]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/socket.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: when creating the socket fds for a socket unit, join socket's cgroup first
[thirdparty/systemd.git] / src / core / socket.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
e8da24a6 20#include <arpa/inet.h>
83c60c9f
LP		 21#include <errno.h>
22#include <fcntl.h>
916abb21 23#include <mqueue.h>
e8da24a6
LP		 24#include <netinet/tcp.h>
25#include <signal.h>
26#include <sys/epoll.h>
27#include <sys/stat.h>
28#include <unistd.h>
62bc4efc 29#include <linux/sctp.h>
83c60c9f 30
b5efdb8a 31#include "alloc-util.h"
a79279c7 32#include "bpf-firewall.h"
e8da24a6
LP		 33#include "bus-error.h"
34#include "bus-util.h"
35#include "copy.h"
36#include "dbus-socket.h"
37#include "def.h"
38#include "exit-status.h"
3ffd4af2 39#include "fd-util.h"
f97b34a6 40#include "format-util.h"
a79279c7 41#include "in-addr-util.h"
60d9771c 42#include "io-util.h"
e8da24a6 43#include "label.h"
83c60c9f 44#include "log.h"
e8da24a6 45#include "missing.h"
49e942b2 46#include "mkdir.h"
6bedfcbb 47#include "parse-util.h"
9eb977db 48#include "path-util.h"
7b3e062c 49#include "process-util.h"
d7b8eec7 50#include "selinux-util.h"
24882e06 51#include "signal-util.h"
e8da24a6 52#include "smack-util.h"
24882e06 53#include "socket.h"
e8da24a6 54#include "special.h"
8b43440b 55#include "string-table.h"
07630cea 56#include "string-util.h"
e8da24a6
LP		 57#include "strv.h"
58#include "unit-name.h"
e8da24a6 59#include "unit.h"
b1d4f8e1 60#include "user-util.h"
83c60c9f 61
166cf510
ZJS		 62struct SocketPeer {
63 unsigned n_ref;
64
65 Socket *socket;
66 union sockaddr_union peer;
41733ae1 67 socklen_t peer_salen;
166cf510
ZJS		 68};
69
acbb0225 70static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
87f0e418
LP		 71 [SOCKET_DEAD] = UNIT_INACTIVE,
72 [SOCKET_START_PRE] = UNIT_ACTIVATING,
3900e5fd 73 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
87f0e418
LP		 74 [SOCKET_START_POST] = UNIT_ACTIVATING,
75 [SOCKET_LISTENING] = UNIT_ACTIVE,
76 [SOCKET_RUNNING] = UNIT_ACTIVE,
77 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
78 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
79 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
80 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
80876c20
LP		 81 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
fdf20a31 83 [SOCKET_FAILED] = UNIT_FAILED
83c60c9f 84};
5cb5a6ff 85
718db961
LP		 86static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
87static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
88
a16e1123
LP		 89static void socket_init(Unit *u) {
90 Socket *s = SOCKET(u);
91
92 assert(u);
ac155bb8 93 assert(u->load_state == UNIT_STUB);
a16e1123 94
a16e1123 95 s->backlog = SOMAXCONN;
1f19a534 96 s->timeout_usec = u->manager->default_timeout_start_usec;
a16e1123 97 s->directory_mode = 0755;
9131f660 98 s->socket_mode = 0666;
a16e1123 99
6cf6bbc2
LP		 100 s->max_connections = 64;
101
4fd5948e 102 s->priority = -1;
4fd5948e
LP		 103 s->ip_tos = -1;
104 s->ip_ttl = -1;
4fd5948e 105 s->mark = -1;
4fd5948e 106
ac155bb8
MS		 107 s->exec_context.std_output = u->manager->default_std_output;
108 s->exec_context.std_error = u->manager->default_std_error;
085afe36 109
a16e1123 110 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
8b26cdbd 111
1f15ce28
LP		 112 s->trigger_limit.interval = USEC_INFINITY;
113 s->trigger_limit.burst = (unsigned) -1;
a16e1123 114}
acbb0225 115
5e94833f
LP		 116static void socket_unwatch_control_pid(Socket *s) {
117 assert(s);
118
119 if (s->control_pid <= 0)
120 return;
121
122 unit_unwatch_pid(UNIT(s), s->control_pid);
123 s->control_pid = 0;
124}
125
15087cdb 126static void socket_cleanup_fd_list(SocketPort *p) {
3ffd4af2 127 assert(p);
15087cdb 128
3ffd4af2 129 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
15087cdb
PS		 130 p->auxiliary_fds = mfree(p->auxiliary_fds);
131 p->n_auxiliary_fds = 0;
132}
133
74051b9b 134void socket_free_ports(Socket *s) {
034c6ed7
LP		 135 SocketPort *p;
136
137 assert(s);
138
139 while ((p = s->ports)) {
71fda00f 140 LIST_REMOVE(port, s->ports, p);
034c6ed7 141
718db961
LP		 142 sd_event_source_unref(p->event_source);
143
15087cdb 144 socket_cleanup_fd_list(p);
03e334a1 145 safe_close(p->fd);
034c6ed7
LP		 146 free(p->path);
147 free(p);
148 }
74051b9b
LP		 149}
150
151static void socket_done(Unit *u) {
152 Socket *s = SOCKET(u);
9d565427 153 SocketPeer *p;
74051b9b
LP		 154
155 assert(s);
156
157 socket_free_ports(s);
034c6ed7 158
9a73653c 159 while ((p = set_steal_first(s->peers_by_address)))
9d565427
SS		 160 p->socket = NULL;
161
9a73653c 162 s->peers_by_address = set_free(s->peers_by_address);
9d565427 163
613b411c 164 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
e537352b 165 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
034c6ed7
LP		 166 s->control_command = NULL;
167
29206d46
LP		 168 dynamic_creds_unref(&s->dynamic_creds);
169
5e94833f 170 socket_unwatch_control_pid(s);
034c6ed7 171
57020a3a 172 unit_ref_unset(&s->service);
034c6ed7 173
a1e58e8e
LP		 174 s->tcp_congestion = mfree(s->tcp_congestion);
175 s->bind_to_device = mfree(s->bind_to_device);
acbb0225 176
0a78712e
DM		 177 s->smack = mfree(s->smack);
178 s->smack_ip_in = mfree(s->smack_ip_in);
179 s->smack_ip_out = mfree(s->smack_ip_out);
0eb59ccf 180
811ba7a0
LP		 181 strv_free(s->symlinks);
182
0a78712e
DM		 183 s->user = mfree(s->user);
184 s->group = mfree(s->group);
3900e5fd 185
a97b23d6
DM		 186 s->fdname = mfree(s->fdname);
187
718db961
LP		 188 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
189}
190
36c16a7c 191static int socket_arm_timer(Socket *s, usec_t usec) {
718db961
LP		 192 int r;
193
194 assert(s);
195
718db961 196 if (s->timer_event_source) {
36c16a7c 197 r = sd_event_source_set_time(s->timer_event_source, usec);
718db961
LP		 198 if (r < 0)
199 return r;
200
201 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
202 }
203
36c16a7c
LP		 204 if (usec == USEC_INFINITY)
205 return 0;
206
7dfbe2e3 207 r = sd_event_add_time(
6a0f1f6d
LP		 208 UNIT(s)->manager->event,
209 &s->timer_event_source,
210 CLOCK_MONOTONIC,
36c16a7c 211 usec, 0,
6a0f1f6d 212 socket_dispatch_timer, s);
7dfbe2e3
TG		 213 if (r < 0)
214 return r;
215
216 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
217
218 return 0;
5cb5a6ff
LP		 219}
220
8b835fcc
ZJS		 221int socket_instantiate_service(Socket *s) {
222 _cleanup_free_ char *prefix = NULL, *name = NULL;
b15bdda8
LP		 223 int r;
224 Unit *u;
225
226 assert(s);
227
228 /* This fills in s->service if it isn't filled in yet. For
229 * Accept=yes sockets we create the next connection service
230 * here. For Accept=no this is mostly a NOP since the service
231 * is figured out at load time anyway. */
232
7410616c 233 if (UNIT_DEREF(s->service))
b15bdda8
LP		 234 return 0;
235
7410616c
LP		 236 if (!s->accept)
237 return 0;
238
239 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
240 if (r < 0)
241 return r;
b15bdda8 242
315db1a8 243 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
b15bdda8
LP		 244 return -ENOMEM;
245
1124fe6f 246 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
b15bdda8
LP		 247 if (r < 0)
248 return r;
249
57020a3a
LP		 250 unit_ref_set(&s->service, u);
251
252 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false);
b15bdda8
LP		 253}
254
4f2d528d
LP		 255static bool have_non_accept_socket(Socket *s) {
256 SocketPort *p;
257
258 assert(s);
259
260 if (!s->accept)
261 return true;
262
dd5ad9d4
LP		 263 LIST_FOREACH(port, p, s->ports) {
264
265 if (p->type != SOCKET_SOCKET)
266 return true;
267
4f2d528d
LP		 268 if (!socket_address_can_accept(&p->address))
269 return true;
dd5ad9d4 270 }
4f2d528d
LP		 271
272 return false;
273}
274
a57f7e2c 275static int socket_add_mount_links(Socket *s) {
6e2ef85b 276 SocketPort *p;
6e2ef85b
LP		 277 int r;
278
279 assert(s);
6e2ef85b 280
a57f7e2c
LP		 281 LIST_FOREACH(port, p, s->ports) {
282 const char *path = NULL;
6e2ef85b 283
a57f7e2c
LP		 284 if (p->type == SOCKET_SOCKET)
285 path = socket_address_get_path(&p->address);
60252446 286 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
a57f7e2c 287 path = p->path;
6e2ef85b 288
a57f7e2c
LP		 289 if (!path)
290 continue;
6e2ef85b 291
a57f7e2c 292 r = unit_require_mounts_for(UNIT(s), path);
b87705cd 293 if (r < 0)
6e2ef85b 294 return r;
b87705cd 295 }
6e2ef85b
LP		 296
297 return 0;
298}
299
300static int socket_add_device_link(Socket *s) {
301 char *t;
6e2ef85b
LP		 302
303 assert(s);
304
7d0c710d 305 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
6e2ef85b
LP		 306 return 0;
307
63c372cb 308 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
9d06297e 309 return unit_add_node_link(UNIT(s), t, false, UNIT_BINDS_TO);
6e2ef85b
LP		 310}
311
a40eb732
LP		 312static int socket_add_default_dependencies(Socket *s) {
313 int r;
314 assert(s);
315
4c9ea260
LP		 316 if (!UNIT(s)->default_dependencies)
317 return 0;
318
e3d84721
LP		 319 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true);
320 if (r < 0)
321 return r;
2a77d31d 322
463d0d15 323 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
e3d84721
LP		 324 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true);
325 if (r < 0)
a40eb732 326 return r;
2a77d31d 327 }
a40eb732 328
ead8e478 329 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true);
a40eb732
LP		 330}
331
44a6b1b6 332_pure_ static bool socket_has_exec(Socket *s) {
4cfc6dbe
LP		 333 unsigned i;
334 assert(s);
335
336 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
337 if (s->exec_command[i])
338 return true;
339
340 return false;
341}
342
e821075a
LP		 343static int socket_add_extras(Socket *s) {
344 Unit *u = UNIT(s);
e537352b 345 int r;
44d8db9e 346
e821075a 347 assert(s);
57020a3a 348
1f15ce28
LP		 349 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
350 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
351 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
352 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
353 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
354 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
355 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
356 * service starts are typical. */
357
358 if (s->trigger_limit.interval == USEC_INFINITY)
359 s->trigger_limit.interval = 2 * USEC_PER_SEC;
360
361 if (s->trigger_limit.burst == (unsigned) -1) {
362 if (s->accept)
363 s->trigger_limit.burst = 200;
364 else
365 s->trigger_limit.burst = 20;
366 }
367
e821075a 368 if (have_non_accept_socket(s)) {
23a177ef 369
e821075a
LP		 370 if (!UNIT_DEREF(s->service)) {
371 Unit *x;
57020a3a 372
e821075a 373 r = unit_load_related_unit(u, ".service", &x);
57020a3a 374 if (r < 0)
4f2d528d 375 return r;
e821075a
LP		 376
377 unit_ref_set(&s->service, x);
4f2d528d 378 }
44d8db9e 379
e821075a
LP		 380 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true);
381 if (r < 0)
6e2ef85b 382 return r;
e821075a 383 }
6e2ef85b 384
e821075a
LP		 385 r = socket_add_mount_links(s);
386 if (r < 0)
387 return r;
6e2ef85b 388
e821075a
LP		 389 r = socket_add_device_link(s);
390 if (r < 0)
391 return r;
392
598459ce 393 r = unit_patch_contexts(u);
e821075a
LP		 394 if (r < 0)
395 return r;
396
397 if (socket_has_exec(s)) {
398 r = unit_add_exec_dependencies(u, &s->exec_context);
399 if (r < 0)
400 return r;
23a177ef 401
d79200e2 402 r = unit_set_default_slice(u);
a016b922
LP		 403 if (r < 0)
404 return r;
e821075a 405 }
