144 return -ENOMEM;
3145
15087cdb 3146 LIST_FOREACH(port, p, s->ports) {
79c7626d
LP		 3147 int i;
3148
44d8db9e
LP		 3149 if (p->fd >= 0)
3150 rfds[k++] = p->fd;
15087cdb
PS		 3151 for (i = 0; i < p->n_auxiliary_fds; ++i)
3152 rfds[k++] = p->auxiliary_fds[i];
3153 }
44d8db9e 3154
79c7626d 3155 assert(k == n);
44d8db9e
LP		 3156
3157 *fds = rfds;
79c7626d 3158 return n;
44d8db9e
LP		 3159}
3160
e821075a
LP		 3161static void socket_reset_failed(Unit *u) {
3162 Socket *s = SOCKET(u);
3163
3164 assert(s);
3165
3166 if (s->state == SOCKET_FAILED)
3167 socket_set_state(s, SOCKET_DEAD);
3168
3169 s->result = SOCKET_SUCCESS;
3170}
3171
6cf6bbc2
LP		 3172void socket_connection_unref(Socket *s) {
3173 assert(s);
3174
3175 /* The service is dead. Yay!
3176 *
35b8ca3a 3177 * This is strictly for one-instance-per-connection
6cf6bbc2
LP		 3178 * services. */
3179
3180 assert(s->n_connections > 0);
3181 s->n_connections--;
3182
f2341e0a 3183 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
5632e374
LP		 3184}
3185
d137a488
UTL		 3186static void socket_trigger_notify(Unit *u, Unit *other) {
3187 Socket *s = SOCKET(u);
d137a488
UTL		 3188
3189 assert(u);
3190 assert(other);
3191
d14e3a0d
LP		 3192 /* Filter out invocations with bogus state */
3193 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3194 return;
3195
3196 /* Don't propagate state changes from the service if we are already down */
3197 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
d137a488
UTL		 3198 return;
3199
d14e3a0d
LP		 3200 /* We don't care for the service state if we are in Accept=yes mode */
3201 if (s->accept)
3202 return;
3203
3204 /* Propagate start limit hit state */
6bf0f408
LP		 3205 if (other->start_limit_hit) {
3206 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
d137a488 3207 return;
6bf0f408 3208 }
d137a488 3209
d14e3a0d
LP		 3210 /* Don't propagate anything if there's still a job queued */
3211 if (other->job)
6bf0f408 3212 return;
d137a488 3213
6bf0f408
LP		 3214 if (IN_SET(SERVICE(other)->state,
3215 SERVICE_DEAD, SERVICE_FAILED,
3216 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3217 SERVICE_AUTO_RESTART))
3218 socket_enter_listening(s);
d137a488 3219
6bf0f408 3220 if (SERVICE(other)->state == SERVICE_RUNNING)
d137a488
UTL		 3221 socket_set_state(s, SOCKET_RUNNING);
3222}
3223
718db961 3224static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
814cc562 3225 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
8a0867d6
LP		 3226}
3227
7a7821c8 3228static int socket_get_timeout(Unit *u, usec_t *timeout) {
68db7a3b 3229 Socket *s = SOCKET(u);
7a7821c8 3230 usec_t t;
68db7a3b
ZJS		 3231 int r;
3232
3233 if (!s->timer_event_source)
3234 return 0;
3235
7a7821c8 3236 r = sd_event_source_get_time(s->timer_event_source, &t);
68db7a3b
ZJS		 3237 if (r < 0)
3238 return r;
7a7821c8
LP		 3239 if (t == USEC_INFINITY)
3240 return 0;
68db7a3b 3241
7a7821c8 3242 *timeout = t;
68db7a3b
ZJS		 3243 return 1;
3244}
3245
8dd4c05b
LP		 3246char *socket_fdname(Socket *s) {
3247 assert(s);
3248
3249 /* Returns the name to use for $LISTEN_NAMES. If the user
3250 * didn't specify anything specifically, use the socket unit's
3251 * name as fallback. */
3252
84500122 3253 return s->fdname ?: UNIT(s)->id;
8dd4c05b
LP		 3254}
3255
291d565a
LP		 3256static int socket_control_pid(Unit *u) {
3257 Socket *s = SOCKET(u);
3258
3259 assert(s);
3260
3261 return s->control_pid;
3262}
3263
a16e1123 3264static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
