]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
pid1: include the source unit in UnitRef
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <mqueue.h>
25 #include <netinet/tcp.h>
26 #include <signal.h>
27 #include <sys/epoll.h>
28 #include <sys/stat.h>
29 #include <unistd.h>
30 #include <linux/sctp.h>
31
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
35 #include "bus-util.h"
36 #include "copy.h"
37 #include "dbus-socket.h"
38 #include "def.h"
39 #include "exit-status.h"
40 #include "fd-util.h"
41 #include "format-util.h"
42 #include "fs-util.h"
43 #include "in-addr-util.h"
44 #include "io-util.h"
45 #include "label.h"
46 #include "log.h"
47 #include "missing.h"
48 #include "mkdir.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
55 #include "socket.h"
56 #include "socket-protocol-list.h"
57 #include "special.h"
58 #include "string-table.h"
59 #include "string-util.h"
60 #include "strv.h"
61 #include "unit-name.h"
62 #include "unit.h"
63 #include "user-util.h"
64
65 struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
70 socklen_t peer_salen;
71 };
72
73 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
86 [SOCKET_FAILED] = UNIT_FAILED
87 };
88
89 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
92 static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
96 assert(u->load_state == UNIT_STUB);
97
98 s->backlog = SOMAXCONN;
99 s->timeout_usec = u->manager->default_timeout_start_usec;
100 s->directory_mode = 0755;
101 s->socket_mode = 0666;
102
103 s->max_connections = 64;
104
105 s->priority = -1;
106 s->ip_tos = -1;
107 s->ip_ttl = -1;
108 s->mark = -1;
109
110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
112
113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
114
115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
117 }
118
119 static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127 }
128
129 static void socket_cleanup_fd_list(SocketPort *p) {
130 assert(p);
131
132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135 }
136
137 void socket_free_ports(Socket *s) {
138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
143 LIST_REMOVE(port, s->ports, p);
144
145 sd_event_source_unref(p->event_source);
146
147 socket_cleanup_fd_list(p);
148 safe_close(p->fd);
149 free(p->path);
150 free(p);
151 }
152 }
153
154 static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
156 SocketPeer *p;
157
158 assert(s);
159
160 socket_free_ports(s);
161
162 while ((p = set_steal_first(s->peers_by_address)))
163 p->socket = NULL;
164
165 s->peers_by_address = set_free(s->peers_by_address);
166
167 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
169 s->control_command = NULL;
170
171 dynamic_creds_unref(&s->dynamic_creds);
172
173 socket_unwatch_control_pid(s);
174
175 unit_ref_unset(&s->service);
176
177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
179
180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
183
184 strv_free(s->symlinks);
185
186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
188
189 s->fdname = mfree(s->fdname);
190
191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192 }
193
194 static int socket_arm_timer(Socket *s, usec_t usec) {
195 int r;
196
197 assert(s);
198
199 if (s->timer_event_source) {
200 r = sd_event_source_set_time(s->timer_event_source, usec);
201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
207 if (usec == USEC_INFINITY)
208 return 0;
209
210 r = sd_event_add_time(
211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
214 usec, 0,
215 socket_dispatch_timer, s);
216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
222 }
223
224 int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
236 if (UNIT_DEREF(s->service))
237 return 0;
238
239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
245
246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
247 return -ENOMEM;
248
249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
250 if (r < 0)
251 return r;
252
253 unit_ref_set(&s->service, UNIT(s), u);
254
255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
256 }
257
258 static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
271 if (!socket_address_can_accept(&p->address))
272 return true;
273 }
274
275 return false;
276 }
277
278 static int socket_add_mount_dependencies(Socket *s) {
279 SocketPort *p;
280 int r;
281
282 assert(s);
283
284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
286
287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
290 path = p->path;
291
292 if (!path)
293 continue;
294
295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
296 if (r < 0)
297 return r;
298 }
299
300 return 0;
301 }
302
303 static int socket_add_device_dependencies(Socket *s) {
304 char *t;
305
306 assert(s);
307
308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
309 return 0;
310
311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
313 }
314
315 static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
323 if (r < 0)
324 return r;
325
326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
328 if (r < 0)
329 return r;
330 }
331
332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
333 }
334
335 _pure_ static bool socket_has_exec(Socket *s) {
336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344 }
345
346 static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
348 int r;
349
350 assert(s);
351
352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
371 if (have_non_accept_socket(s)) {
372
373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
375
376 r = unit_load_related_unit(u, ".service", &x);
377 if (r < 0)
378 return r;
379
380 unit_ref_set(&s->service, u, x);
381 }
382
383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
384 if (r < 0)
385 return r;
386 }
387
388 r = socket_add_mount_dependencies(s);
389 if (r < 0)
390 return r;
391
392 r = socket_add_device_dependencies(s);
393 if (r < 0)
394 return r;
395
396 r = unit_patch_contexts(u);
397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
404 }
405
406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
413
414 return 0;
415 }
416
417 static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
431 f = socket_address_get_path(&p->address);
432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447 }
448
449 static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
467 return -EINVAL;
468 }
469
470 if (s->accept && UNIT_DEREF(s->service)) {
471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
477 return -EINVAL;
478 }
479
480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
482 return -EINVAL;
483 }
484
485 return 0;
486 }
487
488 static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
495 else if (s->peer.sa.sa_family == AF_INET6)
496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
499 else
500 assert_not_reached("Unknown address family.");
501 }
502
503 static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
522 }
523 assert_not_reached("Black sheep in the family!");
524 }
525
526 const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529 };
530
531 static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
539 if (r < 0)
540 return r;
541
542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
549 if (r < 0)
550 return r;
551 }
552
553 return socket_verify(s);
554 }
555
556 static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566 }
567
568 SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576 }
577
578 SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593 }
594
595 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
624 remote->peer_salen = salen;
625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
632 *p = remote;
633 remote = NULL;
634
635 return 1;
636 }
637
638 _const_ static const char* listen_lookup(int family, int type) {
639
640 if (family == AF_NETLINK)
641 return "ListenNetlink";
642
643 if (type == SOCK_STREAM)
644 return "ListenStream";
645 else if (type == SOCK_DGRAM)
646 return "ListenDatagram";
647 else if (type == SOCK_SEQPACKET)
648 return "ListenSequentialPacket";
649
650 assert_not_reached("Unknown socket type");
651 return NULL;
652 }
653
654 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
655 char time_string[FORMAT_TIMESPAN_MAX];
656 SocketExecCommand c;
657 Socket *s = SOCKET(u);
658 SocketPort *p;
659 const char *prefix2, *str;
660
661 assert(s);
662 assert(f);
663
664 prefix = strempty(prefix);
665 prefix2 = strjoina(prefix, "\t");
666
667 fprintf(f,
668 "%sSocket State: %s\n"
669 "%sResult: %s\n"
670 "%sBindIPv6Only: %s\n"
671 "%sBacklog: %u\n"
672 "%sSocketMode: %04o\n"
673 "%sDirectoryMode: %04o\n"
674 "%sKeepAlive: %s\n"
675 "%sNoDelay: %s\n"
676 "%sFreeBind: %s\n"
677 "%sTransparent: %s\n"
678 "%sBroadcast: %s\n"
679 "%sPassCredentials: %s\n"
680 "%sPassSecurity: %s\n"
681 "%sTCPCongestion: %s\n"
682 "%sRemoveOnStop: %s\n"
683 "%sWritable: %s\n"
684 "%sFileDescriptorName: %s\n"
685 "%sSELinuxContextFromNet: %s\n",
686 prefix, socket_state_to_string(s->state),
687 prefix, socket_result_to_string(s->result),
688 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
689 prefix, s->backlog,
690 prefix, s->socket_mode,
691 prefix, s->directory_mode,
692 prefix, yes_no(s->keep_alive),
693 prefix, yes_no(s->no_delay),
694 prefix, yes_no(s->free_bind),
695 prefix, yes_no(s->transparent),
696 prefix, yes_no(s->broadcast),
697 prefix, yes_no(s->pass_cred),
698 prefix, yes_no(s->pass_sec),
699 prefix, strna(s->tcp_congestion),
700 prefix, yes_no(s->remove_on_stop),
701 prefix, yes_no(s->writable),
702 prefix, socket_fdname(s),
703 prefix, yes_no(s->selinux_context_from_net));
704
705 if (s->control_pid > 0)
706 fprintf(f,
707 "%sControl PID: "PID_FMT"\n",
