1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <arpa/inet.h>
25 #include <netinet/tcp.h>
27 #include <sys/epoll.h>
30 #include <linux/sctp.h>
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
37 #include "dbus-socket.h"
39 #include "exit-status.h"
41 #include "format-util.h"
43 #include "in-addr-util.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
56 #include "socket-protocol-list.h"
58 #include "string-table.h"
59 #include "string-util.h"
61 #include "unit-name.h"
63 #include "user-util.h"
69 union sockaddr_union peer
;
73 static const UnitActiveState state_translation_table
[_SOCKET_STATE_MAX
] = {
74 [SOCKET_DEAD
] = UNIT_INACTIVE
,
75 [SOCKET_START_PRE
] = UNIT_ACTIVATING
,
76 [SOCKET_START_CHOWN
] = UNIT_ACTIVATING
,
77 [SOCKET_START_POST
] = UNIT_ACTIVATING
,
78 [SOCKET_LISTENING
] = UNIT_ACTIVE
,
79 [SOCKET_RUNNING
] = UNIT_ACTIVE
,
80 [SOCKET_STOP_PRE
] = UNIT_DEACTIVATING
,
81 [SOCKET_STOP_PRE_SIGTERM
] = UNIT_DEACTIVATING
,
82 [SOCKET_STOP_PRE_SIGKILL
] = UNIT_DEACTIVATING
,
83 [SOCKET_STOP_POST
] = UNIT_DEACTIVATING
,
84 [SOCKET_FINAL_SIGTERM
] = UNIT_DEACTIVATING
,
85 [SOCKET_FINAL_SIGKILL
] = UNIT_DEACTIVATING
,
86 [SOCKET_FAILED
] = UNIT_FAILED
89 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
);
90 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
);
92 static void socket_init(Unit
*u
) {
93 Socket
*s
= SOCKET(u
);
96 assert(u
->load_state
== UNIT_STUB
);
98 s
->backlog
= SOMAXCONN
;
99 s
->timeout_usec
= u
->manager
->default_timeout_start_usec
;
100 s
->directory_mode
= 0755;
101 s
->socket_mode
= 0666;
103 s
->max_connections
= 64;
110 s
->exec_context
.std_output
= u
->manager
->default_std_output
;
111 s
->exec_context
.std_error
= u
->manager
->default_std_error
;
113 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
115 s
->trigger_limit
.interval
= USEC_INFINITY
;
116 s
->trigger_limit
.burst
= (unsigned) -1;
119 static void socket_unwatch_control_pid(Socket
*s
) {
122 if (s
->control_pid
<= 0)
125 unit_unwatch_pid(UNIT(s
), s
->control_pid
);
129 static void socket_cleanup_fd_list(SocketPort
*p
) {
132 close_many(p
->auxiliary_fds
, p
->n_auxiliary_fds
);
133 p
->auxiliary_fds
= mfree(p
->auxiliary_fds
);
134 p
->n_auxiliary_fds
= 0;
137 void socket_free_ports(Socket
*s
) {
142 while ((p
= s
->ports
)) {
143 LIST_REMOVE(port
, s
->ports
, p
);
145 sd_event_source_unref(p
->event_source
);
147 socket_cleanup_fd_list(p
);
154 static void socket_done(Unit
*u
) {
155 Socket
*s
= SOCKET(u
);
160 socket_free_ports(s
);
162 while ((p
= set_steal_first(s
->peers_by_address
)))
165 s
->peers_by_address
= set_free(s
->peers_by_address
);
167 s
->exec_runtime
= exec_runtime_unref(s
->exec_runtime
, false);
168 exec_command_free_array(s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
);
169 s
->control_command
= NULL
;
171 dynamic_creds_unref(&s
->dynamic_creds
);
173 socket_unwatch_control_pid(s
);
175 unit_ref_unset(&s
->service
);
177 s
->tcp_congestion
= mfree(s
->tcp_congestion
);
178 s
->bind_to_device
= mfree(s