a016b922 406
4c9ea260
LP		 407 r = socket_add_default_dependencies(s);
408 if (r < 0)
409 return r;
e821075a
LP		 410
411 return 0;
412}
413
811ba7a0
LP		 414static const char *socket_find_symlink_target(Socket *s) {
415 const char *found = NULL;
416 SocketPort *p;
417
418 LIST_FOREACH(port, p, s->ports) {
419 const char *f = NULL;
420
421 switch (p->type) {
422
423 case SOCKET_FIFO:
424 f = p->path;
425 break;
426
427 case SOCKET_SOCKET:
b9495e8d 428 f = socket_address_get_path(&p->address);
811ba7a0
LP		 429 break;
430
431 default:
432 break;
433 }
434
435 if (f) {
436 if (found)
437 return NULL;
438
439 found = f;
440 }
441 }
442
443 return found;
444}
445
e821075a
LP		 446static int socket_verify(Socket *s) {
447 assert(s);
448
449 if (UNIT(s)->load_state != UNIT_LOADED)
450 return 0;
451
452 if (!s->ports) {
da3bddc9 453 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
e821075a
LP		 454 return -EINVAL;
455 }
456
457 if (s->accept && have_non_accept_socket(s)) {
f2341e0a 458 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
e821075a
LP		 459 return -EINVAL;
460 }
461
462 if (s->accept && s->max_connections <= 0) {
f2341e0a 463 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
e821075a
LP		 464 return -EINVAL;
465 }
e06c73cc 466
e821075a 467 if (s->accept && UNIT_DEREF(s->service)) {
f2341e0a 468 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
e821075a
LP		 469 return -EINVAL;
470 }
471
472 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
f2341e0a 473 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
e821075a
LP		 474 return -EINVAL;
475 }
476
811ba7a0 477 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
f2341e0a 478 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
811ba7a0
LP		 479 return -EINVAL;
480 }
481
e821075a
LP		 482 return 0;
483}
484
9d565427
SS		 485static void peer_address_hash_func(const void *p, struct siphash *state) {
486 const SocketPeer *s = p;
487
488 assert(s);
489
490 if (s->peer.sa.sa_family == AF_INET)
491 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
41733ae1 492 else if (s->peer.sa.sa_family == AF_INET6)
9d565427 493 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
359a5bcf
SH		 494 else if (s->peer.sa.sa_family == AF_VSOCK)
495 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
41733ae1
LP		 496 else
497 assert_not_reached("Unknown address family.");
9d565427
SS		 498}
499
500static int peer_address_compare_func(const void *a, const void *b) {
501 const SocketPeer *x = a, *y = b;
502
503 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
504 return -1;
505 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
506 return 1;
507
508 switch(x->peer.sa.sa_family) {
509 case AF_INET:
510 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
511 case AF_INET6:
512 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
359a5bcf
SH		 513 case AF_VSOCK:
514 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
515 return -1;
516 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
517 return 1;
518 return 0;
9d565427 519 }
166cf510 520 assert_not_reached("Black sheep in the family!");
9d565427
SS		 521}
522
523const struct hash_ops peer_address_hash_ops = {
524 .hash = peer_address_hash_func,
525 .compare = peer_address_compare_func
526};
527
e821075a
LP		 528static int socket_load(Unit *u) {
529 Socket *s = SOCKET(u);
530 int r;
531
532 assert(u);
533 assert(u->load_state == UNIT_STUB);
534
9a73653c 535 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
9d565427
SS		 536 if (r < 0)
537 return r;
538
e821075a
LP		 539 r = unit_load_fragment_and_dropin(u);
540 if (r < 0)
541 return r;
542
543 if (u->load_state == UNIT_LOADED) {
544 /* This is a new unit? Then let's add in some extras */
545 r = socket_add_extras(s);
e06c73cc
LP		 546 if (r < 0)
547 return r;
23a177ef
LP		 548 }
549
4f2d528d 550 return socket_verify(s);
44d8db9e
LP		 551}
552
166cf510
ZJS		 553static SocketPeer *socket_peer_new(void) {
554 SocketPeer *p;
555
556 p = new0(SocketPeer, 1);
557 if (!p)
558 return NULL;
559
560 p->n_ref = 1;
561
562 return p;
563}
564
565SocketPeer *socket_peer_ref(SocketPeer *p) {
566 if (!p)
567 return NULL;
568
569 assert(p->n_ref > 0);
570 p->n_ref++;
571
572 return p;
573}
574
575SocketPeer *socket_peer_unref(SocketPeer *p) {
576 if (!p)
577 return NULL;
578
579 assert(p->n_ref > 0);
580
581 p->n_ref--;
582
583 if (p->n_ref > 0)
584 return NULL;
585
586 if (p->socket)
587 set_remove(p->socket->peers_by_address, p);
588
589 return mfree(p);
590}
591
3ebcd323 592int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
166cf510
ZJS		 593 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
594 SocketPeer sa = {}, *i;
595 socklen_t salen = sizeof(sa.peer);
596 int r;
597
598 assert(fd >= 0);
599 assert(s);
600
601 r = getpeername(fd, &sa.peer.sa, &salen);
602 if (r < 0)
603 return log_error_errno(errno, "getpeername failed: %m");
604
359a5bcf 605 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
166cf510
ZJS		 606 *p = NULL;
607 return 0;
608 }
609
610 i = set_get(s->peers_by_address, &sa);
611 if (i) {
612 *p = socket_peer_ref(i);
613 return 1;
614 }
615
616 remote = socket_peer_new();
617 if (!remote)
618 return log_oom();
619
620 remote->peer = sa.peer;
41733ae1 621 remote->peer_salen = salen;
166cf510
ZJS		 622
623 r = set_put(s->peers_by_address, remote);
624 if (r < 0)
625 return r;
626
627 remote->socket = s;
628
629 *p = remote;
630 remote = NULL;
631
632 return 1;
633}
634
44a6b1b6 635_const_ static const char* listen_lookup(int family, int type) {
7a22745a
LP		 636
637 if (family == AF_NETLINK)
638 return "ListenNetlink";
542563ba
LP		 639
640 if (type == SOCK_STREAM)
641 return "ListenStream";
642 else if (type == SOCK_DGRAM)
643 return "ListenDatagram";
644 else if (type == SOCK_SEQPACKET)
645 return "ListenSequentialPacket";
646
034c6ed7 647 assert_not_reached("Unknown socket type");
542563ba
LP		 648 return NULL;
649}
650
87f0e418 651static void socket_dump(Unit *u, FILE *f, const char *prefix) {
209e9dcd 652 char time_string[FORMAT_TIMESPAN_MAX];
5cb5a6ff 653 SocketExecCommand c;
87f0e418 654 Socket *s = SOCKET(u);
542563ba 655 SocketPort *p;
82ba9f08 656 const char *prefix2;
5cb5a6ff
LP		 657
658 assert(s);
fa068367 659 assert(f);
5cb5a6ff 660
4c940960 661 prefix = strempty(prefix);
63c372cb 662 prefix2 = strjoina(prefix, "\t");
c43d20a0 663
5cb5a6ff
LP		 664 fprintf(f,
665 "%sSocket State: %s\n"
81a5c6d0 666 "%sResult: %s\n"
542563ba 667 "%sBindIPv6Only: %s\n"
b5a0699f
LP		 668 "%sBacklog: %u\n"
669 "%sSocketMode: %04o\n"
4fd5948e
LP		 670 "%sDirectoryMode: %04o\n"
671 "%sKeepAlive: %s\n"
4427c3f4 672 "%sNoDelay: %s\n"
cebf8b20 673 "%sFreeBind: %s\n"
6b6d2dee 674 "%sTransparent: %s\n"
ec6370a2 675 "%sBroadcast: %s\n"
ede3deb4 676 "%sPassCredentials: %s\n"
54ecda32 677 "%sPassSecurity: %s\n"
bd1fe7c7 678 "%sTCPCongestion: %s\n"
16115b0a 679 "%sRemoveOnStop: %s\n"
55301ec0 680 "%sWritable: %s\n"
8dd4c05b 681 "%sFDName: %s\n"
16115b0a 682 "%sSELinuxContextFromNet: %s\n",
a16e1123 683 prefix, socket_state_to_string(s->state),
81a5c6d0 684 prefix, socket_result_to_string(s->result),
c0120d99 685 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
b5a0699f
LP		 686 prefix, s->backlog,
687 prefix, s->socket_mode,
4fd5948e
LP		 688 prefix, s->directory_mode,
689 prefix, yes_no(s->keep_alive),
4427c3f4 690 prefix, yes_no(s->no_delay),
cebf8b20 691 prefix, yes_no(s->free_bind),
6b6d2dee 692 prefix, yes_no(s->transparent),
ec6370a2 693 prefix, yes_no(s->broadcast),
d68af586 694 prefix, yes_no(s->pass_cred),
54ecda32 695 prefix, yes_no(s->pass_sec),
bd1fe7c7 696 prefix, strna(s->tcp_congestion),
16115b0a 697 prefix, yes_no(s->remove_on_stop),
55301ec0 698 prefix, yes_no(s->writable),
8dd4c05b 699 prefix, socket_fdname(s),
16115b0a 700 prefix, yes_no(s->selinux_context_from_net));
542563ba 701
70123e68
LP		 702 if (s->control_pid > 0)
703 fprintf(f,
de0671ee
ZJS		 704 "%sControl PID: "PID_FMT"\n",
705 prefix, s->control_pid);
70123e68 706
acbb0225
LP		 707 if (s->bind_to_device)
708 fprintf(f,
709 "%sBindToDevice: %s\n",
710 prefix, s->bind_to_device);
711
4f2d528d
LP		 712 if (s->accept)
713 fprintf(f,
6cf6bbc2
LP		 714 "%sAccepted: %u\n"
715 "%sNConnections: %u\n"
716 "%sMaxConnections: %u\n",
717 prefix, s->n_accepted,
718 prefix, s->n_connections,
719 prefix, s->max_connections);
4f2d528d 720
4fd5948e
LP		 721 if (s->priority >= 0)
722 fprintf(f,
723 "%sPriority: %i\n",
724 prefix, s->priority);
725
726 if (s->receive_buffer > 0)
727 fprintf(f,
728 "%sReceiveBuffer: %zu\n",
729 prefix, s->receive_buffer);
730
731 if (s->send_buffer > 0)
732 fprintf(f,
733 "%sSendBuffer: %zu\n",
734 prefix, s->send_buffer);
735
736 if (s->ip_tos >= 0)
737 fprintf(f,
738 "%sIPTOS: %i\n",
739 prefix, s->ip_tos);
740
741 if (s->ip_ttl >= 0)
742 fprintf(f,
743 "%sIPTTL: %i\n",
744 prefix, s->ip_ttl);
745
746 if (s->pipe_size > 0)
747 fprintf(f,
748 "%sPipeSize: %zu\n",
749 prefix, s->pipe_size);
750
751 if (s->mark >= 0)
752 fprintf(f,
753 "%sMark: %i\n",
754 prefix, s->mark);
755
916abb21
LP		 756 if (s->mq_maxmsg > 0)
757 fprintf(f,
758 "%sMessageQueueMaxMessages: %li\n",
759 prefix, s->mq_maxmsg);
760
761 if (s->mq_msgsize > 0)
762 fprintf(f,
763 "%sMessageQueueMessageSize: %li\n",
764 prefix, s->mq_msgsize);
765
718db961 766 if (s->reuse_port)
f7db7a69
SL		 767 fprintf(f,
768 "%sReusePort: %s\n",
718db961 769 prefix, yes_no(s->reuse_port));
f7db7a69 770
0eb59ccf
AK		 771 if (s->smack)
772 fprintf(f,
773 "%sSmackLabel: %s\n",
774 prefix, s->smack);
775
776 if (s->smack_ip_in)
777 fprintf(f,
778 "%sSmackLabelIPIn: %s\n",
779 prefix, s->smack_ip_in);
780
781 if (s->smack_ip_out)
782 fprintf(f,
783 "%sSmackLabelIPOut: %s\n",
784 prefix, s->smack_ip_out);
785
3900e5fd
LP		 786 if (!isempty(s->user) || !isempty(s->group))
787 fprintf(f,
d2a50e3b
LP		 788 "%sSocketUser: %s\n"
789 "%sSocketGroup: %s\n",
3900e5fd
LP		 790 prefix, strna(s->user),
791 prefix, strna(s->group));
792
3cd761e4 793 if (s->keep_alive_time > 0)
209e9dcd 794 fprintf(f,
3cd761e4
LP		 795 "%sKeepAliveTimeSec: %s\n",
796 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
209e9dcd 797
3cd761e4 798 if (s->keep_alive_interval)
209e9dcd 799 fprintf(f,
3cd761e4
LP		 800 "%sKeepAliveIntervalSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
209e9dcd 802
3cd761e4 803 if (s->keep_alive_cnt)
209e9dcd
SS		 804 fprintf(f,
805 "%sKeepAliveProbes: %u\n",
806 prefix, s->keep_alive_cnt);
807
3cd761e4 808 if (s->defer_accept)
cc567c9b 809 fprintf(f,
3cd761e4
LP		 810 "%sDeferAcceptSec: %s\n",
811 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
cc567c9b 812
034c6ed7 813 LIST_FOREACH(port, p, s->ports) {
5cb5a6ff 814
542563ba
LP		 815 if (p->type == SOCKET_SOCKET) {
816 const char *t;
817 int r;
e364ad06 818 char *k = NULL;
542563ba 819
e53fc357
LP		 820 r = socket_address_print(&p->address, &k);
821 if (r < 0)
542563ba
LP		 822 t = strerror(-r);
823 else
824 t = k;
825
7a22745a 826 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
542563ba 827 free(k);
b0a3f2bc
LP		 828 } else if (p->type == SOCKET_SPECIAL)
829 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
60252446
PS		 830 else if (p->type == SOCKET_USB_FUNCTION)
831 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
916abb21
LP		 832 else if (p->type == SOCKET_MQUEUE)
833 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
b0a3f2bc 834 else
542563ba
LP		 835 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
836 }
5cb5a6ff 837
1745fa70