836bb1cd
YW		 3265 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3266 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3267 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3268 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3269 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
a16e1123
LP		 3270};
3271
3272DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3273
cfc4eb4c
LP		 3274static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3275 [SOCKET_SUCCESS] = "success",
3276 [SOCKET_FAILURE_RESOURCES] = "resources",
3277 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3278 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3279 [SOCKET_FAILURE_SIGNAL] = "signal",
c2f34808 3280 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
07299350 3281 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
8b26cdbd 3282 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
6bf0f408 3283 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
cfc4eb4c
LP		 3284};
3285
3286DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3287
87f0e418 3288const UnitVTable socket_vtable = {
7d17cfbc 3289 .object_size = sizeof(Socket),
718db961
LP		 3290 .exec_context_offset = offsetof(Socket, exec_context),
3291 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3292 .kill_context_offset = offsetof(Socket, kill_context),
613b411c 3293 .exec_runtime_offset = offsetof(Socket, exec_runtime),
29206d46 3294 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3ef63c31 3295
f975e971
LP		 3296 .sections =
3297 "Unit\0"
3298 "Socket\0"
3299 "Install\0",
4ad49000 3300 .private_section = "Socket",
71645aca 3301
9c0320e7
YW		 3302 .can_transient = true,
3303
034c6ed7
LP		 3304 .init = socket_init,
3305 .done = socket_done,
a16e1123
LP		 3306 .load = socket_load,
3307
3308 .coldplug = socket_coldplug,
034c6ed7 3309
5cb5a6ff
LP		 3310 .dump = socket_dump,
3311
542563ba
LP		 3312 .start = socket_start,
3313 .stop = socket_stop,
5cb5a6ff 3314
718db961
LP		 3315 .kill = socket_kill,
3316
68db7a3b
ZJS		 3317 .get_timeout = socket_get_timeout,
3318
a16e1123
LP		 3319 .serialize = socket_serialize,
3320 .deserialize_item = socket_deserialize_item,
01e10de3 3321 .distribute_fds = socket_distribute_fds,
a16e1123 3322
5cb5a6ff 3323 .active_state = socket_active_state,
10a94420 3324 .sub_state_to_string = socket_sub_state_to_string,
5cb5a6ff 3325
f2f725e5 3326 .may_gc = socket_may_gc,
6cf6bbc2 3327
034c6ed7 3328 .sigchld_event = socket_sigchld_event,
4139c1b2 3329
d137a488
UTL		 3330 .trigger_notify = socket_trigger_notify,
3331
fdf20a31 3332 .reset_failed = socket_reset_failed,
5632e374 3333
291d565a
LP		 3334 .control_pid = socket_control_pid,
3335
718db961 3336 .bus_vtable = bus_socket_vtable,
74c964d3
LP		 3337 .bus_set_property = bus_socket_set_property,
3338 .bus_commit_properties = bus_socket_commit_properties,
c6918296
MS		 3339
3340 .status_message_formats = {
3341 /*.starting_stopping = {
3342 [0] = "Starting socket %s...",
3343 [1] = "Stopping socket %s...",
3344 },*/
3345 .finished_start_job = {
3346 [JOB_DONE] = "Listening on %s.",
3347 [JOB_FAILED] = "Failed to listen on %s.",
c6918296
MS		 3348 [JOB_TIMEOUT] = "Timed out starting %s.",
3349 },
3350 .finished_stop_job = {
3351 [JOB_DONE] = "Closed %s.",
3352 [JOB_FAILED] = "Failed stopping %s.",
3353 [JOB_TIMEOUT] = "Timed out stopping %s.",
3354 },
3355 },
5cb5a6ff 3356};
Unnamed repository; edit this file 'description' to name the repository.