->bind_to_device
);
180 s
->smack
= mfree(s
->smack
);
181 s
->smack_ip_in
= mfree(s
->smack_ip_in
);
182 s
->smack_ip_out
= mfree(s
->smack_ip_out
);
184 strv_free(s
->symlinks
);
186 s
->user
= mfree(s
->user
);
187 s
->group
= mfree(s
->group
);
189 s
->fdname
= mfree(s
->fdname
);
191 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
194 static int socket_arm_timer(Socket
*s
, usec_t usec
) {
199 if (s
->timer_event_source
) {
200 r
= sd_event_source_set_time(s
->timer_event_source
, usec
);
204 return sd_event_source_set_enabled(s
->timer_event_source
, SD_EVENT_ONESHOT
);
207 if (usec
== USEC_INFINITY
)
210 r
= sd_event_add_time(
211 UNIT(s
)->manager
->event
,
212 &s
->timer_event_source
,
215 socket_dispatch_timer
, s
);
219 (void) sd_event_source_set_description(s
->timer_event_source
, "socket-timer");
224 int socket_instantiate_service(Socket
*s
) {
225 _cleanup_free_
char *prefix
= NULL
, *name
= NULL
;
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
236 if (UNIT_DEREF(s
->service
))
242 r
= unit_name_to_prefix(UNIT(s
)->id
, &prefix
);
246 if (asprintf(&name
, "%s@%u.service", prefix
, s
->n_accepted
) < 0)
249 r
= manager_load_unit(UNIT(s
)->manager
, name
, NULL
, NULL
, &u
);
253 unit_ref_set(&s
->service
, UNIT(s
), u
);
255 return unit_add_two_dependencies(UNIT(s
), UNIT_BEFORE
, UNIT_TRIGGERS
, u
, false, UNIT_DEPENDENCY_IMPLICIT
);
258 static bool have_non_accept_socket(Socket
*s
) {
266 LIST_FOREACH(port
, p
, s
->ports
) {
268 if (p
->type
!= SOCKET_SOCKET
)
271 if (!socket_address_can_accept(&p
->address
))
278 static int socket_add_mount_dependencies(Socket
*s
) {
284 LIST_FOREACH(port
, p
, s
->ports
) {
285 const char *path
= NULL
;
287 if (p
->type
== SOCKET_SOCKET
)
288 path
= socket_address_get_path(&p
->address
);
289 else if (IN_SET(p
->type
, SOCKET_FIFO
, SOCKET_SPECIAL
, SOCKET_USB_FUNCTION
))
295 r
= unit_require_mounts_for(UNIT(s
), path
, UNIT_DEPENDENCY_FILE
);
303 static int socket_add_device_dependencies(Socket
*s
) {
308 if (!s
->bind_to_device
|| streq(s
->bind_to_device
, "lo"))
311 t
= strjoina("/sys/subsystem/net/devices/", s
->bind_to_device
);
312 return unit_add_node_dependency(UNIT(s
), t
, false, UNIT_BINDS_TO
, UNIT_DEPENDENCY_FILE
);
315 static int socket_add_default_dependencies(Socket
*s
) {
319 if (!UNIT(s
)->default_dependencies
)
322 r
= unit_add_dependency_by_name(UNIT(s
), UNIT_BEFORE
, SPECIAL_SOCKETS_TARGET
, NULL
, true, UNIT_DEPENDENCY_DEFAULT
);
326 if (MANAGER_IS_SYSTEM(UNIT(s
)->manager
)) {
327 r
= unit_add_two_dependencies_by_name(UNIT(s
), UNIT_AFTER
, UNIT_REQUIRES
, SPECIAL_SYSINIT_TARGET
, NULL
, true, UNIT_DEPENDENCY_DEFAULT
);
332 return unit_add_two_dependencies_by_name(UNIT(s
), UNIT_BEFORE
, UNIT_CONFLICTS
, SPECIAL_SHUTDOWN_TARGET
, NULL
, true, UNIT_DEPENDENCY_DEFAULT
);
335 _pure_
static bool socket_has_exec(Socket
*s
) {
339 for (i
= 0; i
< _SOCKET_EXEC_COMMAND_MAX
; i
++)
340 if (s
->exec_command
[i
])
346 static int socket_add_extras(Socket
*s
) {
352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