EV		 838 fprintf(f,
839 "%sTriggerLimitIntervalSec: %s\n"
840 "%sTriggerLimitBurst: %u\n",
841 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
842 prefix, s->trigger_limit.burst);
843
5cb5a6ff 844 exec_context_dump(&s->exec_context, f, prefix);
4819ff03 845 kill_context_dump(&s->kill_context, f, prefix);
5cb5a6ff 846
e537352b 847 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
c43d20a0
LP		 848 if (!s->exec_command[c])
849 continue;
5cb5a6ff 850
40d50879 851 fprintf(f, "%s-> %s:\n",
a16e1123 852 prefix, socket_exec_command_to_string(c));
c43d20a0
LP		 853
854 exec_command_dump_list(s->exec_command[c], f, prefix2);
5cb5a6ff 855 }
18f573aa
LP		 856
857 cgroup_context_dump(&s->cgroup_context, f, prefix);
5cb5a6ff
LP		 858}
859
4f2d528d
LP		 860static int instance_from_socket(int fd, unsigned nr, char **instance) {
861 socklen_t l;
862 char *r;
9d16d0c7 863 union sockaddr_union local, remote;
4f2d528d
LP		 864
865 assert(fd >= 0);
866 assert(instance);
867
868 l = sizeof(local);
869 if (getsockname(fd, &local.sa, &l) < 0)
870 return -errno;
871
872 l = sizeof(remote);
873 if (getpeername(fd, &remote.sa, &l) < 0)
874 return -errno;
875
876 switch (local.sa.sa_family) {
877
878 case AF_INET: {
879 uint32_t
8e38570e
LP		 880 a = be32toh(local.in.sin_addr.s_addr),
881 b = be32toh(remote.in.sin_addr.s_addr);
4f2d528d
LP		 882
883 if (asprintf(&r,
77b088c2
LP		 884 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
885 nr,
4f2d528d 886 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
8e38570e 887 be16toh(local.in.sin_port),
4f2d528d 888 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
8e38570e 889 be16toh(remote.in.sin_port)) < 0)
4f2d528d
LP		 890 return -ENOMEM;
891
892 break;
893 }
894
895 case AF_INET6: {
c65a0b14 896 static const unsigned char ipv4_prefix[] = {
2b061f5a
LP		 897 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
898 };
899
900 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
901 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
902 const uint8_t
903 *a = local.in6.sin6_addr.s6_addr+12,
904 *b = remote.in6.sin6_addr.s6_addr+12;
905
906 if (asprintf(&r,
77b088c2
LP		 907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
2b061f5a 909 a[0], a[1], a[2], a[3],
8e38570e 910 be16toh(local.in6.sin6_port),
2b061f5a 911 b[0], b[1], b[2], b[3],
8e38570e 912 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 913 return -ENOMEM;
914 } else {
915 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
916
917 if (asprintf(&r,
77b088c2
LP		 918 "%u-%s:%u-%s:%u",
919 nr,
2b061f5a 920 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
8e38570e 921 be16toh(local.in6.sin6_port),
2b061f5a 922 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
8e38570e 923 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 924 return -ENOMEM;
925 }
4f2d528d
LP		 926
927 break;
928 }
929
930 case AF_UNIX: {
931 struct ucred ucred;
eff05270 932 int k;
4f2d528d 933
eff05270 934 k = getpeercred(fd, &ucred);
d38f6e34
ZJS		 935 if (k >= 0) {
936 if (asprintf(&r,
937 "%u-"PID_FMT"-"UID_FMT,
938 nr, ucred.pid, ucred.uid) < 0)
939 return -ENOMEM;
940 } else if (k == -ENODATA) {
941 /* This handles the case where somebody is
942 * connecting from another pid/uid namespace
943 * (e.g. from outside of our container). */
944 if (asprintf(&r,
945 "%u-unknown",
946 nr) < 0)
947 return -ENOMEM;
948 } else
eff05270 949 return k;
2f20a8eb 950
2f20a8eb 951 break;
4f2d528d
LP		 952 }
953
359a5bcf
SH		 954 case AF_VSOCK:
955 if (asprintf(&r,
956 "%u-%u:%u-%u:%u",
957 nr,
958 local.vm.svm_cid, local.vm.svm_port,
959 remote.vm.svm_cid, remote.vm.svm_port) < 0)
960 return -ENOMEM;
961
962 break;
963
4f2d528d
LP		 964 default:
965 assert_not_reached("Unhandled socket type.");
966 }
967
968 *instance = r;
969 return 0;
970}
971
034c6ed7 972static void socket_close_fds(Socket *s) {
83c60c9f 973 SocketPort *p;
811ba7a0 974 char **i;
83c60c9f
LP		 975
976 assert(s);
977
034c6ed7 978 LIST_FOREACH(port, p, s->ports) {
18e854f8 979 bool was_open;
718db961 980
18e854f8 981 was_open = p->fd >= 0;
83c60c9f 982
18e854f8 983 p->event_source = sd_event_source_unref(p->event_source);
03e334a1 984 p->fd = safe_close(p->fd);
15087cdb 985 socket_cleanup_fd_list(p);
a16e1123 986
18e854f8
LP		 987 /* One little note: we should normally not delete any sockets in the file system here! After all some
988 * other process we spawned might still have a reference of this fd and wants to continue to use
989 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
990 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
991 * anyway, but only then. */
bd1fe7c7 992
18e854f8
LP		 993 if (!was_open || !s->remove_on_stop)
994 continue;
995
996 switch (p->type) {
bd1fe7c7 997
18e854f8
LP		 998 case SOCKET_FIFO:
999 (void) unlink(p->path);
1000 break;
bd1fe7c7 1001
18e854f8
LP		 1002 case SOCKET_MQUEUE:
1003 (void) mq_unlink(p->path);
1004 break;
bd1fe7c7 1005
18e854f8
LP		 1006 case SOCKET_SOCKET:
1007 (void) socket_address_unlink(&p->address);
1008 break;
bd1fe7c7 1009
18e854f8
LP		 1010 default:
1011 break;
bd1fe7c7 1012 }
83c60c9f 1013 }
811ba7a0
LP		 1014
1015 if (s->remove_on_stop)
1016 STRV_FOREACH(i, s->symlinks)
18e854f8 1017 (void) unlink(*i);
83c60c9f
LP		 1018}
1019
4fd5948e 1020static void socket_apply_socket_options(Socket *s, int fd) {
d53e386d
LP		 1021 int r;
1022
4fd5948e
LP		 1023 assert(s);
1024 assert(fd >= 0);
1025
1026 if (s->keep_alive) {
1027 int b = s->keep_alive;
1028 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
f2341e0a 1029 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
4fd5948e
LP		 1030 }
1031
209e9dcd
SS		 1032 if (s->keep_alive_time) {
1033 int value = s->keep_alive_time / USEC_PER_SEC;
1034 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
f2341e0a 1035 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
209e9dcd
SS		 1036 }
1037
1038 if (s->keep_alive_interval) {
920b52e4 1039 int value = s->keep_alive_interval / USEC_PER_SEC;
209e9dcd 1040 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
f2341e0a 1041 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
209e9dcd
SS		 1042 }
1043
1044 if (s->keep_alive_cnt) {
1045 int value = s->keep_alive_cnt;
172cfe87 1046 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
f2341e0a 1047 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
209e9dcd
SS		 1048 }
1049
cc567c9b
SS		 1050 if (s->defer_accept) {
1051 int value = s->defer_accept / USEC_PER_SEC;
1052 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
f2341e0a 1053 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
cc567c9b
SS		 1054 }
1055
4427c3f4
SS		 1056 if (s->no_delay) {
1057 int b = s->no_delay;
62bc4efc
SS		 1058
1059 if (s->socket_protocol == IPPROTO_SCTP) {
1060 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1061 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1062 } else {
1063 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1064 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1065 }
4427c3f4
SS		 1066 }
1067
ec6370a2
LP		 1068 if (s->broadcast) {
1069 int one = 1;
1070 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
f2341e0a 1071 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
ec6370a2
LP		 1072 }
1073
d68af586
MS		 1074 if (s->pass_cred) {
1075 int one = 1;
1076 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
f2341e0a 1077 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
d68af586
MS		 1078 }
1079
54ecda32
LP		 1080 if (s->pass_sec) {
1081 int one = 1;
1082 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
f2341e0a 1083 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
54ecda32
LP		 1084 }
1085
4fd5948e
LP		 1086 if (s->priority >= 0)
1087 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
f2341e0a 1088 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
4fd5948e
LP		 1089
1090 if (s->receive_buffer > 0) {
1091 int value = (int) s->receive_buffer;
7d9eaa84
LP		 1092
1093 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1094
b8cef44e 1095 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1096 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
f2341e0a 1097 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
4fd5948e
LP		 1098 }
1099
1100 if (s->send_buffer > 0) {
1101 int value = (int) s->send_buffer;
b8cef44e 1102 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1103 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
f2341e0a 1104 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
4fd5948e
LP		 1105 }
1106
1107 if (s->mark >= 0)
1108 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
f2341e0a 1109 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
4fd5948e
LP		 1110
1111 if (s->ip_tos >= 0)
1112 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
f2341e0a 1113 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
4fd5948e 1114
46925ac5 1115 if (s->ip_ttl >= 0) {
d53e386d 1116 int x;
46925ac5
LP		 1117
1118 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
5bfcc1c6
FF		 1119
1120 if (socket_ipv6_is_supported())
1121 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1122 else {
1123 x = -1;
1124 errno = EAFNOSUPPORT;
1125 }
46925ac5
LP		 1126
1127 if (r < 0 && x < 0)
f2341e0a 1128 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
46925ac5 1129 }
cebf8b20
TT		 1130
1131 if (s->tcp_congestion)
1132 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
f2341e0a 1133 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
0eb59ccf 1134
d53e386d 1135 if (s->smack_ip_in) {
5ab58c20 1136 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
d53e386d 1137 if (r < 0)
f2341e0a 1138 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
d53e386d 1139 }
9a4e038c 1140
d53e386d 1141 if (s->smack_ip_out) {
5ab58c20 1142 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
d53e386d 1143 if (r < 0)
f2341e0a 1144 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
d53e386d 1145 }
4fd5948e
LP		 1146}
1147
b15bdda8 1148static void socket_apply_fifo_options(Socket *s, int fd) {
d53e386d
LP		 1149 int r;
1150
4fd5948e
LP		 1151 assert(s);
1152 assert(fd >= 0);
1153
1154 if (s->pipe_size > 0)
1155 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
ed460b07 1156 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
0eb59ccf 1157
d53e386d 1158 if (s->smack) {
5ab58c20 1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
d53e386d 1160 if (r < 0)
ed460b07 1161 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
d53e386d 1162 }
4fd5948e
LP		 1163}
1164
b15bdda8
LP		 1165static int fifo_address_create(
1166 const char *path,
1167 mode_t directory_mode,
e8da24a6 1168 mode_t socket_mode) {
b15bdda8 1169
e8da24a6 1170 _cleanup_close_ int fd = -1;
b15bdda8 1171 mode_t old_mask;
e8da24a6
LP		 1172 struct stat st;
1173 int r;
b15bdda8
LP		 1174
1175 assert(path);
b15bdda8 1176
d2e54fae 1177 mkdir_parents_label(path, directory_mode);
b15bdda8 1178
ecabcf8b 1179 r = mac_selinux_create_file_prepare(path, S_IFIFO);
e9a5ef7c 1180 if (r < 0)
e8da24a6 1181 return r;
b15bdda8
LP		 1182
1183 /* Enforce the right access mode for the fifo */
1184 old_mask = umask(~ socket_mode);
1185
1186 /* Include the original umask in our mask */
e8da24a6 1187 (void) umask(~socket_mode | old_mask);
b15bdda8
LP		 1188
1189 r = mkfifo(path, socket_mode);
e8da24a6 1190 (void) umask(old_mask);
b15bdda8 1191
94bc2731 1192 if (r < 0 && errno != EEXIST) {
b15bdda8
LP		 1193 r = -errno;
1194 goto fail;
1195 }
1196
e8da24a6 1197 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