708 prefix, s->control_pid);
709
710 if (s->bind_to_device)
711 fprintf(f,
712 "%sBindToDevice: %s\n",
713 prefix, s->bind_to_device);
714
715 if (s->accept)
716 fprintf(f,
717 "%sAccepted: %u\n"
718 "%sNConnections: %u\n"
719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
721 prefix, s->n_accepted,
722 prefix, s->n_connections,
723 prefix, s->max_connections,
724 prefix, s->max_connections_per_source);
725
726 if (s->priority >= 0)
727 fprintf(f,
728 "%sPriority: %i\n",
729 prefix, s->priority);
730
731 if (s->receive_buffer > 0)
732 fprintf(f,
733 "%sReceiveBuffer: %zu\n",
734 prefix, s->receive_buffer);
735
736 if (s->send_buffer > 0)
737 fprintf(f,
738 "%sSendBuffer: %zu\n",
739 prefix, s->send_buffer);
740
741 if (s->ip_tos >= 0)
742 fprintf(f,
743 "%sIPTOS: %i\n",
744 prefix, s->ip_tos);
745
746 if (s->ip_ttl >= 0)
747 fprintf(f,
748 "%sIPTTL: %i\n",
749 prefix, s->ip_ttl);
750
751 if (s->pipe_size > 0)
752 fprintf(f,
753 "%sPipeSize: %zu\n",
754 prefix, s->pipe_size);
755
756 if (s->mark >= 0)
757 fprintf(f,
758 "%sMark: %i\n",
759 prefix, s->mark);
760
761 if (s->mq_maxmsg > 0)
762 fprintf(f,
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix, s->mq_maxmsg);
765
766 if (s->mq_msgsize > 0)
767 fprintf(f,
768 "%sMessageQueueMessageSize: %li\n",
769 prefix, s->mq_msgsize);
770
771 if (s->reuse_port)
772 fprintf(f,
773 "%sReusePort: %s\n",
774 prefix, yes_no(s->reuse_port));
775
776 if (s->smack)
777 fprintf(f,
778 "%sSmackLabel: %s\n",
779 prefix, s->smack);
780
781 if (s->smack_ip_in)
782 fprintf(f,
783 "%sSmackLabelIPIn: %s\n",
784 prefix, s->smack_ip_in);
785
786 if (s->smack_ip_out)
787 fprintf(f,
788 "%sSmackLabelIPOut: %s\n",
789 prefix, s->smack_ip_out);
790
791 if (!isempty(s->user) || !isempty(s->group))
792 fprintf(f,
793 "%sSocketUser: %s\n"
794 "%sSocketGroup: %s\n",
795 prefix, strna(s->user),
796 prefix, strna(s->group));
797
798 if (s->keep_alive_time > 0)
799 fprintf(f,
800 "%sKeepAliveTimeSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
802
803 if (s->keep_alive_interval)
804 fprintf(f,
805 "%sKeepAliveIntervalSec: %s\n",
806 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
807
808 if (s->keep_alive_cnt)
809 fprintf(f,
810 "%sKeepAliveProbes: %u\n",
811 prefix, s->keep_alive_cnt);
812
813 if (s->defer_accept)
814 fprintf(f,
815 "%sDeferAcceptSec: %s\n",
816 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
817
818 LIST_FOREACH(port, p, s->ports) {
819
820 if (p->type == SOCKET_SOCKET) {
821 const char *t;
822 int r;
823 char *k = NULL;
824
825 r = socket_address_print(&p->address, &k);
826 if (r < 0)
827 t = strerror(-r);
828 else
829 t = k;
830
831 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
832 free(k);
833 } else if (p->type == SOCKET_SPECIAL)
834 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
835 else if (p->type == SOCKET_USB_FUNCTION)
836 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
837 else if (p->type == SOCKET_MQUEUE)
838 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
839 else
840 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
841 }
842
843 fprintf(f,
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
847 prefix, s->trigger_limit.burst);
848
849 str = socket_protocol_to_name(s->socket_protocol);
850 if (str)
851 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
852
853 if (!strv_isempty(s->symlinks)) {
854 char **q;
855
856 fprintf(f, "%sSymlinks:", prefix);
857 STRV_FOREACH(q, s->symlinks)
858 fprintf(f, " %s", *q);
859
860 fprintf(f, "\n");
861 }
862
863 fprintf(f,
864 "%sTimeoutSec: %s\n",
865 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
866
867 exec_context_dump(&s->exec_context, f, prefix);
868 kill_context_dump(&s->kill_context, f, prefix);
869
870 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
871 if (!s->exec_command[c])
872 continue;
873
874 fprintf(f, "%s-> %s:\n",
875 prefix, socket_exec_command_to_string(c));
876
877 exec_command_dump_list(s->exec_command[c], f, prefix2);
878 }
879
880 cgroup_context_dump(&s->cgroup_context, f, prefix);
881 }
882
883 static int instance_from_socket(int fd, unsigned nr, char **instance) {
884 socklen_t l;
885 char *r;
886 union sockaddr_union local, remote;
887
888 assert(fd >= 0);
889 assert(instance);
890
891 l = sizeof(local);
892 if (getsockname(fd, &local.sa, &l) < 0)
893 return -errno;
894
895 l = sizeof(remote);
896 if (getpeername(fd, &remote.sa, &l) < 0)
897 return -errno;
898
899 switch (local.sa.sa_family) {
900
901 case AF_INET: {
902 uint32_t
903 a = be32toh(local.in.sin_addr.s_addr),
904 b = be32toh(remote.in.sin_addr.s_addr);
905
906 if (asprintf(&r,
907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
909 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
910 be16toh(local.in.sin_port),
911 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
912 be16toh(remote.in.sin_port)) < 0)
913 return -ENOMEM;
914
915 break;
916 }
917
918 case AF_INET6: {
919 static const unsigned char ipv4_prefix[] = {
920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
921 };
922
923 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
924 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
925 const uint8_t
926 *a = local.in6.sin6_addr.s6_addr+12,
927 *b = remote.in6.sin6_addr.s6_addr+12;
928
929 if (asprintf(&r,
930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
931 nr,
932 a[0], a[1], a[2], a[3],
933 be16toh(local.in6.sin6_port),
934 b[0], b[1], b[2], b[3],
935 be16toh(remote.in6.sin6_port)) < 0)
936 return -ENOMEM;
937 } else {
938 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
939
940 if (asprintf(&r,
941 "%u-%s:%u-%s:%u",
942 nr,
943 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
944 be16toh(local.in6.sin6_port),
945 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
946 be16toh(remote.in6.sin6_port)) < 0)
947 return -ENOMEM;
948 }
949
950 break;
951 }
952
953 case AF_UNIX: {
954 struct ucred ucred;
955 int k;
956
957 k = getpeercred(fd, &ucred);
958 if (k >= 0) {
959 if (asprintf(&r,
960 "%u-"PID_FMT"-"UID_FMT,
961 nr, ucred.pid, ucred.uid) < 0)
962 return -ENOMEM;
963 } else if (k == -ENODATA) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
967 if (asprintf(&r,
968 "%u-unknown",
969 nr) < 0)
970 return -ENOMEM;
971 } else
972 return k;
973
974 break;
975 }
976
977 case AF_VSOCK:
978 if (asprintf(&r,
979 "%u-%u:%u-%u:%u",
980 nr,
981 local.vm.svm_cid, local.vm.svm_port,
982 remote.vm.svm_cid, remote.vm.svm_port) < 0)
983 return -ENOMEM;
984
985 break;
986
987 default:
988 assert_not_reached("Unhandled socket type.");
989 }
990
991 *instance = r;
992 return 0;
993 }
994
995 static void socket_close_fds(Socket *s) {
996 SocketPort *p;
997 char **i;
998
999 assert(s);
1000
1001 LIST_FOREACH(port, p, s->ports) {
1002 bool was_open;
1003
1004 was_open = p->fd >= 0;
1005
1006 p->event_source = sd_event_source_unref(p->event_source);
1007 p->fd = safe_close(p->fd);
1008 socket_cleanup_fd_list(p);
1009
1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
1015
1016 if (!was_open || !s->remove_on_stop)
1017 continue;
1018
1019 switch (p->type) {
1020
1021 case SOCKET_FIFO:
1022 (void) unlink(p->path);
1023 break;
1024
1025 case SOCKET_MQUEUE:
1026 (void) mq_unlink(p->path);
1027 break;
1028
1029 case SOCKET_SOCKET:
1030 (void) socket_address_unlink(&p->address);
1031 break;
1032
1033 default:
1034 break;
1035 }
1036 }
1037
1038 if (s->remove_on_stop)
1039 STRV_FOREACH(i, s->symlinks)
1040 (void) unlink(*i);
1041 }
1042
1043 static void socket_apply_socket_options(Socket *s, int fd) {
1044 int r;
1045
1046 assert(s);
1047 assert(fd >= 0);
1048
1049 if (s->keep_alive) {
1050 int b = s->keep_alive;
1051 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
1052 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1053 }
1054
1055 if (s->keep_alive_time) {
1056 int value = s->keep_alive_time / USEC_PER_SEC;
1057 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1058 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1059 }
1060
1061 if (s->keep_alive_interval) {
1062 int value = s->keep_alive_interval / USEC_PER_SEC;
1063 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1064 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1065 }
1066
1067 if (s->keep_alive_cnt) {
1068 int value = s->keep_alive_cnt;
1069 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1070 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1071 }
1072
1073 if (s->defer_accept) {
1074 int value = s->defer_accept / USEC_PER_SEC;
1075 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1076 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1077 }
1078
1079 if (s->no_delay) {
1080 int b = s->no_delay;
1081
1082 if (s->socket_protocol == IPPROTO_SCTP) {
1083 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1084 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1085 } else {
1086 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1088 }
1089 }
1090
1091 if (s->broadcast) {
1092 int one = 1;
1093 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
1094 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1095 }
1096
1097 if (s->pass_cred) {
1098 int one = 1;
1099 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
1100 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1101 }
1102
1103 if (s->pass_sec) {
1104 int one = 1;
1105 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
1106 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1107 }
1108
1109 if (s->priority >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1112
1113 if (s->receive_buffer > 0) {
1114 int value = (int) s->receive_buffer;
1115