361 if (s
->trigger_limit
.interval
== USEC_INFINITY
)
362 s
->trigger_limit
.interval
= 2 * USEC_PER_SEC
;
364 if (s
->trigger_limit
.burst
== (unsigned) -1) {
366 s
->trigger_limit
.burst
= 200;
368 s
->trigger_limit
.burst
= 20;
371 if (have_non_accept_socket(s
)) {
373 if (!UNIT_DEREF(s
->service
)) {
376 r
= unit_load_related_unit(u
, ".service", &x
);
380 unit_ref_set(&s
->service
, u
, x
);
383 r
= unit_add_two_dependencies(u
, UNIT_BEFORE
, UNIT_TRIGGERS
, UNIT_DEREF(s
->service
), true, UNIT_DEPENDENCY_IMPLICIT
);
388 r
= socket_add_mount_dependencies(s
);
392 r
= socket_add_device_dependencies(s
);
396 r
= unit_patch_contexts(u
);
400 if (socket_has_exec(s
)) {
401 r
= unit_add_exec_dependencies(u
, &s
->exec_context
);
406 r
= unit_set_default_slice(u
);
410 r
= socket_add_default_dependencies(s
);
417 static const char *socket_find_symlink_target(Socket
*s
) {
418 const char *found
= NULL
;
421 LIST_FOREACH(port
, p
, s
->ports
) {
422 const char *f
= NULL
;
431 f
= socket_address_get_path(&p
->address
);
449 static int socket_verify(Socket
*s
) {
452 if (UNIT(s
)->load_state
!= UNIT_LOADED
)
456 log_unit_error(UNIT(s
), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
460 if (s
->accept
&& have_non_accept_socket(s
)) {
461 log_unit_error(UNIT(s
), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
465 if (s
->accept
&& s
->max_connections
<= 0) {
466 log_unit_error(UNIT(s
), "MaxConnection= setting too small. Refusing.");
470 if (s
->accept
&& UNIT_DEREF(s
->service
)) {
471 log_unit_error(UNIT(s
), "Explicit service configuration for accepting socket units not supported. Refusing.");
475 if (s
->exec_context
.pam_name
&& s
->kill_context
.kill_mode
!= KILL_CONTROL_GROUP
) {
476 log_unit_error(UNIT(s
), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
480 if (!strv_isempty(s
->symlinks
) && !socket_find_symlink_target(s
)) {
481 log_unit_error(UNIT(s
), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
488 static void peer_address_hash_func(const void *p
, struct siphash
*state
) {
489 const SocketPeer
*s
= p
;
493 if (s
->peer
.sa
.sa_family
== AF_INET
)
494 siphash24_compress(&s
->peer
.in
.sin_addr
, sizeof(s
->peer
.in
.sin_addr
), state
);
495 else if (s
->peer
.sa
.sa_family
== AF_INET6
)
496 siphash24_compress(&s
->peer
.in6
.sin6_addr
, sizeof(s
->peer
.in6
.sin6_addr
), state
);
497 else if (s
->peer
.sa
.sa_family
== AF_VSOCK
)
498 siphash24_compress(&s
->peer
.vm
.svm_cid
, sizeof(s
->peer
.vm
.svm_cid
), state
);
500 assert_not_reached("Unknown address family.");
503 static int peer_address_compare_func(const void *a
, const void *b
) {
504 const SocketPeer
*x
= a
, *y
= b
;
506 if (x
->peer
.sa
.sa_family
< y
->peer
.sa
.sa_family
)
508 if (x
->peer
.sa
.sa_family
> y
->peer
.sa
.sa_family
)
511 switch(x
->peer
.sa
.sa_family
) {
513 return memcmp(&x
->peer
.in
.sin_addr
, &y
->peer
.in
.sin_addr
, sizeof(x
->peer
.in
.sin_addr
));
515 return memcmp(&x
->peer
.in6
.sin6_addr
, &y
->peer
.in6
.sin6_addr
, sizeof(x
->peer
.in6