3cc2aff1 1198 if (fd < 0) {
b15bdda8
LP		 1199 r = -errno;
1200 goto fail;
1201 }
1202
ecabcf8b 1203 mac_selinux_create_file_clear();
7a58bfa4 1204
b15bdda8
LP		 1205 if (fstat(fd, &st) < 0) {
1206 r = -errno;
1207 goto fail;
1208 }
1209
1210 if (!S_ISFIFO(st.st_mode) ||
de0200fc 1211 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
e4f44e73
DR		 1212 st.st_uid != getuid() ||
1213 st.st_gid != getgid()) {
b15bdda8
LP		 1214 r = -EEXIST;
1215 goto fail;
1216 }
1217
e8da24a6
LP		 1218 r = fd;
1219 fd = -1;
1220
1221 return r;
b15bdda8
LP		 1222
1223fail:
ecabcf8b 1224 mac_selinux_create_file_clear();
b15bdda8
LP		 1225 return r;
1226}
1227
55301ec0 1228static int special_address_create(const char *path, bool writable) {
e8da24a6 1229 _cleanup_close_ int fd = -1;
b0a3f2bc 1230 struct stat st;
e8da24a6 1231 int r;
b0a3f2bc
LP		 1232
1233 assert(path);
b0a3f2bc 1234
55301ec0 1235 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
e8da24a6
LP		 1236 if (fd < 0)
1237 return -errno;
b0a3f2bc 1238
e8da24a6
LP		 1239 if (fstat(fd, &st) < 0)
1240 return -errno;
b0a3f2bc
LP		 1241
1242 /* Check whether this is a /proc, /sys or /dev file or char device */
e8da24a6
LP		 1243 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1244 return -EEXIST;
b0a3f2bc 1245
e8da24a6
LP		 1246 r = fd;
1247 fd = -1;
b0a3f2bc
LP		 1248
1249 return r;
1250}
1251
36078102 1252static int usbffs_address_create(const char *path) {
60252446
PS		 1253 _cleanup_close_ int fd = -1;
1254 struct stat st;
e8da24a6 1255 int r;
60252446
PS		 1256
1257 assert(path);
60252446
PS		 1258
1259 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1260 if (fd < 0)
1261 return -errno;
1262
1263 if (fstat(fd, &st) < 0)
1264 return -errno;
1265
13e785f7 1266 /* Check whether this is a regular file (ffs endpoint) */
60252446
PS		 1267 if (!S_ISREG(st.st_mode))
1268 return -EEXIST;
1269
e8da24a6 1270 r = fd;
60252446
PS		 1271 fd = -1;
1272
e8da24a6 1273 return r;
60252446
PS		 1274}
1275
916abb21
LP		 1276static int mq_address_create(
1277 const char *path,
1278 mode_t mq_mode,
1279 long maxmsg,
e8da24a6 1280 long msgsize) {
916abb21 1281
e8da24a6 1282 _cleanup_close_ int fd = -1;
916abb21
LP		 1283 struct stat st;
1284 mode_t old_mask;
1285 struct mq_attr _attr, *attr = NULL;
e8da24a6 1286 int r;
916abb21
LP		 1287
1288 assert(path);
916abb21
LP		 1289
1290 if (maxmsg > 0 && msgsize > 0) {
e8da24a6
LP		 1291 _attr = (struct mq_attr) {
1292 .mq_flags = O_NONBLOCK,
1293 .mq_maxmsg = maxmsg,
1294 .mq_msgsize = msgsize,
1295 };
916abb21
LP		 1296 attr = &_attr;
1297 }
1298
1299 /* Enforce the right access mode for the mq */
1300 old_mask = umask(~ mq_mode);
1301
1302 /* Include the original umask in our mask */
e8da24a6 1303 (void) umask(~mq_mode | old_mask);
916abb21 1304 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
e8da24a6 1305 (void) umask(old_mask);
916abb21 1306
e8da24a6
LP		 1307 if (fd < 0)
1308 return -errno;
916abb21 1309
e8da24a6
LP		 1310 if (fstat(fd, &st) < 0)
1311 return -errno;
916abb21
LP		 1312
1313 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1314 st.st_uid != getuid() ||
e8da24a6
LP		 1315 st.st_gid != getgid())
1316 return -EEXIST;
916abb21 1317
e8da24a6
LP		 1318 r = fd;
1319 fd = -1;
916abb21 1320
916abb21
LP		 1321 return r;
1322}
1323
811ba7a0
LP		 1324static int socket_symlink(Socket *s) {
1325 const char *p;
1326 char **i;
1327
1328 assert(s);
1329
1330 p = socket_find_symlink_target(s);
1331 if (!p)
1332 return 0;
1333
1334 STRV_FOREACH(i, s->symlinks)
43b133b4 1335 symlink_label(p, *i);
811ba7a0
LP		 1336
1337 return 0;
1338}
1339
36078102 1340static int usbffs_write_descs(int fd, Service *s) {
6b7e5923
PS		 1341 int r;
1342
1343 if (!s->usb_function_descriptors || !s->usb_function_strings)
1344 return -EINVAL;
1345
1c876927 1346 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
6b7e5923 1347 if (r < 0)
e8da24a6 1348 return r;
6b7e5923 1349
1c876927 1350 return copy_file_fd(s->usb_function_strings, fd, 0);
6b7e5923
PS		 1351}
1352
36078102 1353static int usbffs_select_ep(const struct dirent *d) {
60252446
PS		 1354 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1355}
1356
36078102 1357static int usbffs_dispatch_eps(SocketPort *p) {
60252446 1358 _cleanup_free_ struct dirent **ent = NULL;
36078102 1359 int r, i, n, k;
60252446 1360
00bb64ec 1361 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
60252446
PS		 1362 if (r < 0)
1363 return -errno;
1364
1365 n = r;
1366 p->auxiliary_fds = new(int, n);
1367 if (!p->auxiliary_fds)
1368 return -ENOMEM;
1369
1370 p->n_auxiliary_fds = n;
1371
1372 k = 0;
1373 for (i = 0; i < n; ++i) {
1374 _cleanup_free_ char *ep = NULL;
1375
00bb64ec 1376 ep = path_make_absolute(ent[i]->d_name, p->path);
60252446
PS		 1377 if (!ep)
1378 return -ENOMEM;
1379
1380 path_kill_slashes(ep);
1381
36078102 1382 r = usbffs_address_create(ep);
60252446
PS		 1383 if (r < 0)
1384 goto fail;
1385
e8da24a6
LP		 1386 p->auxiliary_fds[k] = r;
1387
60252446
PS		 1388 ++k;
1389 free(ent[i]);
1390 }
1391
1392 return r;
1393
1394fail:
e8da24a6 1395 close_many(p->auxiliary_fds, k);
60252446
PS		 1396 p->auxiliary_fds = mfree(p->auxiliary_fds);
1397 p->n_auxiliary_fds = 0;
1398
1399 return r;
1400}
1401
d24e561d
LP		 1402static int socket_determine_selinux_label(Socket *s, char **ret) {
1403 ExecCommand *c;
1404 int r;
1405
1406 assert(s);
1407 assert(ret);
1408
1409 if (s->selinux_context_from_net) {
1410 /* If this is requested, get label from the network label */
1411
1412 r = mac_selinux_get_our_label(ret);
1413 if (r == -EOPNOTSUPP)
1414 goto no_label;
1415
1416 } else {
1417 /* Otherwise, get it from the executable we are about to start */
1418 r = socket_instantiate_service(s);
1419 if (r < 0)
1420 return r;
1421
1422 if (!UNIT_ISSET(s->service))
1423 goto no_label;
1424
1425 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1426 if (!c)
1427 goto no_label;
1428
1429 r = mac_selinux_get_create_label_from_exe(c->path, ret);
1430 if (r == -EPERM || r == -EOPNOTSUPP)
1431 goto no_label;
1432 }
1433
1434 return r;
1435
1436no_label:
1437 *ret = NULL;
1438 return 0;
1439}
1440
a79279c7
LP		 1441static int socket_address_listen_do(
1442 Socket *s,
1443 const SocketAddress *address,
1444 const char *label) {
1445
1446 assert(s);
1447 assert(address);
1448
1449 return socket_address_listen(
1450 address,
1451 SOCK_CLOEXEC|SOCK_NONBLOCK,
1452 s->backlog,
1453 s->bind_ipv6_only,
1454 s->bind_to_device,
1455 s->reuse_port,
1456 s->free_bind,
1457 s->transparent,
1458 s->directory_mode,
1459 s->socket_mode,
1460 label);
1461}
1462
1463static int socket_address_listen_in_cgroup(
1464 Socket *s,
1465 const SocketAddress *address,
1466 const char *label) {
1467
1468 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1469 int fd, r;
1470 pid_t pid;
1471
1472 assert(s);
1473 assert(address);
1474
1475 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1476 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1477 * unit's cgroup for the purpose of BPF filtering and such. */
1478
1479 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1480 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1481
1482 r = bpf_firewall_supported();
1483 if (r < 0)
1484 return r;
1485 if (r == 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1486 goto shortcut;
1487
1488 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1489 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1490
1491 r = unit_fork_helper_process(UNIT(s), &pid);
1492 if (r < 0)
1493 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1494 if (r == 0) {
1495 /* Child */
1496
1497 pair[0] = safe_close(pair[0]);
1498
1499 fd = socket_address_listen_do(s, address, label);
1500 if (fd < 0) {
1501 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1502 _exit(EXIT_FAILURE);
1503 }
1504
1505 r = send_one_fd(pair[1], fd, 0);
1506 if (r < 0) {
1507 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1508 _exit(EXIT_FAILURE);
1509 }
1510
1511 _exit(EXIT_SUCCESS);
1512 }
1513
1514 pair[1] = safe_close(pair[1]);
1515 fd = receive_one_fd(pair[0], 0);
1516
1517 /* We synchronously wait for the helper, as it shouldn't be slow */
1518 r = wait_for_terminate_and_warn("listen-cgroup-helper", pid, false);
1519 if (r < 0) {
1520 safe_close(fd);
1521 return r;
1522 }
1523
1524 if (fd < 0)
1525 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1526
1527 return fd;
1528
1529shortcut:
1530 fd = socket_address_listen_do(s, address, label);
1531 if (fd < 0)
1532 return log_error_errno(fd, "Failed to create listening socket: %m");
1533
1534 return fd;
1535}
1536
034c6ed7 1537static int socket_open_fds(Socket *s) {
710a6b50
LP		 1538 _cleanup_(mac_selinux_freep) char *label = NULL;
1539 bool know_label = false;
83c60c9f
LP		 1540 SocketPort *p;
1541 int r;
1542
1543 assert(s);
1544
034c6ed7 1545 LIST_FOREACH(port, p, s->ports) {
83c60c9f 1546
034c6ed7
LP		 1547 if (p->fd >= 0)
1548 continue;
83c60c9f 1549
00411a13
LP		 1550 switch (p->type) {
1551
1552 case SOCKET_SOCKET:
049f8642 1553
7f416dae 1554 if (!know_label) {
d24e561d
LP		 1555 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1556 * we need this and remember it for the rest. */
7f416dae 1557
d24e561d
LP		 1558 r = socket_determine_selinux_label(s, &label);
1559 if (r < 0)
1560 goto rollback;
049f8642
LP		 1561
1562 know_label = true;
1563 }
1564
74bb646e 1565 /* Apply the socket protocol */
d24e561d 1566 switch (p->address.type) {
d2a50e3b 1567
74bb646e
SS		 1568 case SOCK_STREAM:
1569 case SOCK_SEQPACKET:
d24e561d
LP		 1570 if (s->socket_protocol == IPPROTO_SCTP)
1571 p->address.protocol = s->socket_protocol;
74bb646e 1572 break;
d2a50e3b 1573
74bb646e 1574 case SOCK_DGRAM:
d24e561d
LP		 1575 if (s->socket_protocol == IPPROTO_UDPLITE)
1576 p->address.protocol = s->socket_protocol;
74bb646e
SS		 1577 break;
1578 }
1579
a79279c7 1580 r = socket_address_listen_in_cgroup(s, &p->address, label);
175a3d25 1581 if (r < 0)
83c60c9f
LP		 1582 goto rollback;
1583
175a3d25 1584 p->fd = r;
4fd5948e 1585 socket_apply_socket_options(s, p->fd);
811ba7a0 1586 socket_symlink(s);
00411a13 1587 break;
4fd5948e 1588
00411a13 1589 case SOCKET_SPECIAL:
b0a3f2bc 1590
55301ec0 1591 p->fd = special_address_create(p->path, s->writable);
e8da24a6
LP		 1592 if (p->fd < 0) {
1593 r = p->fd;
b0a3f2bc 1594 goto rollback;
e8da24a6 1595 }
00411a13 1596 break;
b0a3f2bc 1597
00411a13 1598 case SOCKET_FIFO:
83c60c9f 1599
e8da24a6 1600 p->fd = fifo_address_create(
175a3d25
LP		 1601 p->path,
1602 s->directory_mode,
e8da24a6
LP		 1603 s->socket_mode);
1604 if (p->fd < 0) {
1605 r = p->fd;
83c60c9f 1606 goto rollback;
e8da24a6 1607 }
83c60c9f 1608
b15bdda8 1609 socket_apply_fifo_options(s, p->fd);
811ba7a0 1610 socket_symlink(s);
00411a13 1611 break;
811ba7a0 1612
00411a13 1613 case SOCKET_MQUEUE:
83c60c9f 1614
e8da24a6 1615 p->fd = mq_address_create(
175a3d25
LP		 1616 p->path,
1617 s->socket_mode,
1618 s->mq_maxmsg,
e8da24a6
LP		 1619 s->mq_msgsize);
1620 if (p->fd < 0) {
1621 r = p->fd;
916abb21 1622 goto rollback;
e8da24a6 1623 }
00411a13 1624 break;
e8da24a6 1625
d2a50e3b 1626 case SOCKET_USB_FUNCTION: {
27a6ea91 1627 _cleanup_free_ char *ep = NULL;
60252446 1628
27a6ea91
GB		 1629 ep = path_make_absolute("ep0", p->path);
1630
1631 p->fd = usbffs_address_create(ep);
e8da24a6
LP		 1632 if (p->fd < 0) {
1633 r = p->fd;
60252446 1634 goto rollback;
e8da24a6 1635 }
60252446 1636
36078102 1637 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