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1119 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1120 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1121 }
1122
1123 if (s->send_buffer > 0) {
1124 int value = (int) s->send_buffer;
1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1127 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1128 }
1129
1130 if (s->mark >= 0)
1131 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1132 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1133
1134 if (s->ip_tos >= 0)
1135 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1136 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1137
1138 if (s->ip_ttl >= 0) {
1139 int x;
1140
1141 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1142
1143 if (socket_ipv6_is_supported())
1144 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1145 else {
1146 x = -1;
1147 errno = EAFNOSUPPORT;
1148 }
1149
1150 if (r < 0 && x < 0)
1151 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1152 }
1153
1154 if (s->tcp_congestion)
1155 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1156 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1157
1158 if (s->smack_ip_in) {
1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1160 if (r < 0)
1161 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1162 }
1163
1164 if (s->smack_ip_out) {
1165 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1166 if (r < 0)
1167 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1168 }
1169 }
1170
1171 static void socket_apply_fifo_options(Socket *s, int fd) {
1172 int r;
1173
1174 assert(s);
1175 assert(fd >= 0);
1176
1177 if (s->pipe_size > 0)
1178 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1179 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1180
1181 if (s->smack) {
1182 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1183 if (r < 0)
1184 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1185 }
1186 }
1187
1188 static int fifo_address_create(
1189 const char *path,
1190 mode_t directory_mode,
1191 mode_t socket_mode) {
1192
1193 _cleanup_close_ int fd = -1;
1194 mode_t old_mask;
1195 struct stat st;
1196 int r;
1197
1198 assert(path);
1199
1200 (void) mkdir_parents_label(path, directory_mode);
1201
1202 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1203 if (r < 0)
1204 return r;
1205
1206 /* Enforce the right access mode for the fifo */
1207 old_mask = umask(~ socket_mode);
1208
1209 /* Include the original umask in our mask */
1210 (void) umask(~socket_mode | old_mask);
1211
1212 r = mkfifo(path, socket_mode);
1213 (void) umask(old_mask);
1214
1215 if (r < 0 && errno != EEXIST) {
1216 r = -errno;
1217 goto fail;
1218 }
1219
1220 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1221 if (fd < 0) {
1222 r = -errno;
1223 goto fail;
1224 }
1225
1226 mac_selinux_create_file_clear();
1227
1228 if (fstat(fd, &st) < 0) {
1229 r = -errno;
1230 goto fail;
1231 }
1232
1233 if (!S_ISFIFO(st.st_mode) ||
1234 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1235 st.st_uid != getuid() ||
1236 st.st_gid != getgid()) {
1237 r = -EEXIST;
1238 goto fail;
1239 }
1240
1241 r = fd;
1242 fd = -1;
1243
1244 return r;
1245
1246 fail:
1247 mac_selinux_create_file_clear();
1248 return r;
1249 }
1250
1251 static int special_address_create(const char *path, bool writable) {
1252 _cleanup_close_ int fd = -1;
1253 struct stat st;
1254 int r;
1255
1256 assert(path);
1257
1258 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1259 if (fd < 0)
1260 return -errno;
1261
1262 if (fstat(fd, &st) < 0)
1263 return -errno;
1264
1265 /* Check whether this is a /proc, /sys or /dev file or char device */
1266 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1267 return -EEXIST;
1268
1269 r = fd;
1270 fd = -1;
1271
1272 return r;
1273 }
1274
1275 static int usbffs_address_create(const char *path) {
1276 _cleanup_close_ int fd = -1;
1277 struct stat st;
1278 int r;
1279
1280 assert(path);
1281
1282 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1283 if (fd < 0)
1284 return -errno;
1285
1286 if (fstat(fd, &st) < 0)
1287 return -errno;
1288
1289 /* Check whether this is a regular file (ffs endpoint) */
1290 if (!S_ISREG(st.st_mode))
1291 return -EEXIST;
1292
1293 r = fd;
1294 fd = -1;
1295
1296 return r;
1297 }
1298
1299 static int mq_address_create(
1300 const char *path,
1301 mode_t mq_mode,
1302 long maxmsg,
1303 long msgsize) {
1304
1305 _cleanup_close_ int fd = -1;
1306 struct stat st;
1307 mode_t old_mask;
1308 struct mq_attr _attr, *attr = NULL;
1309 int r;
1310
1311 assert(path);
1312
1313 if (maxmsg > 0 && msgsize > 0) {
1314 _attr = (struct mq_attr) {
1315 .mq_flags = O_NONBLOCK,
1316 .mq_maxmsg = maxmsg,
1317 .mq_msgsize = msgsize,
1318 };
1319 attr = &_attr;
1320 }
1321
1322 /* Enforce the right access mode for the mq */
1323 old_mask = umask(~ mq_mode);
1324
1325 /* Include the original umask in our mask */
1326 (void) umask(~mq_mode | old_mask);
1327 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1328 (void) umask(old_mask);
1329
1330 if (fd < 0)
1331 return -errno;
1332
1333 if (fstat(fd, &st) < 0)
1334 return -errno;
1335
1336 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1337 st.st_uid != getuid() ||
1338 st.st_gid != getgid())
1339 return -EEXIST;
1340
1341 r = fd;
1342 fd = -1;
1343
1344 return r;
1345 }
1346
1347 static int socket_symlink(Socket *s) {
1348 const char *p;
1349 char **i;
1350 int r;
1351
1352 assert(s);
1353
1354 p = socket_find_symlink_target(s);
1355 if (!p)
1356 return 0;
1357
1358 STRV_FOREACH(i, s->symlinks) {
1359 (void) mkdir_parents_label(*i, s->directory_mode);
1360
1361 r = symlink_idempotent(p, *i);
1362
1363 if (r == -EEXIST && s->remove_on_stop) {
1364 /* If there's already something where we want to create the symlink, and the destructive
1365 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1366 * again. */
1367
1368 if (unlink(*i) >= 0)
1369 r = symlink_idempotent(p, *i);
1370 }
1371
1372 if (r < 0)
1373 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1374 }
1375
1376 return 0;
1377 }
1378
1379 static int usbffs_write_descs(int fd, Service *s) {
1380 int r;
1381
1382 if (!s->usb_function_descriptors || !s->usb_function_strings)
1383 return -EINVAL;
1384
1385 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1386 if (r < 0)
1387 return r;
1388
1389 return copy_file_fd(s->usb_function_strings, fd, 0);
1390 }
1391
1392 static int usbffs_select_ep(const struct dirent *d) {
1393 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1394 }
1395
1396 static int usbffs_dispatch_eps(SocketPort *p) {
1397 _cleanup_free_ struct dirent **ent = NULL;
1398 int r, i, n, k;
1399
1400 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1401 if (r < 0)
1402 return -errno;
1403
1404 n = r;
1405 p->auxiliary_fds = new(int, n);
1406 if (!p->auxiliary_fds)
1407 return -ENOMEM;
1408
1409 p->n_auxiliary_fds = n;
1410
1411 k = 0;
1412 for (i = 0; i < n; ++i) {
1413 _cleanup_free_ char *ep = NULL;
1414
1415 ep = path_make_absolute(ent[i]->d_name, p->path);
1416 if (!ep)
1417 return -ENOMEM;
1418
1419 path_kill_slashes(ep);
1420
1421 r = usbffs_address_create(ep);
1422 if (r < 0)
1423 goto fail;
1424
1425 p->auxiliary_fds[k] = r;
1426
1427 ++k;
1428 free(ent[i]);
1429 }
1430
1431 return r;
1432
1433 fail:
1434 close_many(p->auxiliary_fds, k);
1435 p->auxiliary_fds = mfree(p->auxiliary_fds);
1436 p->n_auxiliary_fds = 0;
1437
1438 return r;
1439 }
1440
1441 static int socket_determine_selinux_label(Socket *s, char **ret) {
1442 ExecCommand *c;
1443 int r;
1444
1445 assert(s);
1446 assert(ret);
1447
1448 if (s->selinux_context_from_net) {
1449 /* If this is requested, get label from the network label */
1450
1451 r = mac_selinux_get_our_label(ret);
1452 if (r == -EOPNOTSUPP)
1453 goto no_label;
1454
1455 } else {
1456 /* Otherwise, get it from the executable we are about to start */
1457 r = socket_instantiate_service(s);
1458 if (r < 0)
1459 return r;
1460
1461 if (!UNIT_ISSET(s->service))
1462 goto no_label;
1463
1464 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1465 if (!c)
1466 goto no_label;
1467
1468 r = mac_selinux_get_create_label_from_exe(c->path, ret);
1469 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1470 goto no_label;
1471 }
1472
1473 return r;
1474
1475 no_label:
1476 *ret = NULL;
1477 return 0;
1478 }
1479
1480 static int socket_address_listen_do(
1481 Socket *s,
1482 const SocketAddress *address,
1483 const char *label) {
1484
1485 assert(s);
1486 assert(address);
1487
1488 return socket_address_listen(
1489 address,
1490 SOCK_CLOEXEC|SOCK_NONBLOCK,
1491 s->backlog,
1492 s->bind_ipv6_only,
1493 s->bind_to_device,
1494 s->reuse_port,
1495 s->free_bind,
1496 s->transparent,
1497 s->directory_mode,
1498 s->socket_mode,
1499 label);
1500 }
1501
1502 static int socket_address_listen_in_cgroup(
1503 Socket *s,
1504 const SocketAddress *address,
1505 const char *label) {
1506
1507 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1508 int fd, r;
1509 pid_t pid;
1510
1511 assert(s);
1512 assert(address);
1513
1514 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1515 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1516 * unit's cgroup for the purpose of BPF filtering and such. */
1517
1518 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1519 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1520
1521 r = bpf_firewall_supported();
1522 if (r < 0)
1523 return r;
1524 if (r == 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1525 goto shortcut;
1526
1527 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1528 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1529
1530 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1531 if (r < 0)