.sin6_addr
));
517 if (x
->peer
.vm
.svm_cid
< y
->peer
.vm
.svm_cid
)
519 if (x
->peer
.vm
.svm_cid
> y
->peer
.vm
.svm_cid
)
523 assert_not_reached("Black sheep in the family!");
526 const struct hash_ops peer_address_hash_ops
= {
527 .hash
= peer_address_hash_func
,
528 .compare
= peer_address_compare_func
531 static int socket_load(Unit
*u
) {
532 Socket
*s
= SOCKET(u
);
536 assert(u
->load_state
== UNIT_STUB
);
538 r
= set_ensure_allocated(&s
->peers_by_address
, &peer_address_hash_ops
);
542 r
= unit_load_fragment_and_dropin(u
);
546 if (u
->load_state
== UNIT_LOADED
) {
547 /* This is a new unit? Then let's add in some extras */
548 r
= socket_add_extras(s
);
553 return socket_verify(s
);
556 static SocketPeer
*socket_peer_new(void) {
559 p
= new0(SocketPeer
, 1);
568 SocketPeer
*socket_peer_ref(SocketPeer
*p
) {
572 assert(p
->n_ref
> 0);
578 SocketPeer
*socket_peer_unref(SocketPeer
*p
) {
582 assert(p
->n_ref
> 0);
590 set_remove(p
->socket
->peers_by_address
, p
);
595 int socket_acquire_peer(Socket
*s
, int fd
, SocketPeer
**p
) {
596 _cleanup_(socket_peer_unrefp
) SocketPeer
*remote
= NULL
;
597 SocketPeer sa
= {}, *i
;
598 socklen_t salen
= sizeof(sa
.peer
);
604 r
= getpeername(fd
, &sa
.peer
.sa
, &salen
);
606 return log_error_errno(errno
, "getpeername failed: %m");
608 if (!IN_SET(sa
.peer
.sa
.sa_family
, AF_INET
, AF_INET6
, AF_VSOCK
)) {
613 i
= set_get(s
->peers_by_address
, &sa
);
615 *p
= socket_peer_ref(i
);
619 remote
= socket_peer_new();
623 remote
->peer
= sa
.peer
;
624 remote
->peer_salen
= salen
;
626 r
= set_put(s
->peers_by_address
, remote
);
638 _const_
static const char* listen_lookup(int family
, int type
) {
640 if (family
== AF_NETLINK
)
641 return "ListenNetlink";
643 if (type
== SOCK_STREAM
)
644 return "ListenStream";
645 else if (type
== SOCK_DGRAM
)
646 return "ListenDatagram";
647 else if (type
== SOCK_SEQPACKET
)
648 return "ListenSequentialPacket";
650 assert_not_reached("Unknown socket type");
654 static void socket_dump(Unit
*u
, FILE *f
, const char *prefix
) {
655 char time_string
[FORMAT_TIMESPAN_MAX
];
657 Socket
*s
= SOCKET(u
);
659 const char *prefix2
, *str
;
664 prefix
= strempty(prefix
);
665 prefix2
= strjoina(prefix
, "\t");
668 "%sSocket State: %s\n"
670 "%sBindIPv6Only: %s\n"
672 "%sSocketMode: %04o\n"
673 "%sDirectoryMode: %04o\n"
677 "%sTransparent: %s\n"
679 "%sPassCredentials: %s\n"
680 "%sPassSecurity: %s\n"
681 "%sTCPCongestion: %s\n"
682 "%sRemoveOnStop: %s\n"
684 "%sFileDescriptorName: %s\n"
685 "%sSELinuxContextFromNet: %s\n",
686 prefix
, socket_state_to_string(s
->state
),
687 prefix
, socket_result_to_string(s
->result
),
688 prefix
, socket_address_bind_ipv6_only_to_string(s
->bind_ipv6_only
),
690 prefix
, s
->socket_mode
,
691 prefix
, s
->directory_mode
,
692 prefix
, yes_no(s
->keep_alive
),
693 prefix
, yes_no(s
->no_delay
),
694 prefix
, yes_no(s
->free_bind
),
695 prefix
, yes_no(s
->transparent
),
696 prefix
, yes_no(s
->broadcast
),
697 prefix
, yes_no(s
->pass_cred
),
698 prefix
, yes_no(s