6b7e5923
PS		 1638 if (r < 0)
1639 goto rollback;
1640
36078102 1641 r = usbffs_dispatch_eps(p);
60252446
PS		 1642 if (r < 0)
1643 goto rollback;
00411a13
LP		 1644
1645 break;
27a6ea91 1646 }
00411a13 1647 default:
b15bdda8 1648 assert_not_reached("Unknown port type");
00411a13 1649 }
034c6ed7
LP		 1650 }
1651
1652 return 0;
1653
1654rollback:
1655 socket_close_fds(s);
1656 return r;
1657}
1658
1659static void socket_unwatch_fds(Socket *s) {
1660 SocketPort *p;
718db961 1661 int r;
9152c765 1662
034c6ed7
LP		 1663 assert(s);
1664
1665 LIST_FOREACH(port, p, s->ports) {
1666 if (p->fd < 0)
1667 continue;
1668
a4152e3f
LP		 1669 if (!p->event_source)
1670 continue;
1671
1672 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1673 if (r < 0)
f2341e0a 1674 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
83c60c9f 1675 }
034c6ed7
LP		 1676}
1677
1678static int socket_watch_fds(Socket *s) {
1679 SocketPort *p;
1680 int r;
1681
1682 assert(s);
83c60c9f 1683
034c6ed7
LP		 1684 LIST_FOREACH(port, p, s->ports) {
1685 if (p->fd < 0)
1686 continue;
1687
cbf60d0a 1688 if (p->event_source) {
718db961 1689 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
cbf60d0a
LP		 1690 if (r < 0)
1691 goto fail;
1692 } else {
151b9b96 1693 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
cbf60d0a
LP		 1694 if (r < 0)
1695 goto fail;
4f2d528d 1696
cbf60d0a 1697 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
718db961 1698 }
034c6ed7 1699 }
83c60c9f 1700
542563ba 1701 return 0;
83c60c9f 1702
034c6ed7 1703fail:
cbf60d0a 1704 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
034c6ed7
LP		 1705 socket_unwatch_fds(s);
1706 return r;
1707}
1708
01a8b467
LP		 1709enum {
1710 SOCKET_OPEN_NONE,
1711 SOCKET_OPEN_SOME,
1712 SOCKET_OPEN_ALL,
1713};
1714
1715static int socket_check_open(Socket *s) {
1716 bool have_open = false, have_closed = false;
1717 SocketPort *p;
1718
1719 assert(s);
1720
1721 LIST_FOREACH(port, p, s->ports) {
1722 if (p->fd < 0)
1723 have_closed = true;
1724 else
1725 have_open = true;
1726
1727 if (have_open && have_closed)
1728 return SOCKET_OPEN_SOME;
1729 }
1730
1731 if (have_open)
1732 return SOCKET_OPEN_ALL;
1733
1734 return SOCKET_OPEN_NONE;
1735}
1736
034c6ed7
LP		 1737static void socket_set_state(Socket *s, SocketState state) {
1738 SocketState old_state;
1739 assert(s);
1740
1741 old_state = s->state;
1742 s->state = state;
1743
bd1fe7c7
LP		 1744 if (!IN_SET(state,
1745 SOCKET_START_PRE,
3900e5fd 1746 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1747 SOCKET_START_POST,
1748 SOCKET_STOP_PRE,
1749 SOCKET_STOP_PRE_SIGTERM,
1750 SOCKET_STOP_PRE_SIGKILL,
1751 SOCKET_STOP_POST,
1752 SOCKET_FINAL_SIGTERM,
1753 SOCKET_FINAL_SIGKILL)) {
718db961
LP		 1754
1755 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
5e94833f 1756 socket_unwatch_control_pid(s);
034c6ed7 1757 s->control_command = NULL;
a16e1123 1758 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
e537352b 1759 }
034c6ed7 1760
a16e1123
LP		 1761 if (state != SOCKET_LISTENING)
1762 socket_unwatch_fds(s);
1763
bd1fe7c7 1764 if (!IN_SET(state,
3900e5fd 1765 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1766 SOCKET_START_POST,
1767 SOCKET_LISTENING,
1768 SOCKET_RUNNING,
1769 SOCKET_STOP_PRE,
1770 SOCKET_STOP_PRE_SIGTERM,
1771 SOCKET_STOP_PRE_SIGKILL))
034c6ed7
LP		 1772 socket_close_fds(s);
1773
e537352b 1774 if (state != old_state)
f2341e0a 1775 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
acbb0225 1776
e2f3b44c 1777 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
034c6ed7
LP		 1778}
1779
be847e82 1780static int socket_coldplug(Unit *u) {
a16e1123
LP		 1781 Socket *s = SOCKET(u);
1782 int r;
1783
1784 assert(s);
1785 assert(s->state == SOCKET_DEAD);
1786
e821075a
LP		 1787 if (s->deserialized_state == s->state)
1788 return 0;
a16e1123 1789
c386f588
LP		 1790 if (s->control_pid > 0 &&
1791 pid_is_unwaited(s->control_pid) &&
1792 IN_SET(s->deserialized_state,
3900e5fd
LP		 1793 SOCKET_START_PRE,
1794 SOCKET_START_CHOWN,
1795 SOCKET_START_POST,
1796 SOCKET_STOP_PRE,
1797 SOCKET_STOP_PRE_SIGTERM,
1798 SOCKET_STOP_PRE_SIGKILL,
1799 SOCKET_STOP_POST,
1800 SOCKET_FINAL_SIGTERM,
1801 SOCKET_FINAL_SIGKILL)) {
a16e1123 1802
e821075a
LP		 1803 r = unit_watch_pid(UNIT(s), s->control_pid);
1804 if (r < 0)
1805 return r;
a16e1123 1806
36c16a7c 1807 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
e821075a
LP		 1808 if (r < 0)
1809 return r;
1810 }
a16e1123 1811
3900e5fd
LP		 1812 if (IN_SET(s->deserialized_state,
1813 SOCKET_START_CHOWN,
1814 SOCKET_START_POST,
1815 SOCKET_LISTENING,
01a8b467
LP		 1816 SOCKET_RUNNING)) {
1817
1818 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1819 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1820 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1821 * and if there's a mismatch, warn loudly. */
1822
1823 r = socket_check_open(s);
1824 if (r == SOCKET_OPEN_NONE)
1825 log_unit_warning(UNIT(s),
1826 "Socket unit configuration has changed while unit has been running, "
1827 "no open socket file descriptor left. "
1828 "The socket unit is not functional until restarted.");
1829 else if (r == SOCKET_OPEN_SOME)
1830 log_unit_warning(UNIT(s),
1831 "Socket unit configuration has changed while unit has been running, "
1832 "and some socket file descriptors have not been opened yet. "
1833 "The socket unit is not fully functional until restarted.");
e821075a 1834 }
a16e1123 1835
e821075a
LP		 1836 if (s->deserialized_state == SOCKET_LISTENING) {
1837 r = socket_watch_fds(s);
1838 if (r < 0)
1839 return r;
a16e1123
LP		 1840 }
1841
29206d46
LP		 1842 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED))
1843 (void) unit_setup_dynamic_creds(u);
1844
e821075a 1845 socket_set_state(s, s->deserialized_state);
a16e1123
LP		 1846 return 0;
1847}
1848
e537352b 1849static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
034c6ed7
LP		 1850 pid_t pid;
1851 int r;
9fa95f85 1852 ExecParameters exec_params = {
1703fa41 1853 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
c39f1ce2
LP		 1854 .stdin_fd = -1,
1855 .stdout_fd = -1,
1856 .stderr_fd = -1,
9fa95f85 1857 };
034c6ed7
LP		 1858
1859 assert(s);
1860 assert(c);
1861 assert(_pid);
1862
5ad096b3 1863 (void) unit_realize_cgroup(UNIT(s));
906c06f6
DM		 1864 if (s->reset_accounting) {
1865 (void) unit_reset_cpu_accounting(UNIT(s));
1866 (void) unit_reset_ip_accounting(UNIT(s));
1867 s->reset_accounting = false;
5ad096b3 1868 }
4ad49000 1869
613b411c
LP		 1870 r = unit_setup_exec_runtime(UNIT(s));
1871 if (r < 0)
36c16a7c 1872 return r;
613b411c 1873
29206d46
LP		 1874 r = unit_setup_dynamic_creds(UNIT(s));
1875 if (r < 0)
1876 return r;
1877
36c16a7c 1878 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 1879 if (r < 0)
36c16a7c 1880 return r;
034c6ed7 1881
19bbdd98 1882 manager_set_exec_params(UNIT(s)->manager, &exec_params);
f0d47797 1883 unit_set_exec_params(UNIT(s), &exec_params);
3536f49e 1884
5125e762 1885 exec_params.argv = c->argv;
9fa95f85 1886
f2341e0a
LP		 1887 r = exec_spawn(UNIT(s),
1888 c,
9e2f7c11 1889 &s->exec_context,
9fa95f85 1890 &exec_params,
613b411c 1891 s->exec_runtime,
29206d46 1892 &s->dynamic_creds,
9e2f7c11 1893 &pid);
cee288ad 1894 if (r < 0)
36c16a7c 1895 return r;
9e2f7c11 1896
3900e5fd 1897 r = unit_watch_pid(UNIT(s), pid);
9e2f7c11 1898 if (r < 0)
3900e5fd 1899 /* FIXME: we need to do something here */
36c16a7c 1900 return r;
034c6ed7 1901
3900e5fd 1902 *_pid = pid;
3536f49e 1903
3900e5fd 1904 return 0;
3900e5fd
LP		 1905}
1906
1907static int socket_chown(Socket *s, pid_t *_pid) {
1908 pid_t pid;
1909 int r;
1910
36c16a7c 1911 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
3900e5fd
LP		 1912 if (r < 0)
1913 goto fail;
1914
1915 /* We have to resolve the user names out-of-process, hence
1916 * let's fork here. It's messy, but well, what can we do? */
1917
a79279c7
LP		 1918 r = unit_fork_helper_process(UNIT(s), &pid);
1919 if (r < 0)
1920 return r;
1921 if (r == 0) {
fed1e721
LP		 1922 uid_t uid = UID_INVALID;
1923 gid_t gid = GID_INVALID;
a79279c7 1924 SocketPort *p;
3900e5fd 1925
a79279c7 1926 /* Child */
3900e5fd
LP		 1927
1928 if (!isempty(s->user)) {
1929 const char *user = s->user;
1930
1931 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1932 if (r < 0) {
a79279c7
LP		 1933 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1934 _exit(EXIT_USER);
3900e5fd
LP		 1935 }
1936 }
1937
1938 if (!isempty(s->group)) {
1939 const char *group = s->group;
1940
1941 r = get_group_creds(&group, &gid);
1942 if (r < 0) {
a79279c7
LP		 1943 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1944 _exit(EXIT_GROUP);
3900e5fd
LP		 1945 }
1946 }
1947
1948 LIST_FOREACH(port, p, s->ports) {
e5a1c18d 1949 const char *path = NULL;
3900e5fd
LP		 1950
1951 if (p->type == SOCKET_SOCKET)
1952 path = socket_address_get_path(&p->address);
1953 else if (p->type == SOCKET_FIFO)
1954 path = p->path;
1955
1956 if (!path)
1957 continue;
1958
1959 if (chown(path, uid, gid) < 0) {
a79279c7
LP		 1960 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1961 _exit(EXIT_CHOWN);
3900e5fd
LP		 1962 }
1963 }
1964
a79279c7 1965 _exit(EXIT_SUCCESS);
3900e5fd
LP		 1966 }
1967
718db961
LP		 1968 r = unit_watch_pid(UNIT(s), pid);
1969 if (r < 0)
034c6ed7 1970 goto fail;
83c60c9f 1971
034c6ed7 1972 *_pid = pid;
034c6ed7
LP		 1973 return 0;
1974
1975fail:
718db961 1976 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
83c60c9f 1977 return r;
542563ba
LP		 1978}
1979
cfc4eb4c 1980static void socket_enter_dead(Socket *s, SocketResult f) {
034c6ed7
LP		 1981 assert(s);
1982
a0fef983 1983 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 1984 s->result = f;
034c6ed7 1985
29206d46
LP		 1986 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
1987
613b411c
LP		 1988 exec_runtime_destroy(s->exec_runtime);
1989 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
1990
3536f49e 1991 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
e66cf1a3 1992
00d9ef85
LP		 1993 unit_unref_uid_gid(UNIT(s), true);
1994
29206d46 1995 dynamic_creds_destroy(&s->dynamic_creds);
034c6ed7
LP		 1996}
1997
cfc4eb4c 1998static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
80876c20 1999
cfc4eb4c 2000static void socket_enter_stop_post(Socket *s, SocketResult f) {
034c6ed7
LP		 2001 int r;
2002 assert(s);
2003
a0fef983 2004 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2005 s->result = f;
034c6ed7 2006
5e94833f 2007 socket_unwatch_control_pid(s);
a16e1123 2008 s->control_command_id = SOCKET_EXEC_STOP_POST;
3900e5fd 2009 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
a16e1123 2010
3900e5fd
LP		 2011 if (s->control_command) {
2012 r = socket_spawn(s, s->control_command, &s->control_pid);
2013 if (r < 0)
034c6ed7
LP		 2014 goto fail;
2015
80876c20
LP		 2016 socket_set_state(s, SOCKET_STOP_POST);
2017 } else
cfc4eb4c 2018 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
034c6ed7
LP		 2019
2020 return;
2021
2022fail:
f2341e0a 2023 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
cfc4eb4c 2024 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2025}
2026
cfc4eb4c 2027static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
034c6ed7
LP		 2028 int r;
2029
2030 assert(s);
2031
a0fef983 2032 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2033 s->result = f;
034c6ed7 2034
cd2086fe
LP		 2035 r = unit_kill_context(
2036 UNIT(s),
2037 &s->kill_context,
db2cb23b
UTL		 2038 (state != SOCKET_STOP_PRE_SIGTERM && state != SOCKET_FINAL_SIGTERM) ?