1532 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1533 if (r == 0) {
1534 /* Child */
1535
1536 pair[0] = safe_close(pair[0]);
1537
1538 fd = socket_address_listen_do(s, address, label);
1539 if (fd < 0) {
1540 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1541 _exit(EXIT_FAILURE);
1542 }
1543
1544 r = send_one_fd(pair[1], fd, 0);
1545 if (r < 0) {
1546 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1547 _exit(EXIT_FAILURE);
1548 }
1549
1550 _exit(EXIT_SUCCESS);
1551 }
1552
1553 pair[1] = safe_close(pair[1]);
1554 fd = receive_one_fd(pair[0], 0);
1555
1556 /* We synchronously wait for the helper, as it shouldn't be slow */
1557 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1558 if (r < 0) {
1559 safe_close(fd);
1560 return r;
1561 }
1562
1563 if (fd < 0)
1564 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1565
1566 return fd;
1567
1568 shortcut:
1569 fd = socket_address_listen_do(s, address, label);
1570 if (fd < 0)
1571 return log_error_errno(fd, "Failed to create listening socket: %m");
1572
1573 return fd;
1574 }
1575
1576 static int socket_open_fds(Socket *s) {
1577 _cleanup_(mac_selinux_freep) char *label = NULL;
1578 bool know_label = false;
1579 SocketPort *p;
1580 int r;
1581
1582 assert(s);
1583
1584 LIST_FOREACH(port, p, s->ports) {
1585
1586 if (p->fd >= 0)
1587 continue;
1588
1589 switch (p->type) {
1590
1591 case SOCKET_SOCKET:
1592
1593 if (!know_label) {
1594 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1595 * we need this and remember it for the rest. */
1596
1597 r = socket_determine_selinux_label(s, &label);
1598 if (r < 0)
1599 goto rollback;
1600
1601 know_label = true;
1602 }
1603
1604 /* Apply the socket protocol */
1605 switch (p->address.type) {
1606
1607 case SOCK_STREAM:
1608 case SOCK_SEQPACKET:
1609 if (s->socket_protocol == IPPROTO_SCTP)
1610 p->address.protocol = s->socket_protocol;
1611 break;
1612
1613 case SOCK_DGRAM:
1614 if (s->socket_protocol == IPPROTO_UDPLITE)
1615 p->address.protocol = s->socket_protocol;
1616 break;
1617 }
1618
1619 r = socket_address_listen_in_cgroup(s, &p->address, label);
1620 if (r < 0)
1621 goto rollback;
1622
1623 p->fd = r;
1624 socket_apply_socket_options(s, p->fd);
1625 socket_symlink(s);
1626 break;
1627
1628 case SOCKET_SPECIAL:
1629
1630 p->fd = special_address_create(p->path, s->writable);
1631 if (p->fd < 0) {
1632 r = p->fd;
1633 goto rollback;
1634 }
1635 break;
1636
1637 case SOCKET_FIFO:
1638
1639 p->fd = fifo_address_create(
1640 p->path,
1641 s->directory_mode,
1642 s->socket_mode);
1643 if (p->fd < 0) {
1644 r = p->fd;
1645 goto rollback;
1646 }
1647
1648 socket_apply_fifo_options(s, p->fd);
1649 socket_symlink(s);
1650 break;
1651
1652 case SOCKET_MQUEUE:
1653
1654 p->fd = mq_address_create(
1655 p->path,
1656 s->socket_mode,
1657 s->mq_maxmsg,
1658 s->mq_msgsize);
1659 if (p->fd < 0) {
1660 r = p->fd;
1661 goto rollback;
1662 }
1663 break;
1664
1665 case SOCKET_USB_FUNCTION: {
1666 _cleanup_free_ char *ep = NULL;
1667
1668 ep = path_make_absolute("ep0", p->path);
1669
1670 p->fd = usbffs_address_create(ep);
1671 if (p->fd < 0) {
1672 r = p->fd;
1673 goto rollback;
1674 }
1675
1676 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1677 if (r < 0)
1678 goto rollback;
1679
1680 r = usbffs_dispatch_eps(p);
1681 if (r < 0)
1682 goto rollback;
1683
1684 break;
1685 }
1686 default:
1687 assert_not_reached("Unknown port type");
1688 }
1689 }
1690
1691 return 0;
1692
1693 rollback:
1694 socket_close_fds(s);
1695 return r;
1696 }
1697
1698 static void socket_unwatch_fds(Socket *s) {
1699 SocketPort *p;
1700 int r;
1701
1702 assert(s);
1703
1704 LIST_FOREACH(port, p, s->ports) {
1705 if (p->fd < 0)
1706 continue;
1707
1708 if (!p->event_source)
1709 continue;
1710
1711 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1712 if (r < 0)
1713 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1714 }
1715 }
1716
1717 static int socket_watch_fds(Socket *s) {
1718 SocketPort *p;
1719 int r;
1720
1721 assert(s);
1722
1723 LIST_FOREACH(port, p, s->ports) {
1724 if (p->fd < 0)
1725 continue;
1726
1727 if (p->event_source) {
1728 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1729 if (r < 0)
1730 goto fail;
1731 } else {
1732 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1733 if (r < 0)
1734 goto fail;
1735
1736 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1737 }
1738 }
1739
1740 return 0;
1741
1742 fail:
1743 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1744 socket_unwatch_fds(s);
1745 return r;
1746 }
1747
1748 enum {
1749 SOCKET_OPEN_NONE,
1750 SOCKET_OPEN_SOME,
1751 SOCKET_OPEN_ALL,
1752 };
1753
1754 static int socket_check_open(Socket *s) {
1755 bool have_open = false, have_closed = false;
1756 SocketPort *p;
1757
1758 assert(s);
1759
1760 LIST_FOREACH(port, p, s->ports) {
1761 if (p->fd < 0)
1762 have_closed = true;
1763 else
1764 have_open = true;
1765
1766 if (have_open && have_closed)
1767 return SOCKET_OPEN_SOME;
1768 }
1769
1770 if (have_open)
1771 return SOCKET_OPEN_ALL;
1772
1773 return SOCKET_OPEN_NONE;
1774 }
1775
1776 static void socket_set_state(Socket *s, SocketState state) {
1777 SocketState old_state;
1778 assert(s);
1779
1780 old_state = s->state;
1781 s->state = state;
1782
1783 if (!IN_SET(state,
1784 SOCKET_START_PRE,
1785 SOCKET_START_CHOWN,
1786 SOCKET_START_POST,
1787 SOCKET_STOP_PRE,
1788 SOCKET_STOP_PRE_SIGTERM,
1789 SOCKET_STOP_PRE_SIGKILL,
1790 SOCKET_STOP_POST,
1791 SOCKET_FINAL_SIGTERM,
1792 SOCKET_FINAL_SIGKILL)) {
1793
1794 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1795 socket_unwatch_control_pid(s);
1796 s->control_command = NULL;
1797 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1798 }
1799
1800 if (state != SOCKET_LISTENING)
1801 socket_unwatch_fds(s);
1802
1803 if (!IN_SET(state,
1804 SOCKET_START_CHOWN,
1805 SOCKET_START_POST,
1806 SOCKET_LISTENING,
1807 SOCKET_RUNNING,
1808 SOCKET_STOP_PRE,
1809 SOCKET_STOP_PRE_SIGTERM,
1810 SOCKET_STOP_PRE_SIGKILL))
1811 socket_close_fds(s);
1812
1813 if (state != old_state)
1814 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1815
1816 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
1817 }
1818
1819 static int socket_coldplug(Unit *u) {
1820 Socket *s = SOCKET(u);
1821 int r;
1822
1823 assert(s);
1824 assert(s->state == SOCKET_DEAD);
1825
1826 if (s->deserialized_state == s->state)
1827 return 0;
1828
1829 if (s->control_pid > 0 &&
1830 pid_is_unwaited(s->control_pid) &&
1831 IN_SET(s->deserialized_state,
1832 SOCKET_START_PRE,
1833 SOCKET_START_CHOWN,
1834 SOCKET_START_POST,
1835 SOCKET_STOP_PRE,
1836 SOCKET_STOP_PRE_SIGTERM,
1837 SOCKET_STOP_PRE_SIGKILL,
1838 SOCKET_STOP_POST,
1839 SOCKET_FINAL_SIGTERM,
1840 SOCKET_FINAL_SIGKILL)) {
1841
1842 r = unit_watch_pid(UNIT(s), s->control_pid);
1843 if (r < 0)
1844 return r;
1845
1846 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1847 if (r < 0)
1848 return r;
1849 }
1850
1851 if (IN_SET(s->deserialized_state,
1852 SOCKET_START_CHOWN,
1853 SOCKET_START_POST,
1854 SOCKET_LISTENING,
1855 SOCKET_RUNNING)) {
1856
1857 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1858 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1859 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1860 * and if there's a mismatch, warn loudly. */
1861
1862 r = socket_check_open(s);
1863 if (r == SOCKET_OPEN_NONE)
1864 log_unit_warning(UNIT(s),
1865 "Socket unit configuration has changed while unit has been running, "
1866 "no open socket file descriptor left. "
1867 "The socket unit is not functional until restarted.");
1868 else if (r == SOCKET_OPEN_SOME)
1869 log_unit_warning(UNIT(s),
1870 "Socket unit configuration has changed while unit has been running, "
1871 "and some socket file descriptors have not been opened yet. "
1872 "The socket unit is not fully functional until restarted.");
1873 }
1874
1875 if (s->deserialized_state == SOCKET_LISTENING) {
1876 r = socket_watch_fds(s);
1877 if (r < 0)
1878 return r;
1879 }
1880
1881 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
1882 (void) unit_setup_dynamic_creds(u);
1883 (void) unit_setup_exec_runtime(u);
1884 }
1885
1886 socket_set_state(s, s->deserialized_state);
1887 return 0;
1888 }
1889
1890 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1891
1892 ExecParameters exec_params = {
1893 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1894 .stdin_fd = -1,
1895 .stdout_fd = -1,
1896 .stderr_fd = -1,
1897 };
1898 pid_t pid;
1899 int r;
1900
1901 assert(s);
1902 assert(c);
1903 assert(_pid);
1904
1905 r = unit_prepare_exec(UNIT(s));
1906 if (r < 0)
1907 return r;
1908
1909 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1910 if (r < 0)
1911 return r;
1912
1913 manager_set_exec_params(UNIT(s)->manager, &exec_params);
1914 unit_set_exec_params(UNIT(s), &exec_params);
1915
1916 exec_params.argv = c->argv;
1917
1918 r = exec_spawn(UNIT(s),
1919 c,
1920 &s->exec_context,
1921 &exec_params,
1922 s->exec_runtime,
1923 &s->dynamic_creds,
1924 &pid);
1925 if (r < 0)
1926 return r;
1927
1928 r = unit_watch_pid(UNIT(s), pid);
1929 if (r < 0)
1930 /* FIXME: we need to do something here */
1931 return r;
1932
1933 *_pid = pid;
1934
1935 return 0;
1936 }
1937
1938 static int socket_chown(Socket *s, pid_t *_pid) {
1939 pid_t pid;
1940 int r;
1941
1942 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1943 if (r < 0)
1944 goto fail;
1945
1946 /* We have to resolve the user names out-of-process, hence
1947 * let's fork here. It's messy, but well, what can we do? */
1948
1949 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1950 if (r < 0)
1951 return r;
1952 if (r == 0) {
1953 uid_t uid = UID_INVALID;