->pass_sec
),
699 prefix
, strna(s
->tcp_congestion
),
700 prefix
, yes_no(s
->remove_on_stop
),
701 prefix
, yes_no(s
->writable
),
702 prefix
, socket_fdname(s
),
703 prefix
, yes_no(s
->selinux_context_from_net
));
705 if (s
->control_pid
> 0)
707 "%sControl PID: "PID_FMT
"\n",
708 prefix
, s
->control_pid
);
710 if (s
->bind_to_device
)
712 "%sBindToDevice: %s\n",
713 prefix
, s
->bind_to_device
);
718 "%sNConnections: %u\n"
719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
721 prefix
, s
->n_accepted
,
722 prefix
, s
->n_connections
,
723 prefix
, s
->max_connections
,
724 prefix
, s
->max_connections_per_source
);
726 if (s
->priority
>= 0)
729 prefix
, s
->priority
);
731 if (s
->receive_buffer
> 0)
733 "%sReceiveBuffer: %zu\n",
734 prefix
, s
->receive_buffer
);
736 if (s
->send_buffer
> 0)
738 "%sSendBuffer: %zu\n",
739 prefix
, s
->send_buffer
);
751 if (s
->pipe_size
> 0)
754 prefix
, s
->pipe_size
);
761 if (s
->mq_maxmsg
> 0)
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix
, s
->mq_maxmsg
);
766 if (s
->mq_msgsize
> 0)
768 "%sMessageQueueMessageSize: %li\n",
769 prefix
, s
->mq_msgsize
);
774 prefix
, yes_no(s
->reuse_port
));
778 "%sSmackLabel: %s\n",
783 "%sSmackLabelIPIn: %s\n",
784 prefix
, s
->smack_ip_in
);
788 "%sSmackLabelIPOut: %s\n",
789 prefix
, s
->smack_ip_out
);
791 if (!isempty(s
->user
) || !isempty(s
->group
))
794 "%sSocketGroup: %s\n",
795 prefix
, strna(s
->user
),
796 prefix
, strna(s
->group
));
798 if (s
->keep_alive_time
> 0)
800 "%sKeepAliveTimeSec: %s\n",
801 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->keep_alive_time
, USEC_PER_SEC
));
803 if (s
->keep_alive_interval
)
805 "%sKeepAliveIntervalSec: %s\n",
806 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->keep_alive_interval
, USEC_PER_SEC
));
808 if (s
->keep_alive_cnt
)
810 "%sKeepAliveProbes: %u\n",
811 prefix
, s
->keep_alive_cnt
);
815 "%sDeferAcceptSec: %s\n",
816 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->defer_accept
, USEC_PER_SEC
));
818 LIST_FOREACH(port
, p
, s
->ports
) {
820 if (p
->type
== SOCKET_SOCKET
) {
825 r
= socket_address_print(&p
->address
, &k
);
831 fprintf(f
, "%s%s: %s\n", prefix
, listen_lookup(socket_address_family(&p
->address
), p
->address
.type
), t
);
833 } else if (p
->type
== SOCKET_SPECIAL
)
834 fprintf(f
, "%sListenSpecial: %s\n", prefix
, p
->path
);
835 else if (p
->type
== SOCKET_USB_FUNCTION
)
836 fprintf(f
, "%sListenUSBFunction: %s\n", prefix
, p
->path
);
837 else if (p
->type
== SOCKET_MQUEUE
)
838 fprintf(f
, "%sListenMessageQueue: %s\n", prefix
, p
->path
);
840 fprintf(f
, "%sListenFIFO: %s\n", prefix
, p
->path
);
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->trigger_limit
.interval
, USEC_PER_SEC
),
847 prefix
, s
->trigger_limit
.burst
);
849 str
= socket_protocol_to_name(s
->socket_protocol
);
851 fprintf(f
, "%sSocketProtocol: %s\n", prefix
, str
);
853 if (!strv_isempty(s
->symlinks
)) {
856 fprintf(f
, "%sSymlinks:", prefix
);
857 STRV_FOREACH(q
, s
->symlinks
)
858 fprintf(f