2039 KILL_KILL : KILL_TERMINATE,
cd2086fe
LP		 2040 -1,
2041 s->control_pid,
2042 false);
2043 if (r < 0)
2044 goto fail;
034c6ed7 2045
cd2086fe 2046 if (r > 0) {
36c16a7c 2047 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 2048 if (r < 0)
80876c20 2049 goto fail;
d6ea93e3 2050
80876c20 2051 socket_set_state(s, state);
ac84d1fb
LP		 2052 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2053 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2054 else if (state == SOCKET_STOP_PRE_SIGKILL)
cfc4eb4c 2055 socket_enter_stop_post(s, SOCKET_SUCCESS);
ac84d1fb
LP		 2056 else if (state == SOCKET_FINAL_SIGTERM)
2057 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
80876c20 2058 else
cfc4eb4c 2059 socket_enter_dead(s, SOCKET_SUCCESS);
034c6ed7
LP		 2060
2061 return;
2062
2063fail:
f2341e0a 2064 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
034c6ed7
LP		 2065
2066 if (state == SOCKET_STOP_PRE_SIGTERM || state == SOCKET_STOP_PRE_SIGKILL)
cfc4eb4c 2067 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2068 else
cfc4eb4c 2069 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2070}
2071
cfc4eb4c 2072static void socket_enter_stop_pre(Socket *s, SocketResult f) {
034c6ed7
LP		 2073 int r;
2074 assert(s);
2075
a0fef983 2076 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2077 s->result = f;
034c6ed7 2078
5e94833f 2079 socket_unwatch_control_pid(s);
a16e1123 2080 s->control_command_id = SOCKET_EXEC_STOP_PRE;
3900e5fd 2081 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
a16e1123 2082
3900e5fd
LP		 2083 if (s->control_command) {
2084 r = socket_spawn(s, s->control_command, &s->control_pid);
2085 if (r < 0)
034c6ed7
LP		 2086 goto fail;
2087
80876c20
LP		 2088 socket_set_state(s, SOCKET_STOP_PRE);
2089 } else
cfc4eb4c 2090 socket_enter_stop_post(s, SOCKET_SUCCESS);
034c6ed7
LP		 2091
2092 return;
2093
2094fail:
f2341e0a 2095 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
cfc4eb4c 2096 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2097}
2098
e9af15c3
LP		 2099static void socket_enter_listening(Socket *s) {
2100 int r;
2101 assert(s);
2102
cfc4eb4c
LP		 2103 r = socket_watch_fds(s);
2104 if (r < 0) {
f2341e0a 2105 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
e9af15c3
LP		 2106 goto fail;
2107 }
2108
2109 socket_set_state(s, SOCKET_LISTENING);
2110 return;
2111
2112fail:
cfc4eb4c 2113 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
e9af15c3
LP		 2114}
2115
034c6ed7
LP		 2116static void socket_enter_start_post(Socket *s) {
2117 int r;
2118 assert(s);
2119
3900e5fd
LP		 2120 socket_unwatch_control_pid(s);
2121 s->control_command_id = SOCKET_EXEC_START_POST;
2122 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2123
2124 if (s->control_command) {
2125 r = socket_spawn(s, s->control_command, &s->control_pid);
2126 if (r < 0) {
f2341e0a 2127 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
3900e5fd
LP		 2128 goto fail;
2129 }
2130
2131 socket_set_state(s, SOCKET_START_POST);
2132 } else
2133 socket_enter_listening(s);
2134
2135 return;
2136
2137fail:
2138 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2139}
2140
2141static void socket_enter_start_chown(Socket *s) {
2142 int r;
2143
2144 assert(s);
2145
cfc4eb4c
LP		 2146 r = socket_open_fds(s);
2147 if (r < 0) {
f2341e0a 2148 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
034c6ed7
LP		 2149 goto fail;
2150 }
2151
3900e5fd 2152 if (!isempty(s->user) || !isempty(s->group)) {
5e94833f 2153
3900e5fd
LP		 2154 socket_unwatch_control_pid(s);
2155 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2156 s->control_command = NULL;
a16e1123 2157
3900e5fd 2158 r = socket_chown(s, &s->control_pid);
cfc4eb4c 2159 if (r < 0) {
f2341e0a 2160 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
034c6ed7
LP		 2161 goto fail;
2162 }
2163
3900e5fd 2164 socket_set_state(s, SOCKET_START_CHOWN);
80876c20 2165 } else
3900e5fd 2166 socket_enter_start_post(s);
034c6ed7
LP		 2167
2168 return;
2169
2170fail:
cfc4eb4c 2171 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2172}
2173
2174static void socket_enter_start_pre(Socket *s) {
2175 int r;
2176 assert(s);
2177
5e94833f 2178 socket_unwatch_control_pid(s);
a16e1123 2179 s->control_command_id = SOCKET_EXEC_START_PRE;
3900e5fd 2180 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
a16e1123 2181
3900e5fd 2182 if (s->control_command) {
e821075a 2183 r = socket_spawn(s, s->control_command, &s->control_pid);
3900e5fd 2184 if (r < 0) {
f2341e0a 2185 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
034c6ed7 2186 goto fail;
3900e5fd 2187 }
034c6ed7 2188
80876c20
LP		 2189 socket_set_state(s, SOCKET_START_PRE);
2190 } else
3900e5fd 2191 socket_enter_start_chown(s);
034c6ed7
LP		 2192
2193 return;
2194
2195fail:
cfc4eb4c 2196 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2197}
2198
60d9771c
LP		 2199static void flush_ports(Socket *s) {
2200 SocketPort *p;
2201
2202 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2203 * anymore */
2204
2205 LIST_FOREACH(port, p, s->ports) {
2206 if (p->fd < 0)
2207 continue;
2208
2209 (void) flush_accept(p->fd);
2210 (void) flush_fd(p->fd);
2211 }
2212}
2213
4f2d528d 2214static void socket_enter_running(Socket *s, int cfd) {
4afd3348 2215 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
034c6ed7
LP		 2216 int r;
2217
8b26cdbd
LP		 2218 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2219 * close it. */
2220
034c6ed7
LP		 2221 assert(s);
2222
60d9771c 2223 /* We don't take connections anymore if we are supposed to shut down anyway */
31afa0a4 2224 if (unit_stop_pending(UNIT(s))) {
e821075a 2225
f2341e0a 2226 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
5d909e3e 2227
7c610628 2228 if (cfd >= 0)
8b26cdbd 2229 cfd = safe_close(cfd);
60d9771c
LP		 2230 else
2231 flush_ports(s);
7c610628 2232
ba3e67a7
LP		 2233 return;
2234 }
2235
8b26cdbd
LP		 2236 if (!ratelimit_test(&s->trigger_limit)) {
2237 safe_close(cfd);
2238 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2239 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2240 return;
2241 }
2242
4f2d528d 2243 if (cfd < 0) {
57020a3a 2244 Iterator i;
e821075a 2245 Unit *other;
f976f3f6 2246 bool pending = false;
f976f3f6
LP		 2247
2248 /* If there's already a start pending don't bother to
2249 * do anything */
e821075a
LP		 2250 SET_FOREACH(other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2251 if (unit_active_or_pending(other)) {
57020a3a
LP		 2252 pending = true;
2253 break;
2254 }
f976f3f6 2255
1a710b43 2256 if (!pending) {
640ace4a 2257 if (!UNIT_ISSET(s->service)) {
f2341e0a 2258 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
640ace4a
LP		 2259 r = -ENOENT;
2260 goto fail;
2261 }
2262
4bd29fe5 2263 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
1a710b43 2264 if (r < 0)
f976f3f6 2265 goto fail;
1a710b43 2266 }
4f2d528d
LP		 2267
2268 socket_set_state(s, SOCKET_RUNNING);
2269 } else {
e55001eb 2270 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
9d565427 2271 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
b15bdda8 2272 Service *service;
4f2d528d 2273
6cf6bbc2 2274 if (s->n_connections >= s->max_connections) {
ea8f50f8 2275 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
166cf510 2276 s->n_connections);
03e334a1 2277 safe_close(cfd);
6cf6bbc2
LP		 2278 return;
2279 }
2280
9d565427 2281 if (s->max_connections_per_source > 0) {
166cf510 2282 r = socket_acquire_peer(s, cfd, &p);
9d565427
SS		 2283 if (r < 0) {
2284 safe_close(cfd);
2285 return;
166cf510 2286 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
ea8f50f8
ZJS		 2287 _cleanup_free_ char *t = NULL;
2288
41733ae1 2289 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
ea8f50f8 2290
166cf510 2291 log_unit_warning(UNIT(s),
ea8f50f8
ZJS		 2292 "Too many incoming connections (%u) from source %s, dropping connection.",
2293 p->n_ref, strnull(t));
9d565427 2294 safe_close(cfd);
9d565427
SS		 2295 return;
2296 }
2297 }
2298
1a710b43
MS		 2299 r = socket_instantiate_service(s);
2300 if (r < 0)
b15bdda8
LP		 2301 goto fail;
2302
1a710b43
MS		 2303 r = instance_from_socket(cfd, s->n_accepted, &instance);
2304 if (r < 0) {
2305 if (r != -ENOTCONN)
2306 goto fail;
2307
2308 /* ENOTCONN is legitimate if TCP RST was received.
2309 * This connection is over, but the socket unit lives on. */
8b26cdbd 2310 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
03e334a1 2311 safe_close(cfd);
1a710b43
MS		 2312 return;
2313 }
4f2d528d 2314
7410616c
LP		 2315 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2316 if (r < 0)
4f2d528d 2317 goto fail;
4f2d528d 2318
7410616c
LP		 2319 r = unit_name_build(prefix, instance, ".service", &name);
2320 if (r < 0)
b6dbbe1c 2321 goto fail;
4f2d528d 2322
1a710b43 2323 r = unit_add_name(UNIT_DEREF(s->service), name);
e55001eb 2324 if (r < 0)
4f2d528d 2325 goto fail;
b15bdda8 2326
57020a3a
LP		 2327 service = SERVICE(UNIT_DEREF(s->service));
2328 unit_ref_unset(&s->service);
6c073082 2329
e4f67317 2330 s->n_accepted++;
b15bdda8 2331 unit_choose_id(UNIT(service), name);
b15bdda8 2332
16115b0a 2333 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
1a710b43 2334 if (r < 0)
4f2d528d
LP		 2335 goto fail;
2336
8b26cdbd 2337 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
313cefa1 2338 s->n_connections++;
6cf6bbc2 2339
166cf510
ZJS		 2340 service->peer = p; /* Pass ownership of the peer reference */
2341 p = NULL;
9d565427 2342
4bd29fe5 2343 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
3e7a1f50
LP		 2344 if (r < 0) {
2345 /* We failed to activate the new service, but it still exists. Let's make sure the service
2346 * closes and forgets the connection fd again, immediately. */
2347 service_close_socket_fd(service);
4f2d528d 2348 goto fail;
3e7a1f50 2349 }
c4e2ceae
LP		 2350
2351 /* Notify clients about changed counters */
2352 unit_add_to_dbus_queue(UNIT(s));
4f2d528d 2353 }
034c6ed7 2354
034c6ed7
LP		 2355 return;
2356
2357fail:
f2341e0a
LP		 2358 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2359 cfd >= 0 ? "template" : "non-template",
718db961 2360 bus_error_message(&error, r));
e821075a 2361
60089004 2362 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
03e334a1 2363 safe_close(cfd);
034c6ed7
LP		 2364}
2365
cfc4eb4c 2366static void socket_run_next(Socket *s) {
034c6ed7
LP		 2367 int r;
2368
2369 assert(s);
2370 assert(s->control_command);
2371 assert(s->control_command->command_next);
2372
5e94833f
LP		 2373 socket_unwatch_control_pid(s);
2374
034c6ed7
LP		 2375 s->control_command = s->control_command->command_next;
2376
e821075a
LP		 2377 r = socket_spawn(s, s->control_command, &s->control_pid);
2378 if (r < 0)
034c6ed7
LP		 2379 goto fail;
2380
2381 return;
2382
2383fail:
f2341e0a 2384 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
80876c20
LP		 2385
2386 if (s->state == SOCKET_START_POST)
cfc4eb4c 2387 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2388 else if (s->state == SOCKET_STOP_POST)
cfc4eb4c 2389 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2390 else
cfc4eb4c 2391 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2392}
2393
87f0e418
LP		 2394static int socket_start(Unit *u) {
2395 Socket *s = SOCKET(u);
07299350 2396 int r;
83c60c9f
LP		 2397
2398 assert(s);
2399
034c6ed7
LP		 2400 /* We cannot fulfill this request right now, try again later
2401 * please! */
3900e5fd
LP		 2402 if (IN_SET(s->state,
2403 SOCKET_STOP_PRE,
2404 SOCKET_STOP_PRE_SIGKILL,
2405 SOCKET_STOP_PRE_SIGTERM,
2406 SOCKET_STOP_POST,
2407 SOCKET_FINAL_SIGTERM,
2408 SOCKET_FINAL_SIGKILL))
034c6ed7
LP		 2409 return -EAGAIN;
2410
a4152e3f 2411 /* Already on it! */
3900e5fd
LP		 2412 if (IN_SET(s->state,
2413 SOCKET_START_PRE,
2414 SOCKET_START_CHOWN,
2415 SOCKET_START_POST))
034c6ed7 2416 return 0;
83c60c9f 2417
034c6ed7 2418 /* Cannot run this without the service being around */
9444b1f2 2419 if (UNIT_ISSET(s->service)) {
57020a3a
LP		 2420 Service *service;
2421
2422 service = SERVICE(UNIT_DEREF(s->service));
2423
1124fe6f 2424 if (UNIT(service)->load_state != UNIT_LOADED) {
f2341e0a 2425 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
4f2d528d 2426 return -ENOENT;
4ac9236f 2427 }
4f2d528d 2428
35b8ca3a 2429 /* If the service is already active we cannot start the
4f2d528d 2430 * socket */
57020a3a
LP		 2431 if (service->state != SERVICE_DEAD &&
2432 service->state != SERVICE_FAILED &&
2433 service->state != SERVICE_AUTO_RESTART) {
f2341e0a 2434 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
4f2d528d 2435 return -EBUSY;
4ac9236f 2436 }
4f2d528d 2437 }
e537352b 2438
fdf20a31 2439 assert(s->state == SOCKET_DEAD || s->state == SOCKET_FAILED);
83c60c9f 2440
07299350
LP		 2441 r = unit_start_limit_test(u);
2442 if (r < 0) {
2443 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2444 return r;
2445 }
2446
4b58153d
LP		 2447 r = unit_acquire_invocation_id(u);
2448 if (r < 0)
2449 return r;
2450
cfc4eb4c 2451 s->result = SOCKET_SUCCESS;