1954 gid_t gid = GID_INVALID;
1955 SocketPort *p;
1956
1957 /* Child */
1958
1959 if (!isempty(s->user)) {
1960 const char *user = s->user;
1961
1962 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1963 if (r < 0) {
1964 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1965 _exit(EXIT_USER);
1966 }
1967 }
1968
1969 if (!isempty(s->group)) {
1970 const char *group = s->group;
1971
1972 r = get_group_creds(&group, &gid);
1973 if (r < 0) {
1974 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1975 _exit(EXIT_GROUP);
1976 }
1977 }
1978
1979 LIST_FOREACH(port, p, s->ports) {
1980 const char *path = NULL;
1981
1982 if (p->type == SOCKET_SOCKET)
1983 path = socket_address_get_path(&p->address);
1984 else if (p->type == SOCKET_FIFO)
1985 path = p->path;
1986
1987 if (!path)
1988 continue;
1989
1990 if (chown(path, uid, gid) < 0) {
1991 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1992 _exit(EXIT_CHOWN);
1993 }
1994 }
1995
1996 _exit(EXIT_SUCCESS);
1997 }
1998
1999 r = unit_watch_pid(UNIT(s), pid);
2000 if (r < 0)
2001 goto fail;
2002
2003 *_pid = pid;
2004 return 0;
2005
2006 fail:
2007 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
2008 return r;
2009 }
2010
2011 static void socket_enter_dead(Socket *s, SocketResult f) {
2012 assert(s);
2013
2014 if (s->result == SOCKET_SUCCESS)
2015 s->result = f;
2016
2017 if (s->result != SOCKET_SUCCESS)
2018 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2019
2020 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2021
2022 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
2023
2024 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2025
2026 unit_unref_uid_gid(UNIT(s), true);
2027
2028 dynamic_creds_destroy(&s->dynamic_creds);
2029 }
2030
2031 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2032
2033 static void socket_enter_stop_post(Socket *s, SocketResult f) {
2034 int r;
2035 assert(s);
2036
2037 if (s->result == SOCKET_SUCCESS)
2038 s->result = f;
2039
2040 socket_unwatch_control_pid(s);
2041 s->control_command_id = SOCKET_EXEC_STOP_POST;
2042 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2043
2044 if (s->control_command) {
2045 r = socket_spawn(s, s->control_command, &s->control_pid);
2046 if (r < 0)
2047 goto fail;
2048
2049 socket_set_state(s, SOCKET_STOP_POST);
2050 } else
2051 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2052
2053 return;
2054
2055 fail:
2056 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2057 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2058 }
2059
2060 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2061 int r;
2062
2063 assert(s);
2064
2065 if (s->result == SOCKET_SUCCESS)
2066 s->result = f;
2067
2068 r = unit_kill_context(
2069 UNIT(s),
2070 &s->kill_context,
2071 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2072 KILL_KILL : KILL_TERMINATE,
2073 -1,
2074 s->control_pid,
2075 false);
2076 if (r < 0)
2077 goto fail;
2078
2079 if (r > 0) {
2080 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2081 if (r < 0)
2082 goto fail;
2083
2084 socket_set_state(s, state);
2085 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2086 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2087 else if (state == SOCKET_STOP_PRE_SIGKILL)
2088 socket_enter_stop_post(s, SOCKET_SUCCESS);
2089 else if (state == SOCKET_FINAL_SIGTERM)
2090 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2091 else
2092 socket_enter_dead(s, SOCKET_SUCCESS);
2093
2094 return;
2095
2096 fail:
2097 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2098
2099 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2100 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2101 else
2102 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2103 }
2104
2105 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2106 int r;
2107 assert(s);
2108
2109 if (s->result == SOCKET_SUCCESS)
2110 s->result = f;
2111
2112 socket_unwatch_control_pid(s);
2113 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2114 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2115
2116 if (s->control_command) {
2117 r = socket_spawn(s, s->control_command, &s->control_pid);
2118 if (r < 0)
2119 goto fail;
2120
2121 socket_set_state(s, SOCKET_STOP_PRE);
2122 } else
2123 socket_enter_stop_post(s, SOCKET_SUCCESS);
2124
2125 return;
2126
2127 fail:
2128 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2129 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2130 }
2131
2132 static void socket_enter_listening(Socket *s) {
2133 int r;
2134 assert(s);
2135
2136 r = socket_watch_fds(s);
2137 if (r < 0) {
2138 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2139 goto fail;
2140 }
2141
2142 socket_set_state(s, SOCKET_LISTENING);
2143 return;
2144
2145 fail:
2146 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2147 }
2148
2149 static void socket_enter_start_post(Socket *s) {
2150 int r;
2151 assert(s);
2152
2153 socket_unwatch_control_pid(s);
2154 s->control_command_id = SOCKET_EXEC_START_POST;
2155 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2156
2157 if (s->control_command) {
2158 r = socket_spawn(s, s->control_command, &s->control_pid);
2159 if (r < 0) {
2160 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2161 goto fail;
2162 }
2163
2164 socket_set_state(s, SOCKET_START_POST);
2165 } else
2166 socket_enter_listening(s);
2167
2168 return;
2169
2170 fail:
2171 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2172 }
2173
2174 static void socket_enter_start_chown(Socket *s) {
2175 int r;
2176
2177 assert(s);
2178
2179 r = socket_open_fds(s);
2180 if (r < 0) {
2181 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2182 goto fail;
2183 }
2184
2185 if (!isempty(s->user) || !isempty(s->group)) {
2186
2187 socket_unwatch_control_pid(s);
2188 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2189 s->control_command = NULL;
2190
2191 r = socket_chown(s, &s->control_pid);
2192 if (r < 0) {
2193 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2194 goto fail;
2195 }
2196
2197 socket_set_state(s, SOCKET_START_CHOWN);
2198 } else
2199 socket_enter_start_post(s);
2200
2201 return;
2202
2203 fail:
2204 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2205 }
2206
2207 static void socket_enter_start_pre(Socket *s) {
2208 int r;
2209 assert(s);
2210
2211 socket_unwatch_control_pid(s);
2212
2213 unit_warn_leftover_processes(UNIT(s));
2214
2215 s->control_command_id = SOCKET_EXEC_START_PRE;
2216 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2217
2218 if (s->control_command) {
2219 r = socket_spawn(s, s->control_command, &s->control_pid);
2220 if (r < 0) {
2221 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2222 goto fail;
2223 }
2224
2225 socket_set_state(s, SOCKET_START_PRE);
2226 } else
2227 socket_enter_start_chown(s);
2228
2229 return;
2230
2231 fail:
2232 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2233 }
2234
2235 static void flush_ports(Socket *s) {
2236 SocketPort *p;
2237
2238 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2239 * anymore */
2240
2241 LIST_FOREACH(port, p, s->ports) {
2242 if (p->fd < 0)
2243 continue;
2244
2245 (void) flush_accept(p->fd);
2246 (void) flush_fd(p->fd);
2247 }
2248 }
2249
2250 static void socket_enter_running(Socket *s, int cfd) {
2251 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2252 int r;
2253
2254 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2255 * close it. */
2256
2257 assert(s);
2258
2259 /* We don't take connections anymore if we are supposed to shut down anyway */
2260 if (unit_stop_pending(UNIT(s))) {
2261
2262 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2263
2264 if (cfd >= 0)
2265 cfd = safe_close(cfd);
2266 else
2267 flush_ports(s);
2268
2269 return;
2270 }
2271
2272 if (!ratelimit_test(&s->trigger_limit)) {
2273 safe_close(cfd);
2274 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2275 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2276 return;
2277 }
2278
2279 if (cfd < 0) {
2280 bool pending = false;
2281 Unit *other;
2282 Iterator i;
2283 void *v;
2284
2285 /* If there's already a start pending don't bother to
2286 * do anything */
2287 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2288 if (unit_active_or_pending(other)) {
2289 pending = true;
2290 break;
2291 }
2292
2293 if (!pending) {
2294 if (!UNIT_ISSET(s->service)) {
2295 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2296 r = -ENOENT;
2297 goto fail;
2298 }
2299
2300 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2301 if (r < 0)
2302 goto fail;
2303 }
2304
2305 socket_set_state(s, SOCKET_RUNNING);
2306 } else {
2307 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2308 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2309 Service *service;
2310
2311 if (s->n_connections >= s->max_connections) {
2312 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2313 s->n_connections);
2314 safe_close(cfd);
2315 return;
2316 }
2317
2318 if (s->max_connections_per_source > 0) {
2319 r = socket_acquire_peer(s, cfd, &p);
2320 if (r < 0) {
2321 safe_close(cfd);
2322 return;
2323 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2324 _cleanup_free_ char *t = NULL;
2325
2326 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2327
2328 log_unit_warning(UNIT(s),
2329 "Too many incoming connections (%u) from source %s, dropping connection.",
2330 p->n_ref, strnull(t));
2331 safe_close(cfd);
2332 return;
2333 }
2334 }
2335
2336 r = socket_instantiate_service(s);
2337 if (r < 0)
2338 goto fail;
2339
2340 r = instance_from_socket(cfd, s->n_accepted, &instance);
2341 if (r < 0) {
2342 if (r != -ENOTCONN)
2343 goto fail;
2344
2345 /* ENOTCONN is legitimate if TCP RST was received.