, " %s", *q
);
864 "%sTimeoutSec: %s\n",
865 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->timeout_usec
, USEC_PER_SEC
));
867 exec_context_dump(&s
->exec_context
, f
, prefix
);
868 kill_context_dump(&s
->kill_context
, f
, prefix
);
870 for (c
= 0; c
< _SOCKET_EXEC_COMMAND_MAX
; c
++) {
871 if (!s
->exec_command
[c
])
874 fprintf(f
, "%s-> %s:\n",
875 prefix
, socket_exec_command_to_string(c
));
877 exec_command_dump_list(s
->exec_command
[c
], f
, prefix2
);
880 cgroup_context_dump(&s
->cgroup_context
, f
, prefix
);
883 static int instance_from_socket(int fd
, unsigned nr
, char **instance
) {
886 union sockaddr_union local
, remote
;
892 if (getsockname(fd
, &local
.sa
, &l
) < 0)
896 if (getpeername(fd
, &remote
.sa
, &l
) < 0)
899 switch (local
.sa
.sa_family
) {
903 a
= be32toh(local
.in
.sin_addr
.s_addr
),
904 b
= be32toh(remote
.in
.sin_addr
.s_addr
);
907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
909 a
>> 24, (a
>> 16) & 0xFF, (a
>> 8) & 0xFF, a
& 0xFF,
910 be16toh(local
.in
.sin_port
),
911 b
>> 24, (b
>> 16) & 0xFF, (b
>> 8) & 0xFF, b
& 0xFF,
912 be16toh(remote
.in
.sin_port
)) < 0)
919 static const unsigned char ipv4_prefix
[] = {
920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
923 if (memcmp(&local
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0 &&
924 memcmp(&remote
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0) {
926 *a
= local
.in6
.sin6_addr
.s6_addr
+12,
927 *b
= remote
.in6
.sin6_addr
.s6_addr
+12;
930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
932 a
[0], a
[1], a
[2], a
[3],
933 be16toh(local
.in6
.sin6_port
),
934 b
[0], b
[1], b
[2], b
[3],
935 be16toh(remote
.in6
.sin6_port
)) < 0)
938 char a
[INET6_ADDRSTRLEN
], b
[INET6_ADDRSTRLEN
];
943 inet_ntop(AF_INET6
, &local
.in6
.sin6_addr
, a
, sizeof(a
)),
944 be16toh(local
.in6
.sin6_port
),
945 inet_ntop(AF_INET6
, &remote
.in6
.sin6_addr
, b
, sizeof(b
)),
946 be16toh(remote
.in6
.sin6_port
)) < 0)
957 k
= getpeercred(fd
, &ucred
);
960 "%u-"PID_FMT
"-"UID_FMT
,
961 nr
, ucred
.pid
, ucred
.uid
) < 0)
963 } else if (k
== -ENODATA
) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
981 local
.vm
.svm_cid
, local
.vm
.svm_port
,
982 remote
.vm
.svm_cid
, remote
.vm
.svm_port
) < 0)
988 assert_not_reached("Unhandled socket type.");
995 static void socket_close_fds(Socket
*s
) {
1001 LIST_FOREACH(port
, p
, s
->ports
) {
1004 was_open
= p
->fd
>= 0;
1006 p
->event_source
= sd_event_source_unref(p
->event_source
);
1007 p
->fd
= safe_close(p
->fd
);
1008 socket_cleanup_fd_list(p
);
1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
1016 if (!was_open
|| !s
->remove_on_stop
)
1022 (void) unlink(p
->path
);
1026 (void) mq_unlink(p
->path
);
1030 (void) socket_address_unlink(&p
->address
);
1038 if (s
->remove_on_stop
)
1039 STRV_FOREACH(i
, s
->symlinks
)
1043 static void socket_apply_socket_options(Socket
*s
, int fd
) {
1049 if (s
->keep_alive
) {
1050 int b
= s
->keep_alive
;
1051 if (setsockopt(fd
, SOL_SOCKET
, SO_KEEPALIVE
, &b
, sizeof(b