906c06f6 2452 s->reset_accounting = true;
5ad096b3 2453
034c6ed7 2454 socket_enter_start_pre(s);
82a2b6bb 2455 return 1;
034c6ed7 2456}
83c60c9f 2457
87f0e418
LP		 2458static int socket_stop(Unit *u) {
2459 Socket *s = SOCKET(u);
034c6ed7
LP		 2460
2461 assert(s);
2462
e537352b 2463 /* Already on it */
3900e5fd
LP		 2464 if (IN_SET(s->state,
2465 SOCKET_STOP_PRE,
2466 SOCKET_STOP_PRE_SIGTERM,
2467 SOCKET_STOP_PRE_SIGKILL,
2468 SOCKET_STOP_POST,
2469 SOCKET_FINAL_SIGTERM,
2470 SOCKET_FINAL_SIGKILL))
e537352b
LP		 2471 return 0;
2472
3f6c78dc
LP		 2473 /* If there's already something running we go directly into
2474 * kill mode. */
3900e5fd
LP		 2475 if (IN_SET(s->state,
2476 SOCKET_START_PRE,
2477 SOCKET_START_CHOWN,
2478 SOCKET_START_POST)) {
cfc4eb4c 2479 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
3f6c78dc
LP		 2480 return -EAGAIN;
2481 }
2482
034c6ed7 2483 assert(s->state == SOCKET_LISTENING || s->state == SOCKET_RUNNING);
83c60c9f 2484
cfc4eb4c 2485 socket_enter_stop_pre(s, SOCKET_SUCCESS);
82a2b6bb 2486 return 1;
542563ba
LP		 2487}
2488
a16e1123
LP		 2489static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2490 Socket *s = SOCKET(u);
2491 SocketPort *p;
2492 int r;
2493
2494 assert(u);
2495 assert(f);
2496 assert(fds);
2497
2498 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
cfc4eb4c 2499 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
a16e1123
LP		 2500 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2501
2502 if (s->control_pid > 0)
de0671ee 2503 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
a16e1123
LP		 2504
2505 if (s->control_command_id >= 0)
2506 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2507
2508 LIST_FOREACH(port, p, s->ports) {
2509 int copy;
2510
2511 if (p->fd < 0)
2512 continue;
2513
613b411c
LP		 2514 copy = fdset_put_dup(fds, p->fd);
2515 if (copy < 0)
a16e1123
LP		 2516 return copy;
2517
2518 if (p->type == SOCKET_SOCKET) {
613b411c 2519 _cleanup_free_ char *t = NULL;
a16e1123 2520
ee092817
LP		 2521 r = socket_address_print(&p->address, &t);
2522 if (r < 0)
a16e1123
LP		 2523 return r;
2524
7a22745a
LP		 2525 if (socket_address_family(&p->address) == AF_NETLINK)
2526 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2527 else
2528 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
613b411c 2529
b0a3f2bc
LP		 2530 } else if (p->type == SOCKET_SPECIAL)
2531 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
ee092817
LP		 2532 else if (p->type == SOCKET_MQUEUE)
2533 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
60252446
PS		 2534 else if (p->type == SOCKET_USB_FUNCTION)
2535 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
b0a3f2bc 2536 else {
a16e1123
LP		 2537 assert(p->type == SOCKET_FIFO);
2538 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2539 }
2540 }
2541
2542 return 0;
2543}
2544
80a58668
ZJS		 2545static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2546 safe_close(p->fd);
2547 p->fd = fdset_remove(fds, fd);
2548}
2549
a16e1123
LP		 2550static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2551 Socket *s = SOCKET(u);
a16e1123
LP		 2552
2553 assert(u);
2554 assert(key);
2555 assert(value);
a16e1123
LP		 2556
2557 if (streq(key, "state")) {
2558 SocketState state;
2559
ee092817
LP		 2560 state = socket_state_from_string(value);
2561 if (state < 0)
f2341e0a 2562 log_unit_debug(u, "Failed to parse state value: %s", value);
a16e1123
LP		 2563 else
2564 s->deserialized_state = state;
cfc4eb4c
LP		 2565 } else if (streq(key, "result")) {
2566 SocketResult f;
a16e1123 2567
cfc4eb4c
LP		 2568 f = socket_result_from_string(value);
2569 if (f < 0)
f2341e0a 2570 log_unit_debug(u, "Failed to parse result value: %s", value);
cfc4eb4c
LP		 2571 else if (f != SOCKET_SUCCESS)
2572 s->result = f;
a16e1123
LP		 2573
2574 } else if (streq(key, "n-accepted")) {
2575 unsigned k;
2576
e364ad06 2577 if (safe_atou(value, &k) < 0)
f2341e0a 2578 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
a16e1123
LP		 2579 else
2580 s->n_accepted += k;
2581 } else if (streq(key, "control-pid")) {
5925dd3c 2582 pid_t pid;
a16e1123 2583
e364ad06 2584 if (parse_pid(value, &pid) < 0)
f2341e0a 2585 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
a16e1123 2586 else
5925dd3c 2587 s->control_pid = pid;
a16e1123
LP		 2588 } else if (streq(key, "control-command")) {
2589 SocketExecCommand id;
2590
66870f90
ZJS		 2591 id = socket_exec_command_from_string(value);
2592 if (id < 0)
f2341e0a 2593 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
a16e1123
LP		 2594 else {
2595 s->control_command_id = id;
2596 s->control_command = s->exec_command[id];
2597 }
2598 } else if (streq(key, "fifo")) {
2599 int fd, skip = 0;
2600 SocketPort *p;
2601
2602 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2603 log_unit_debug(u, "Failed to parse fifo value: %s", value);
80a58668 2604 else
a16e1123 2605 LIST_FOREACH(port, p, s->ports)
b0a3f2bc 2606 if (p->type == SOCKET_FIFO &&
e3f791a2 2607 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2608 socket_port_take_fd(p, fds, fd);
b0a3f2bc 2609 break;
80a58668 2610 }
b0a3f2bc
LP		 2611
2612 } else if (streq(key, "special")) {
2613 int fd, skip = 0;
2614 SocketPort *p;
2615
2616 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2617 log_unit_debug(u, "Failed to parse special value: %s", value);
80a58668 2618 else
b0a3f2bc
LP		 2619 LIST_FOREACH(port, p, s->ports)
2620 if (p->type == SOCKET_SPECIAL &&
e3f791a2 2621 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2622 socket_port_take_fd(p, fds, fd);
a16e1123 2623 break;
80a58668 2624 }
a16e1123 2625
ee092817
LP		 2626 } else if (streq(key, "mqueue")) {
2627 int fd, skip = 0;
2628 SocketPort *p;
2629
2630 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2631 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
80a58668 2632 else
ee092817
LP		 2633 LIST_FOREACH(port, p, s->ports)
2634 if (p->type == SOCKET_MQUEUE &&
80a58668
ZJS		 2635 streq(p->path, value+skip)) {
2636 socket_port_take_fd(p, fds, fd);
ee092817 2637 break;
80a58668 2638 }
ee092817 2639
a16e1123 2640 } else if (streq(key, "socket")) {
27ca8d7a 2641 int fd, type, skip = 0;
a16e1123
LP		 2642 SocketPort *p;
2643
27ca8d7a 2644 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
f2341e0a 2645 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2646 else
a16e1123 2647 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2648 if (socket_address_is(&p->address, value+skip, type)) {
2649 socket_port_take_fd(p, fds, fd);
a16e1123 2650 break;
80a58668 2651 }
a16e1123 2652
7a22745a
LP		 2653 } else if (streq(key, "netlink")) {
2654 int fd, skip = 0;
2655 SocketPort *p;
2656
2657 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2658 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2659 else
7a22745a 2660 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2661 if (socket_address_is_netlink(&p->address, value+skip)) {
2662 socket_port_take_fd(p, fds, fd);
7a22745a 2663 break;
80a58668 2664 }
60252446
PS		 2665
2666 } else if (streq(key, "ffs")) {
2667 int fd, skip = 0;
2668 SocketPort *p;
2669
2670 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2671 log_unit_debug(u, "Failed to parse ffs value: %s", value);
80a58668 2672 else
60252446
PS		 2673 LIST_FOREACH(port, p, s->ports)
2674 if (p->type == SOCKET_USB_FUNCTION &&
e3f791a2 2675 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2676 socket_port_take_fd(p, fds, fd);
60252446 2677 break;
80a58668 2678 }
60252446 2679
a16e1123 2680 } else
f2341e0a 2681 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
a16e1123
LP		 2682
2683 return 0;
2684}
2685
9ff1a6f1 2686static void socket_distribute_fds(Unit *u, FDSet *fds) {
01e10de3
LP		 2687 Socket *s = SOCKET(u);
2688 SocketPort *p;
2689
2690 assert(u);
2691
2692 LIST_FOREACH(port, p, s->ports) {
2693 Iterator i;
2694 int fd;
2695
2696 if (p->type != SOCKET_SOCKET)
2697 continue;
2698
2699 if (p->fd >= 0)
2700 continue;
2701
2702 FDSET_FOREACH(fd, fds, i) {
2703 if (socket_address_matches_fd(&p->address, fd)) {
2704 p->fd = fdset_remove(fds, fd);
2705 s->deserialized_state = SOCKET_LISTENING;
2706 break;
2707 }
2708 }
2709 }
01e10de3
LP		 2710}
2711
44a6b1b6 2712_pure_ static UnitActiveState socket_active_state(Unit *u) {
87f0e418 2713 assert(u);
5cb5a6ff 2714
acbb0225 2715 return state_translation_table[SOCKET(u)->state];
5cb5a6ff
LP		 2716}
2717
44a6b1b6 2718_pure_ static const char *socket_sub_state_to_string(Unit *u) {
10a94420
LP		 2719 assert(u);
2720
a16e1123 2721 return socket_state_to_string(SOCKET(u)->state);
10a94420
LP		 2722}
2723
67419600
OS		 2724const char* socket_port_type_to_string(SocketPort *p) {
2725
2726 assert(p);
2727
2728 switch (p->type) {
718db961
LP		 2729
2730 case SOCKET_SOCKET:
2731
2732 switch (p->address.type) {
2733
2734 case SOCK_STREAM:
2735 return "Stream";
2736
2737 case SOCK_DGRAM:
2738 return "Datagram";
2739
2740 case SOCK_SEQPACKET:
2741 return "SequentialPacket";
2742
2743 case SOCK_RAW:
2744 if (socket_address_family(&p->address) == AF_NETLINK)
2745 return "Netlink";
2746
ec251fe7 2747 /* fall through */
718db961
LP		 2748 default:
2749 return NULL;
2750 }
2751
2752 case SOCKET_SPECIAL:
2753 return "Special";
2754
2755 case SOCKET_MQUEUE:
2756 return "MessageQueue";
2757
2758 case SOCKET_FIFO:
2759 return "FIFO";
2760
60252446
PS		 2761 case SOCKET_USB_FUNCTION:
2762 return "USBFunction";
2763
718db961
LP		 2764 default:
2765 return NULL;
67419600
OS		 2766 }
2767}
2768
44a6b1b6 2769_pure_ static bool socket_check_gc(Unit *u) {
6cf6bbc2
LP		 2770 Socket *s = SOCKET(u);
2771
2772 assert(u);
2773
2774 return s->n_connections > 0;
2775}
2776
a79279c7
LP		 2777static int socket_accept_do(Socket *s, int fd) {
2778 int cfd;
2779
2780 assert(s);
2781 assert(fd >= 0);
2782
2783 for (;;) {
2784 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2785 if (cfd < 0) {
2786 if (errno == EINTR)
2787 continue;
2788
2789 return -errno;
2790 }
2791
2792 break;
2793 }
2794
2795 return cfd;
2796}
2797
2798static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2799 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2800 int cfd, r;
2801 pid_t pid;
2802
2803 assert(s);
2804 assert(p);
2805 assert(fd >= 0);
2806
2807 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2808 * connection socket is also properly associated with the cgroup. */
2809
2810 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2811 goto shortcut;
2812
2813 r = bpf_firewall_supported();
2814 if (r < 0)
2815 return r;
2816 if (r == 0)
2817 goto shortcut;
2818
2819 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2820 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2821
2822 r = unit_fork_helper_process(UNIT(s), &pid);
2823 if (r < 0)
2824 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2825 if (r == 0) {
2826 /* Child */
2827
2828 pair[0] = safe_close(pair[0]);
2829
2830 cfd = socket_accept_do(s, fd);
2831 if (cfd < 0) {
2832 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2833 _exit(EXIT_FAILURE);
2834 }
2835
2836 r = send_one_fd(pair[1], cfd, 0);
2837 if (r < 0) {
2838 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2839 _exit(EXIT_FAILURE);
2840 }
2841
2842 _exit(EXIT_SUCCESS);
2843 }
2844
2845 pair[1] = safe_close(pair[1]);
2846 cfd = receive_one_fd(pair[0], 0);
2847
2848 /* We synchronously wait for the helper, as it shouldn't be slow */
2849 r = wait_for_terminate_and_warn("accept-cgroup-helper", pid, false);
2850 if (r < 0) {
2851 safe_close(cfd);
2852 return r;
2853 }
2854
2855 if (cfd < 0)
2856 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2857
2858 return cfd;
2859
2860shortcut:
2861 cfd = socket_accept_do(s, fd);
2862 if (cfd < 0)
2863 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2864
2865 return cfd;
2866}
2867
718db961
LP		 2868static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2869 SocketPort *p = userdata;
4f2d528d 2870 int cfd = -1;
9152c765 2871
718db961 2872 assert(p);
8d567588 2873 assert(fd >= 0);
9152c765 2874
718db961
LP		 2875 if (p->socket->state != SOCKET_LISTENING)
2876 return 0;
871d7de4 2877
f2341e0a 2878 log_unit_debug(UNIT(p->socket), "Incoming traffic");
9152c765 2879
718db961 2880 if (revents != EPOLLIN) {
641e01dc 2881
718db961 2882 if (revents & EPOLLHUP)
f2341e0a 2883 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
641e01dc 2884 else
f2341e0a 2885 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
8d567588 2886 goto fail;
4f2d528d
LP		 2887 }
2888
718db961
LP		 2889 if (p->socket->accept &&
2890 p->type == SOCKET_SOCKET &&
2891 socket_address_can_accept(&p->address)) {
2892
a79279c7
LP		 2893 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2894 if (cfd < 0)
2895 goto fail;
4fd5948e 2896
718db961 2897 socket_apply_socket_options(p->socket, cfd);
4f2d528d 2898 }
9152c765 2899
718db961
LP		 2900 socket_enter_running(p->socket, cfd);
2901 return 0;
8d567588
LP		 2902
2903fail:
718db961