2346 * This connection is over, but the socket unit lives on. */
2347 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2348 safe_close(cfd);
2349 return;
2350 }
2351
2352 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2353 if (r < 0)
2354 goto fail;
2355
2356 r = unit_name_build(prefix, instance, ".service", &name);
2357 if (r < 0)
2358 goto fail;
2359
2360 r = unit_add_name(UNIT_DEREF(s->service), name);
2361 if (r < 0)
2362 goto fail;
2363
2364 service = SERVICE(UNIT_DEREF(s->service));
2365 unit_ref_unset(&s->service);
2366
2367 s->n_accepted++;
2368 unit_choose_id(UNIT(service), name);
2369
2370 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2371 if (r < 0)
2372 goto fail;
2373
2374 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2375 s->n_connections++;
2376
2377 service->peer = p; /* Pass ownership of the peer reference */
2378 p = NULL;
2379
2380 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2381 if (r < 0) {
2382 /* We failed to activate the new service, but it still exists. Let's make sure the service
2383 * closes and forgets the connection fd again, immediately. */
2384 service_close_socket_fd(service);
2385 goto fail;
2386 }
2387
2388 /* Notify clients about changed counters */
2389 unit_add_to_dbus_queue(UNIT(s));
2390 }
2391
2392 return;
2393
2394 fail:
2395 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2396 cfd >= 0 ? "template" : "non-template",
2397 bus_error_message(&error, r));
2398
2399 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2400 safe_close(cfd);
2401 }
2402
2403 static void socket_run_next(Socket *s) {
2404 int r;
2405
2406 assert(s);
2407 assert(s->control_command);
2408 assert(s->control_command->command_next);
2409
2410 socket_unwatch_control_pid(s);
2411
2412 s->control_command = s->control_command->command_next;
2413
2414 r = socket_spawn(s, s->control_command, &s->control_pid);
2415 if (r < 0)
2416 goto fail;
2417
2418 return;
2419
2420 fail:
2421 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2422
2423 if (s->state == SOCKET_START_POST)
2424 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2425 else if (s->state == SOCKET_STOP_POST)
2426 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2427 else
2428 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2429 }
2430
2431 static int socket_start(Unit *u) {
2432 Socket *s = SOCKET(u);
2433 int r;
2434
2435 assert(s);
2436
2437 /* We cannot fulfill this request right now, try again later
2438 * please! */
2439 if (IN_SET(s->state,
2440 SOCKET_STOP_PRE,
2441 SOCKET_STOP_PRE_SIGKILL,
2442 SOCKET_STOP_PRE_SIGTERM,
2443 SOCKET_STOP_POST,
2444 SOCKET_FINAL_SIGTERM,
2445 SOCKET_FINAL_SIGKILL))
2446 return -EAGAIN;
2447
2448 /* Already on it! */
2449 if (IN_SET(s->state,
2450 SOCKET_START_PRE,
2451 SOCKET_START_CHOWN,
2452 SOCKET_START_POST))
2453 return 0;
2454
2455 /* Cannot run this without the service being around */
2456 if (UNIT_ISSET(s->service)) {
2457 Service *service;
2458
2459 service = SERVICE(UNIT_DEREF(s->service));
2460
2461 if (UNIT(service)->load_state != UNIT_LOADED) {
2462 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2463 return -ENOENT;
2464 }
2465
2466 /* If the service is already active we cannot start the
2467 * socket */
2468 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2469 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2470 return -EBUSY;
2471 }
2472 }
2473
2474 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2475
2476 r = unit_start_limit_test(u);
2477 if (r < 0) {
2478 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2479 return r;
2480 }
2481
2482 r = unit_acquire_invocation_id(u);
2483 if (r < 0)
2484 return r;
2485
2486 s->result = SOCKET_SUCCESS;
2487
2488 u->reset_accounting = true;
2489
2490 socket_enter_start_pre(s);
2491 return 1;
2492 }
2493
2494 static int socket_stop(Unit *u) {
2495 Socket *s = SOCKET(u);
2496
2497 assert(s);
2498
2499 /* Already on it */
2500 if (IN_SET(s->state,
2501 SOCKET_STOP_PRE,
2502 SOCKET_STOP_PRE_SIGTERM,
2503 SOCKET_STOP_PRE_SIGKILL,
2504 SOCKET_STOP_POST,
2505 SOCKET_FINAL_SIGTERM,
2506 SOCKET_FINAL_SIGKILL))
2507 return 0;
2508
2509 /* If there's already something running we go directly into
2510 * kill mode. */
2511 if (IN_SET(s->state,
2512 SOCKET_START_PRE,
2513 SOCKET_START_CHOWN,
2514 SOCKET_START_POST)) {
2515 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2516 return -EAGAIN;
2517 }
2518
2519 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2520
2521 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2522 return 1;
2523 }
2524
2525 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2526 Socket *s = SOCKET(u);
2527 SocketPort *p;
2528 int r;
2529
2530 assert(u);
2531 assert(f);
2532 assert(fds);
2533
2534 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2535 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2536 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2537
2538 if (s->control_pid > 0)
2539 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2540
2541 if (s->control_command_id >= 0)
2542 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2543
2544 LIST_FOREACH(port, p, s->ports) {
2545 int copy;
2546
2547 if (p->fd < 0)
2548 continue;
2549
2550 copy = fdset_put_dup(fds, p->fd);
2551 if (copy < 0)
2552 return copy;
2553
2554 if (p->type == SOCKET_SOCKET) {
2555 _cleanup_free_ char *t = NULL;
2556
2557 r = socket_address_print(&p->address, &t);
2558 if (r < 0)
2559 return r;
2560
2561 if (socket_address_family(&p->address) == AF_NETLINK)
2562 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2563 else
2564 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2565
2566 } else if (p->type == SOCKET_SPECIAL)
2567 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2568 else if (p->type == SOCKET_MQUEUE)
2569 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2570 else if (p->type == SOCKET_USB_FUNCTION)
2571 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2572 else {
2573 assert(p->type == SOCKET_FIFO);
2574 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2575 }
2576 }
2577
2578 return 0;
2579 }
2580
2581 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2582 safe_close(p->fd);
2583 p->fd = fdset_remove(fds, fd);
2584 }
2585
2586 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2587 Socket *s = SOCKET(u);
2588
2589 assert(u);
2590 assert(key);
2591 assert(value);
2592
2593 if (streq(key, "state")) {
2594 SocketState state;
2595
2596 state = socket_state_from_string(value);
2597 if (state < 0)
2598 log_unit_debug(u, "Failed to parse state value: %s", value);
2599 else
2600 s->deserialized_state = state;
2601 } else if (streq(key, "result")) {
2602 SocketResult f;
2603
2604 f = socket_result_from_string(value);
2605 if (f < 0)
2606 log_unit_debug(u, "Failed to parse result value: %s", value);
2607 else if (f != SOCKET_SUCCESS)
2608 s->result = f;
2609
2610 } else if (streq(key, "n-accepted")) {
2611 unsigned k;
2612
2613 if (safe_atou(value, &k) < 0)
2614 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2615 else
2616 s->n_accepted += k;
2617 } else if (streq(key, "control-pid")) {
2618 pid_t pid;
2619
2620 if (parse_pid(value, &pid) < 0)
2621 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2622 else
2623 s->control_pid = pid;
2624 } else if (streq(key, "control-command")) {
2625 SocketExecCommand id;
2626
2627 id = socket_exec_command_from_string(value);
2628 if (id < 0)
2629 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2630 else {
2631 s->control_command_id = id;
2632 s->control_command = s->exec_command[id];
2633 }
2634 } else if (streq(key, "fifo")) {
2635 int fd, skip = 0;
2636 SocketPort *p;
2637
2638 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2639 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2640 else
2641 LIST_FOREACH(port, p, s->ports)
2642 if (p->type == SOCKET_FIFO &&
2643 path_equal_or_files_same(p->path, value+skip, 0)) {
2644 socket_port_take_fd(p, fds, fd);
2645 break;
2646 }
2647
2648 } else if (streq(key, "special")) {
2649 int fd, skip = 0;
2650 SocketPort *p;
2651
2652 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2653 log_unit_debug(u, "Failed to parse special value: %s", value);
2654 else
2655 LIST_FOREACH(port, p, s->ports)
2656 if (p->type == SOCKET_SPECIAL &&
2657 path_equal_or_files_same(p->path, value+skip, 0)) {
2658 socket_port_take_fd(p, fds, fd);
2659 break;
2660 }
2661
2662 } else if (streq(key, "mqueue")) {
2663 int fd, skip = 0;
2664 SocketPort *p;
2665
2666 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2667 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2668 else
2669 LIST_FOREACH(port, p, s->ports)
2670 if (p->type == SOCKET_MQUEUE &&