)) < 0)
1052 log_unit_warning_errno(UNIT(s
), errno
, "SO_KEEPALIVE failed: %m");
1055 if (s
->keep_alive_time
) {
1056 int value
= s
->keep_alive_time
/ USEC_PER_SEC
;
1057 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPIDLE
, &value
, sizeof(value
)) < 0)
1058 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPIDLE failed: %m");
1061 if (s
->keep_alive_interval
) {
1062 int value
= s
->keep_alive_interval
/ USEC_PER_SEC
;
1063 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPINTVL
, &value
, sizeof(value
)) < 0)
1064 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPINTVL failed: %m");
1067 if (s
->keep_alive_cnt
) {
1068 int value
= s
->keep_alive_cnt
;
1069 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPCNT
, &value
, sizeof(value
)) < 0)
1070 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPCNT failed: %m");
1073 if (s
->defer_accept
) {
1074 int value
= s
->defer_accept
/ USEC_PER_SEC
;
1075 if (setsockopt(fd
, SOL_TCP
, TCP_DEFER_ACCEPT
, &value
, sizeof(value
)) < 0)
1076 log_unit_warning_errno(UNIT(s
), errno
, "TCP_DEFER_ACCEPT failed: %m");
1080 int b
= s
->no_delay
;
1082 if (s
->socket_protocol
== IPPROTO_SCTP
) {
1083 if (setsockopt(fd
, SOL_SCTP
, SCTP_NODELAY
, &b
, sizeof(b
)) < 0)
1084 log_unit_warning_errno(UNIT(s
), errno
, "SCTP_NODELAY failed: %m");
1086 if (setsockopt(fd
, SOL_TCP
, TCP_NODELAY
, &b
, sizeof(b
)) < 0)
1087 log_unit_warning_errno(UNIT(s
), errno
, "TCP_NODELAY failed: %m");
1093 if (setsockopt(fd
, SOL_SOCKET
, SO_BROADCAST
, &one
, sizeof(one
)) < 0)
1094 log_unit_warning_errno(UNIT(s
), errno
, "SO_BROADCAST failed: %m");
1099 if (setsockopt(fd
, SOL_SOCKET
, SO_PASSCRED
, &one
, sizeof(one
)) < 0)
1100 log_unit_warning_errno(UNIT(s
), errno
, "SO_PASSCRED failed: %m");
1105 if (setsockopt(fd
, SOL_SOCKET
, SO_PASSSEC
, &one
, sizeof(one
)) < 0)
1106 log_unit_warning_errno(UNIT(s
), errno
, "SO_PASSSEC failed: %m");
1109 if (s
->priority
>= 0)
1110 if (setsockopt(fd
, SOL_SOCKET
, SO_PRIORITY
, &s
->priority
, sizeof(s
->priority
)) < 0)
1111 log_unit_warning_errno(UNIT(s
), errno
, "SO_PRIORITY failed: %m");
1113 if (s
->receive_buffer
> 0) {
1114 int value
= (int) s
->receive_buffer
;
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1118 if (setsockopt(fd
, SOL_SOCKET
, SO_RCVBUFFORCE
, &value
, sizeof(value
)) < 0)
1119 if (setsockopt(fd
, SOL_SOCKET
, SO_RCVBUF
, &value
, sizeof(value
)) < 0)
1120 log_unit_warning_errno(UNIT(s
), errno
, "SO_RCVBUF failed: %m");
1123 if (s
->send_buffer
> 0) {
1124 int value
= (int) s
->send_buffer
;
1125 if (setsockopt(fd
, SOL_SOCKET
, SO_SNDBUFFORCE
, &value
, sizeof(value
)) < 0)
1126 if (setsockopt(fd
, SOL_SOCKET
, SO_SNDBUF
, &value
, sizeof(value
)) < 0)
1127 log_unit_warning_errno(UNIT(s
), errno
, "SO_SNDBUF failed: %m");
1131 if (setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &s
->mark
, sizeof(s
->mark
)) < 0)
1132 log_unit_warning_errno(UNIT(s
), errno
, "SO_MARK failed: %m");
1135 if (setsockopt(fd
, IPPROTO_IP
, IP_TOS
, &s
->ip_tos
, sizeof(s