LP		 2904 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2905 return 0;
9152c765
LP		 2906}
2907
87f0e418
LP		 2908static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2909 Socket *s = SOCKET(u);
cfc4eb4c 2910 SocketResult f;
5cb5a6ff
LP		 2911
2912 assert(s);
034c6ed7 2913 assert(pid >= 0);
5cb5a6ff 2914
8c47c732
LP		 2915 if (pid != s->control_pid)
2916 return;
542563ba 2917
034c6ed7
LP		 2918 s->control_pid = 0;
2919
1f0958f6 2920 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
cfc4eb4c
LP		 2921 f = SOCKET_SUCCESS;
2922 else if (code == CLD_EXITED)
2923 f = SOCKET_FAILURE_EXIT_CODE;
2924 else if (code == CLD_KILLED)
2925 f = SOCKET_FAILURE_SIGNAL;
2926 else if (code == CLD_DUMPED)
2927 f = SOCKET_FAILURE_CORE_DUMP;
2928 else
a4152e3f 2929 assert_not_reached("Unknown sigchld code");
8c47c732 2930
b708e7ce 2931 if (s->control_command) {
6ea832a2 2932 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
a16e1123 2933
3ed0cd26 2934 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
cfc4eb4c 2935 f = SOCKET_SUCCESS;
b708e7ce
LP		 2936 }
2937
f2341e0a
LP		 2938 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2939 "Control process exited, code=%s status=%i",
2940 sigchld_code_to_string(code), status);
034c6ed7 2941
a0fef983 2942 if (s->result == SOCKET_SUCCESS)
cfc4eb4c
LP		 2943 s->result = f;
2944
2945 if (s->control_command &&
2946 s->control_command->command_next &&
2947 f == SOCKET_SUCCESS) {
2948
f2341e0a 2949 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
cfc4eb4c 2950 socket_run_next(s);
acbb0225 2951 } else {
a16e1123
LP		 2952 s->control_command = NULL;
2953 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2954
034c6ed7
LP		 2955 /* No further commands for this step, so let's figure
2956 * out what to do next */
5cb5a6ff 2957
f2341e0a 2958 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
acbb0225 2959
034c6ed7
LP		 2960 switch (s->state) {
2961
2962 case SOCKET_START_PRE:
cfc4eb4c 2963 if (f == SOCKET_SUCCESS)
3900e5fd 2964 socket_enter_start_chown(s);
034c6ed7 2965 else
cfc4eb4c 2966 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
034c6ed7
LP		 2967 break;
2968
3900e5fd
LP		 2969 case SOCKET_START_CHOWN:
2970 if (f == SOCKET_SUCCESS)
2971 socket_enter_start_post(s);
2972 else
2973 socket_enter_stop_pre(s, f);
2974 break;
2975
034c6ed7 2976 case SOCKET_START_POST:
cfc4eb4c 2977 if (f == SOCKET_SUCCESS)
e9af15c3 2978 socket_enter_listening(s);
034c6ed7 2979 else
cfc4eb4c 2980 socket_enter_stop_pre(s, f);
034c6ed7
LP		 2981 break;
2982
2983 case SOCKET_STOP_PRE:
2984 case SOCKET_STOP_PRE_SIGTERM:
2985 case SOCKET_STOP_PRE_SIGKILL:
cfc4eb4c 2986 socket_enter_stop_post(s, f);
034c6ed7
LP		 2987 break;
2988
2989 case SOCKET_STOP_POST:
80876c20
LP		 2990 case SOCKET_FINAL_SIGTERM:
2991 case SOCKET_FINAL_SIGKILL:
cfc4eb4c 2992 socket_enter_dead(s, f);
034c6ed7
LP		 2993 break;
2994
2995 default:
2996 assert_not_reached("Uh, control process died at wrong time.");
2997 }
2998 }
c4e2ceae
LP		 2999
3000 /* Notify clients about changed exit status */
3001 unit_add_to_dbus_queue(u);
034c6ed7 3002}
5cb5a6ff 3003
718db961
LP		 3004static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3005 Socket *s = SOCKET(userdata);
5cb5a6ff 3006
034c6ed7 3007 assert(s);
718db961 3008 assert(s->timer_event_source == source);
034c6ed7
LP		 3009
3010 switch (s->state) {
3011
3012 case SOCKET_START_PRE:
f2341e0a 3013 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
cfc4eb4c 3014 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
da19d5c1 3015 break;
80876c20 3016
3900e5fd 3017 case SOCKET_START_CHOWN:
034c6ed7 3018 case SOCKET_START_POST:
f2341e0a 3019 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
cfc4eb4c 3020 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3021 break;
3022
3023 case SOCKET_STOP_PRE:
f2341e0a 3024 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
cfc4eb4c 3025 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3026 break;
3027
3028 case SOCKET_STOP_PRE_SIGTERM:
4819ff03 3029 if (s->kill_context.send_sigkill) {
f2341e0a 3030 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
cfc4eb4c 3031 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3032 } else {
f2341e0a 3033 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
cfc4eb4c 3034 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3035 }
034c6ed7
LP		 3036 break;
3037
3038 case SOCKET_STOP_PRE_SIGKILL:
f2341e0a 3039 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
cfc4eb4c 3040 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3041 break;
3042
3043 case SOCKET_STOP_POST:
f2341e0a 3044 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
cfc4eb4c 3045 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3046 break;
3047
80876c20 3048 case SOCKET_FINAL_SIGTERM:
4819ff03 3049 if (s->kill_context.send_sigkill) {
f2341e0a 3050 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
cfc4eb4c 3051 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3052 } else {
f2341e0a 3053 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
cfc4eb4c 3054 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3055 }
034c6ed7
LP		 3056 break;
3057
80876c20 3058 case SOCKET_FINAL_SIGKILL:
f2341e0a 3059 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
cfc4eb4c 3060 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3061 break;
3062
3063 default:
3064 assert_not_reached("Timeout at wrong time.");
3065 }
718db961
LP		 3066
3067 return 0;
5cb5a6ff
LP		 3068}
3069
79c7626d
LP		 3070int socket_collect_fds(Socket *s, int **fds) {
3071 int *rfds, k = 0, n = 0;
44d8db9e
LP		 3072 SocketPort *p;
3073
3074 assert(s);
3075 assert(fds);
44d8db9e
LP		 3076
3077 /* Called from the service code for requesting our fds */
3078
15087cdb 3079 LIST_FOREACH(port, p, s->ports) {
44d8db9e 3080 if (p->fd >= 0)
79c7626d
LP		 3081 n++;
3082 n += p->n_auxiliary_fds;
15087cdb 3083 }
44d8db9e 3084
79c7626d 3085 if (n <= 0) {
de3756ab 3086 *fds = NULL;
de3756ab
LP		 3087 return 0;
3088 }
3089
79c7626d 3090 rfds = new(int, n);
e5403f09 3091 if (!rfds)
44d8db9e
LP		 3092 return -ENOMEM;
3093
15087cdb 3094 LIST_FOREACH(port, p, s->ports) {
79c7626d
LP		 3095 int i;
3096
44d8db9e
LP		 3097 if (p->fd >= 0)
3098 rfds[k++] = p->fd;
15087cdb
PS		 3099 for (i = 0; i < p->n_auxiliary_fds; ++i)
3100 rfds[k++] = p->auxiliary_fds[i];
3101 }
44d8db9e 3102
79c7626d 3103 assert(k == n);
44d8db9e
LP		 3104
3105 *fds = rfds;
79c7626d 3106 return n;
44d8db9e
LP		 3107}
3108
e821075a
LP		 3109static void socket_reset_failed(Unit *u) {
3110 Socket *s = SOCKET(u);
3111
3112 assert(s);
3113
3114 if (s->state == SOCKET_FAILED)
3115 socket_set_state(s, SOCKET_DEAD);
3116
3117 s->result = SOCKET_SUCCESS;
3118}
3119
6cf6bbc2
LP		 3120void socket_connection_unref(Socket *s) {
3121 assert(s);
3122
3123 /* The service is dead. Yay!
3124 *
35b8ca3a 3125 * This is strictly for one-instance-per-connection
6cf6bbc2
LP		 3126 * services. */
3127
3128 assert(s->n_connections > 0);
3129 s->n_connections--;
3130
f2341e0a 3131 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
5632e374
LP		 3132}
3133
d137a488
UTL		 3134static void socket_trigger_notify(Unit *u, Unit *other) {
3135 Socket *s = SOCKET(u);
d137a488
UTL		 3136
3137 assert(u);
3138 assert(other);
3139
d14e3a0d
LP		 3140 /* Filter out invocations with bogus state */
3141 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3142 return;
3143
3144 /* Don't propagate state changes from the service if we are already down */
3145 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
d137a488
UTL		 3146 return;
3147
d14e3a0d
LP		 3148 /* We don't care for the service state if we are in Accept=yes mode */
3149 if (s->accept)
3150 return;
3151
3152 /* Propagate start limit hit state */
6bf0f408
LP		 3153 if (other->start_limit_hit) {
3154 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
d137a488 3155 return;
6bf0f408 3156 }
d137a488 3157
d14e3a0d
LP		 3158 /* Don't propagate anything if there's still a job queued */
3159 if (other->job)
6bf0f408 3160 return;
d137a488 3161
6bf0f408
LP		 3162 if (IN_SET(SERVICE(other)->state,
3163 SERVICE_DEAD, SERVICE_FAILED,
3164 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3165 SERVICE_AUTO_RESTART))
3166 socket_enter_listening(s);
d137a488 3167
6bf0f408 3168 if (SERVICE(other)->state == SERVICE_RUNNING)
d137a488
UTL		 3169 socket_set_state(s, SOCKET_RUNNING);
3170}
3171
718db961 3172static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
814cc562 3173 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
8a0867d6
LP		 3174}
3175
7a7821c8 3176static int socket_get_timeout(Unit *u, usec_t *timeout) {
68db7a3b 3177 Socket *s = SOCKET(u);
7a7821c8 3178 usec_t t;
68db7a3b
ZJS		 3179 int r;
3180
3181 if (!s->timer_event_source)
3182 return 0;
3183
7a7821c8 3184 r = sd_event_source_get_time(s->timer_event_source, &t);
68db7a3b
ZJS		 3185 if (r < 0)
3186 return r;
7a7821c8
LP		 3187 if (t == USEC_INFINITY)
3188 return 0;
68db7a3b 3189
7a7821c8 3190 *timeout = t;
68db7a3b
ZJS		 3191 return 1;
3192}
3193
8dd4c05b
LP		 3194char *socket_fdname(Socket *s) {
3195 assert(s);
3196
3197 /* Returns the name to use for $LISTEN_NAMES. If the user
3198 * didn't specify anything specifically, use the socket unit's
3199 * name as fallback. */
3200
3201 if (s->fdname)
3202 return s->fdname;
3203
3204 return UNIT(s)->id;
3205}
3206
291d565a
LP		 3207static int socket_control_pid(Unit *u) {
3208 Socket *s = SOCKET(u);
3209
3210 assert(s);
3211
3212 return s->control_pid;
3213}
3214
a16e1123
LP		 3215static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3216 [SOCKET_EXEC_START_PRE] = "StartPre",
3900e5fd 3217 [SOCKET_EXEC_START_CHOWN] = "StartChown",
a16e1123
LP		 3218 [SOCKET_EXEC_START_POST] = "StartPost",
3219 [SOCKET_EXEC_STOP_PRE] = "StopPre",
3220 [SOCKET_EXEC_STOP_POST] = "StopPost"
3221};
3222
3223DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3224
cfc4eb4c
LP		 3225static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3226 [SOCKET_SUCCESS] = "success",
3227 [SOCKET_FAILURE_RESOURCES] = "resources",
3228 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3229 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3230 [SOCKET_FAILURE_SIGNAL] = "signal",
c2f34808 3231 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
07299350 3232 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
8b26cdbd 3233 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
6bf0f408 3234 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
cfc4eb4c
LP		 3235};
3236
3237DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3238
87f0e418 3239const UnitVTable socket_vtable = {
7d17cfbc 3240 .object_size = sizeof(Socket),
718db961
LP		 3241 .exec_context_offset = offsetof(Socket, exec_context),
3242 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3243 .kill_context_offset = offsetof(Socket, kill_context),
613b411c 3244 .exec_runtime_offset = offsetof(Socket, exec_runtime),
29206d46 3245 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3ef63c31 3246
f975e971
LP		 3247 .sections =
3248 "Unit\0"
3249 "Socket\0"
3250 "Install\0",
4ad49000 3251 .private_section = "Socket",
71645aca 3252
034c6ed7
LP		 3253 .init = socket_init,
3254 .done = socket_done,
a16e1123
LP		 3255 .load = socket_load,
3256
3257 .coldplug = socket_coldplug,
034c6ed7 3258
5cb5a6ff
LP		 3259 .dump = socket_dump,
3260
542563ba
LP		 3261 .start = socket_start,
3262 .stop = socket_stop,
5cb5a6ff 3263
718db961
LP		 3264 .kill = socket_kill,
3265
68db7a3b
ZJS		 3266 .get_timeout = socket_get_timeout,
3267
a16e1123
LP		 3268 .serialize = socket_serialize,
3269 .deserialize_item = socket_deserialize_item,
01e10de3 3270 .distribute_fds = socket_distribute_fds,
a16e1123 3271
5cb5a6ff 3272 .active_state = socket_active_state,
10a94420 3273 .sub_state_to_string = socket_sub_state_to_string,
5cb5a6ff 3274
6cf6bbc2
LP		 3275 .check_gc = socket_check_gc,
3276
034c6ed7 3277 .sigchld_event = socket_sigchld_event,
4139c1b2 3278
d137a488
UTL		 3279 .trigger_notify = socket_trigger_notify,
3280
fdf20a31 3281 .reset_failed = socket_reset_failed,
5632e374 3282
291d565a
LP		 3283 .control_pid = socket_control_pid,
3284
718db961 3285 .bus_vtable = bus_socket_vtable,
74c964d3
LP		 3286 .bus_set_property = bus_socket_set_property,
3287 .bus_commit_properties = bus_socket_commit_properties,
c6918296
MS		 3288
3289 .status_message_formats = {
3290 /*.starting_stopping = {
3291 [0] = "Starting socket %s...",
3292 [1] = "Stopping socket %s...",
3293 },*/
3294 .finished_start_job = {
3295 [JOB_DONE] = "Listening on %s.",
3296 [JOB_FAILED] = "Failed to listen on %s.",
c6918296
MS		 3297 [JOB_TIMEOUT] = "Timed out starting %s.",
3298 },
3299 .finished_stop_job = {
3300 [JOB_DONE] = "Closed %s.",
3301 [JOB_FAILED] = "Failed stopping %s.",
3302 [JOB_TIMEOUT] = "Timed out stopping %s.",
3303 },
3304 },
5cb5a6ff 3305};
Unnamed repository; edit this file 'description' to name the repository.