2671 streq(p->path, value+skip)) {
2672 socket_port_take_fd(p, fds, fd);
2673 break;
2674 }
2675
2676 } else if (streq(key, "socket")) {
2677 int fd, type, skip = 0;
2678 SocketPort *p;
2679
2680 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2681 log_unit_debug(u, "Failed to parse socket value: %s", value);
2682 else
2683 LIST_FOREACH(port, p, s->ports)
2684 if (socket_address_is(&p->address, value+skip, type)) {
2685 socket_port_take_fd(p, fds, fd);
2686 break;
2687 }
2688
2689 } else if (streq(key, "netlink")) {
2690 int fd, skip = 0;
2691 SocketPort *p;
2692
2693 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2694 log_unit_debug(u, "Failed to parse socket value: %s", value);
2695 else
2696 LIST_FOREACH(port, p, s->ports)
2697 if (socket_address_is_netlink(&p->address, value+skip)) {
2698 socket_port_take_fd(p, fds, fd);
2699 break;
2700 }
2701
2702 } else if (streq(key, "ffs")) {
2703 int fd, skip = 0;
2704 SocketPort *p;
2705
2706 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2707 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2708 else
2709 LIST_FOREACH(port, p, s->ports)
2710 if (p->type == SOCKET_USB_FUNCTION &&
2711 path_equal_or_files_same(p->path, value+skip, 0)) {
2712 socket_port_take_fd(p, fds, fd);
2713 break;
2714 }
2715
2716 } else
2717 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2718
2719 return 0;
2720 }
2721
2722 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2723 Socket *s = SOCKET(u);
2724 SocketPort *p;
2725
2726 assert(u);
2727
2728 LIST_FOREACH(port, p, s->ports) {
2729 Iterator i;
2730 int fd;
2731
2732 if (p->type != SOCKET_SOCKET)
2733 continue;
2734
2735 if (p->fd >= 0)
2736 continue;
2737
2738 FDSET_FOREACH(fd, fds, i) {
2739 if (socket_address_matches_fd(&p->address, fd)) {
2740 p->fd = fdset_remove(fds, fd);
2741 s->deserialized_state = SOCKET_LISTENING;
2742 break;
2743 }
2744 }
2745 }
2746 }
2747
2748 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2749 assert(u);
2750
2751 return state_translation_table[SOCKET(u)->state];
2752 }
2753
2754 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2755 assert(u);
2756
2757 return socket_state_to_string(SOCKET(u)->state);
2758 }
2759
2760 const char* socket_port_type_to_string(SocketPort *p) {
2761
2762 assert(p);
2763
2764 switch (p->type) {
2765
2766 case SOCKET_SOCKET:
2767
2768 switch (p->address.type) {
2769
2770 case SOCK_STREAM:
2771 return "Stream";
2772
2773 case SOCK_DGRAM:
2774 return "Datagram";
2775
2776 case SOCK_SEQPACKET:
2777 return "SequentialPacket";
2778
2779 case SOCK_RAW:
2780 if (socket_address_family(&p->address) == AF_NETLINK)
2781 return "Netlink";
2782
2783 _fallthrough_;
2784 default:
2785 return NULL;
2786 }
2787
2788 case SOCKET_SPECIAL:
2789 return "Special";
2790
2791 case SOCKET_MQUEUE:
2792 return "MessageQueue";
2793
2794 case SOCKET_FIFO:
2795 return "FIFO";
2796
2797 case SOCKET_USB_FUNCTION:
2798 return "USBFunction";
2799
2800 default:
2801 return NULL;
2802 }
2803 }
2804
2805 SocketType socket_port_type_from_string(const char *s) {
2806 assert(s);
2807
2808 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2809 return SOCKET_SOCKET;
2810 else if (streq(s, "Special"))
2811 return SOCKET_SPECIAL;
2812 else if (streq(s, "MessageQueue"))
2813 return SOCKET_MQUEUE;
2814 else if (streq(s, "FIFO"))
2815 return SOCKET_FIFO;
2816 else if (streq(s, "USBFunction"))
2817 return SOCKET_USB_FUNCTION;
2818 else
2819 return _SOCKET_TYPE_INVALID;
2820 }
2821
2822 _pure_ static bool socket_may_gc(Unit *u) {
2823 Socket *s = SOCKET(u);
2824
2825 assert(u);
2826
2827 return s->n_connections == 0;
2828 }
2829
2830 static int socket_accept_do(Socket *s, int fd) {
2831 int cfd;
2832
2833 assert(s);
2834 assert(fd >= 0);
2835
2836 for (;;) {
2837 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2838 if (cfd < 0) {
2839 if (errno == EINTR)
2840 continue;
2841
2842 return -errno;
2843 }
2844
2845 break;
2846 }
2847
2848 return cfd;
2849 }
2850
2851 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2852 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2853 int cfd, r;
2854 pid_t pid;
2855
2856 assert(s);
2857 assert(p);
2858 assert(fd >= 0);
2859
2860 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2861 * connection socket is also properly associated with the cgroup. */
2862
2863 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2864 goto shortcut;
2865
2866 r = bpf_firewall_supported();
2867 if (r < 0)
2868 return r;
2869 if (r == 0)
2870 goto shortcut;
2871
2872 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2873 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2874
2875 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2876 if (r < 0)
2877 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2878 if (r == 0) {
2879 /* Child */
2880
2881 pair[0] = safe_close(pair[0]);
2882
2883 cfd = socket_accept_do(s, fd);
2884 if (cfd < 0) {
2885 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2886 _exit(EXIT_FAILURE);
2887 }
2888
2889 r = send_one_fd(pair[1], cfd, 0);
2890 if (r < 0) {
2891 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2892 _exit(EXIT_FAILURE);
2893 }
2894
2895 _exit(EXIT_SUCCESS);
2896 }
2897
2898 pair[1] = safe_close(pair[1]);
2899 cfd = receive_one_fd(pair[0], 0);
2900
2901 /* We synchronously wait for the helper, as it shouldn't be slow */
2902 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2903 if (r < 0) {
2904 safe_close(cfd);
2905 return r;
2906 }
2907
2908 if (cfd < 0)
2909 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2910
2911 return cfd;
2912
2913 shortcut:
2914 cfd = socket_accept_do(s, fd);
2915 if (cfd < 0)
2916 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2917
2918 return cfd;
2919 }
2920
2921 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2922 SocketPort *p = userdata;
2923 int cfd = -1;
2924
2925 assert(p);
2926 assert(fd >= 0);
2927
2928 if (p->socket->state != SOCKET_LISTENING)
2929 return 0;
2930
2931 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2932
2933 if (revents != EPOLLIN) {
2934
2935 if (revents & EPOLLHUP)
2936 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2937 else
2938 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2939 goto fail;
2940 }
2941
2942 if (p->socket->accept &&
2943 p->type == SOCKET_SOCKET &&
2944 socket_address_can_accept(&p->address)) {
2945
2946 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2947 if (cfd < 0)
2948 goto fail;
2949
2950 socket_apply_socket_options(p->socket, cfd);
2951 }
2952
2953 socket_enter_running(p->socket, cfd);
2954 return 0;
2955
2956 fail:
2957 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2958 return 0;
2959 }
2960
2961 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2962 Socket *s = SOCKET(u);
2963 SocketResult f;
2964
2965 assert(s);
2966 assert(pid >= 0);
2967
2968 if (pid != s->control_pid)
2969 return;
2970
2971 s->control_pid = 0;
2972
2973 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2974 f = SOCKET_SUCCESS;
2975 else if (code == CLD_EXITED)
2976 f = SOCKET_FAILURE_EXIT_CODE;
2977 else if (code == CLD_KILLED)
2978 f = SOCKET_FAILURE_SIGNAL;
2979 else if (code == CLD_DUMPED)
2980 f = SOCKET_FAILURE_CORE_DUMP;
2981 else
2982 assert_not_reached("Unknown sigchld code");
2983
2984 if (s->control_command) {
2985 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2986
2987 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2988 f = SOCKET_SUCCESS;
2989 }
2990
2991 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2992 "Control process exited, code=%s status=%i",
2993 sigchld_code_to_string(code), status);
2994
2995 if (s->result == SOCKET_SUCCESS)
2996 s->result = f;
2997
2998 if (s->control_command &&
2999 s->control_command->command_next &&
3000 f == SOCKET_SUCCESS) {
3001
3002 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
3003 socket_run_next(s);
3004 } else {
3005 s->control_command = NULL;
3006 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
3007
3008 /* No further commands for this step, so let's figure
3009 * out what to do next */
3010
3011 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
3012
3013 switch (s->state) {
3014
3015 case SOCKET_START_PRE:
3016 if (f == SOCKET_SUCCESS)
3017 socket_enter_start_chown(s);
3018 else
3019 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
3020 break;
3021
3022 case SOCKET_START_CHOWN:
3023 if (f == SOCKET_SUCCESS)
3024 socket_enter_start_post(s);
3025 else
3026 socket_enter_stop_pre(s, f);
3027 break;
3028
3029 case SOCKET_START_POST:
3030 if (f == SOCKET_SUCCESS)
3031 socket_enter_listening(s);
3032 else
3033 socket_enter_stop_pre(s, f);
3034 break;
3035
3036 case SOCKET_STOP_PRE:
3037 case SOCKET_STOP_PRE_SIGTERM:
3038 case SOCKET_STOP_PRE_SIGKILL:
3039 socket_enter_stop_post(s, f);
3040 break;
3041
3042 case SOCKET_STOP_POST:
3043 case SOCKET_FINAL_SIGTERM:
3044 case SOCKET_FINAL_SIGKILL:
3045 socket_enter_dead(s, f);
3046 break;
3047
3048 default:
3049 assert_not_reached("Uh, control process died at wrong time.");
3050 }
3051 }
3052
3053 /* Notify clients about changed exit status */
3054 unit_add_to_dbus_queue(u);
3055 }
3056
3057 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3058 Socket *s = SOCKET(userdata);
3059
3060 assert(s);
3061 assert(s->timer_event_source == source);
3062
3063 switch (s->state) {
3064
3065 case SOCKET_START_PRE:
3066 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3067 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3068 break;
3069
3070 case SOCKET_START_CHOWN:
3071 case SOCKET_START_POST:
3072 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3073 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3074 break;
3075
3076 case SOCKET_STOP_PRE:
3077 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3078 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3079 break;
3080
3081 case SOCKET_STOP_PRE_SIGTERM:
3082 if (s->kill_context.send_sigkill) {
3083 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3084 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3085 } else {
3086 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3087 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3088 }
3089 break;
3090
3091 case SOCKET_STOP_PRE_SIGKILL:
3092 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3093 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3094 break;
3095
3096 case SOCKET_STOP_POST:
3097 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3098 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3099 break;
3100
3101 case SOCKET_FINAL_SIGTERM:
3102 if (s->kill_context.send_sigkill) {
3103 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3104 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3105 } else {
3106 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3107 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3108 }
3109 break;
3110
3111 case SOCKET_FINAL_SIGKILL:
3112 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3113 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3114 break;
3115
3116 default:
3117 assert_not_reached("Timeout at wrong time.");
3118 }
3119
3120 return 0;
3121 }
3122
3123 int socket_collect_fds(Socket *s, int **fds) {
3124 int *rfds, k = 0, n = 0;
3125 SocketPort *p;
3126
3127 assert(s);
3128 assert(fds);
3129
3130 /* Called from the service code for requesting our fds */
3131
3132 LIST_FOREACH(port, p, s->ports) {
3133 if (p->fd >= 0)
3134 n++;
3135 n += p->n_auxiliary_fds;
3136 }
3137
3138 if (n <= 0) {
3139 *fds = NULL;
3140 return 0;
3141 }
3142
3143 rfds = new(int, n);
3144 if (!rfds)
3145 return -ENOMEM;
3146
3147 LIST_FOREACH(port, p, s->ports) {
3148 int i;
3149
3150 if (p->fd >= 0)
3151 rfds[k++] = p->fd;
3152 for (i = 0; i < p->n_auxiliary_fds; ++i)
3153 rfds[k++] = p->auxiliary_fds[i];
3154 }
3155
3156 assert(k == n);
3157
3158 *fds = rfds;
3159 return n;
3160 }
3161
3162 static void socket_reset_failed(Unit *u) {
3163 Socket *s = SOCKET(u);
3164
3165 assert(s);
3166
3167 if (s->state == SOCKET_FAILED)
3168 socket_set_state(s, SOCKET_DEAD);
3169
3170 s->result = SOCKET_SUCCESS;
3171 }
3172
3173 void socket_connection_unref(Socket *s) {
3174 assert(s);
3175
3176 /* The service is dead. Yay!
3177 *
3178 * This is strictly for one-instance-per-connection
3179 * services. */
3180
3181 assert(s->n_connections > 0);
3182 s->n_connections--;
3183
3184 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3185 }
3186
3187 static void socket_trigger_notify(Unit *u, Unit *other) {
3188 Socket *s = SOCKET(u);
3189
3190 assert(u);
3191 assert(other);
3192
3193 /* Filter out invocations with bogus state */
3194 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3195 return;
3196
3197 /* Don't propagate state changes from the service if we are already down */
3198 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3199 return;
3200
3201 /* We don't care for the service state if we are in Accept=yes mode */
3202 if (s->accept)
3203 return;
3204
3205 /* Propagate start limit hit state */
3206 if (other->start_limit_hit) {
3207 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3208 return;
3209 }
3210
3211 /* Don't propagate anything if there's still a job queued */
3212 if (other->job)
3213 return;
3214
3215 if (IN_SET(SERVICE(other)->state,
3216 SERVICE_DEAD, SERVICE_FAILED,
3217 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3218 SERVICE_AUTO_RESTART))
3219 socket_enter_listening(s);
3220
3221 if (SERVICE(other)->state == SERVICE_RUNNING)
3222 socket_set_state(s, SOCKET_RUNNING);
3223 }
3224
3225 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3226 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3227 }
3228
3229 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3230 Socket *s = SOCKET(u);
3231 usec_t t;
3232 int r;
3233
3234 if (!s->timer_event_source)
3235 return 0;
3236
3237 r = sd_event_source_get_time(s->timer_event_source, &t);
3238 if (r < 0)
3239 return r;
3240 if (t == USEC_INFINITY)
3241 return 0;
3242
3243 *timeout = t;
3244 return 1;
3245 }
3246
3247 char *socket_fdname(Socket *s) {
3248 assert(s);
3249
3250 /* Returns the name to use for $LISTEN_NAMES. If the user
3251 * didn't specify anything specifically, use the socket unit's
3252 * name as fallback. */
3253
3254 return s->fdname ?: UNIT(s)->id;
3255 }
3256
3257 static int socket_control_pid(Unit *u) {
3258 Socket *s = SOCKET(u);
3259
3260 assert(s);
3261
3262 return s->control_pid;
3263 }
3264
3265 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3266 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3267 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3268 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3269 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3270 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3271 };
3272
3273 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3274
3275 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3276 [SOCKET_SUCCESS] = "success",
3277 [SOCKET_FAILURE_RESOURCES] = "resources",
3278 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3279 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3280 [SOCKET_FAILURE_SIGNAL] = "signal",
3281 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3282 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3283 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3284 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3285 };
3286
3287 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3288
3289 const UnitVTable socket_vtable = {
3290 .object_size = sizeof(Socket),
3291 .exec_context_offset = offsetof(Socket, exec_context),
3292 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3293 .kill_context_offset = offsetof(Socket, kill_context),
3294 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3295 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3296
3297 .sections =
3298 "Unit\0"
3299 "Socket\0"
3300 "Install\0",
3301 .private_section = "Socket",
3302
3303 .can_transient = true,
3304
3305 .init = socket_init,
3306 .done = socket_done,
3307 .load = socket_load,
3308
3309 .coldplug = socket_coldplug,
3310
3311 .dump = socket_dump,
3312
3313 .start = socket_start,
3314 .stop = socket_stop,
3315
3316 .kill = socket_kill,
3317
3318 .get_timeout = socket_get_timeout,
3319
3320 .serialize = socket_serialize,
3321 .deserialize_item = socket_deserialize_item,
3322 .distribute_fds = socket_distribute_fds,
3323
3324 .active_state = socket_active_state,
3325 .sub_state_to_string = socket_sub_state_to_string,
3326
3327 .may_gc = socket_may_gc,
3328
3329 .sigchld_event = socket_sigchld_event,
3330
3331 .trigger_notify = socket_trigger_notify,
3332
3333 .reset_failed = socket_reset_failed,
3334
3335 .control_pid = socket_control_pid,
3336
3337 .bus_vtable = bus_socket_vtable,
3338 .bus_set_property = bus_socket_set_property,
3339 .bus_commit_properties = bus_socket_commit_properties,
3340
3341 .status_message_formats = {
3342 /*.starting_stopping = {
3343 [0] = "Starting socket %s...",
3344 [1] = "Stopping socket %s...",
3345 },*/
3346 .finished_start_job = {
3347 [JOB_DONE] = "Listening on %s.",
3348 [JOB_FAILED] = "Failed to listen on %s.",
3349 [JOB_TIMEOUT] = "Timed out starting %s.",
3350 },
3351 .finished_stop_job = {
3352 [JOB_DONE] = "Closed %s.",
3353 [JOB_FAILED] = "Failed stopping %s.",
3354 [JOB_TIMEOUT] = "Timed out stopping %s.",
3355 },
3356 },
3357 };
Unnamed repository; edit this file 'description' to name the repository.