->ip_tos
)) < 0)
1136 log_unit_warning_errno(UNIT(s
), errno
, "IP_TOS failed: %m");
1138 if (s
->ip_ttl
>= 0) {
1141 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &s
->ip_ttl
, sizeof(s
->ip_ttl
));
1143 if (socket_ipv6_is_supported())
1144 x
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &s
->ip_ttl
, sizeof(s
->ip_ttl
));
1147 errno
= EAFNOSUPPORT
;
1151 log_unit_warning_errno(UNIT(s
), errno
, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1154 if (s
->tcp_congestion
)
1155 if (setsockopt(fd
, SOL_TCP
, TCP_CONGESTION
, s
->tcp_congestion
, strlen(s
->tcp_congestion
)+1) < 0)
1156 log_unit_warning_errno(UNIT(s
), errno
, "TCP_CONGESTION failed: %m");
1158 if (s
->smack_ip_in
) {
1159 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPIN
, s
->smack_ip_in
);
1161 log_unit_error_errno(UNIT(s
), r
, "mac_smack_apply_ip_in_fd: %m");
1164 if (s
->smack_ip_out
) {
1165 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPOUT
, s
->smack_ip_out
);
1167 log_unit_error_errno(UNIT(s
), r
, "mac_smack_apply_ip_out_fd: %m");
1171 static void socket_apply_fifo_options(Socket
*s
, int fd
) {
1177 if (s
->pipe_size
> 0)
1178 if (fcntl(fd
, F_SETPIPE_SZ
, s
->pipe_size
) < 0)
1179 log_unit_warning_errno(UNIT(s
), errno
, "Setting pipe size failed, ignoring: %m");
1182 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_ACCESS
, s
->smack
);
1184 log_unit_error_errno(UNIT(s
), r
, "SMACK relabelling failed, ignoring: %m");
1188 static int fifo_address_create(
1190 mode_t directory_mode
,
1191 mode_t socket_mode
) {
1193 _cleanup_close_
int fd
= -1;
1200 (void) mkdir_parents_label(path
, directory_mode
);
1202 r
= mac_selinux_create_file_prepare(path
, S_IFIFO
);
1206 /* Enforce the right access mode for the fifo */
1207 old_mask
= umask(~ socket_mode
);
1209 /* Include the original umask in our mask */
1210 (void) umask(~socket_mode
| old_mask
);
1212 r
= mkfifo(path
, socket_mode
);
1213 (void) umask(old_mask
);
1215 if (r
< 0 && errno
!= EEXIST
) {
1220 fd
= open(path
, O_RDWR
| O_CLOEXEC
| O_NOCTTY
| O_NONBLOCK
| O_NOFOLLOW
);
1226 mac_selinux_create_file_clear();
1228 if (fstat(fd
, &st
) < 0) {
1233 if (!S_ISFIFO(st
.st_mode
) ||
1234 (st
.st_mode
& 0777) != (socket_mode
& ~old_mask
) ||
1235 st
.st_uid
!= getuid() ||
1236 st
.st_gid
!= getgid()) {
1247 mac_selinux_create_file_clear();
1251 static int special_address_create(const char *path
, bool writable
) {
1252 _cleanup_close_
int fd
= -1;
1258 fd
= open(path
, (writable
? O_RDWR
: O_RDONLY
)|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1262 if (fstat(fd
, &st
) < 0)
1265 /* Check whether this is a /proc, /sys or /dev file or char device */
1266 if (!S_ISREG(st
.st_mode
) && !S_ISCHR(st
.st_mode
))
1275 static int usbffs_address_create(const char *path
) {
1276 _cleanup_close_
int fd
= -1;
1282 fd
= open(path
, O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1286 if (fstat(fd
, &st
) < 0)
1289 /* Check whether this is a regular file (ffs endpoint) */
1290 if (!S_ISREG(st
.st_mode
))
1299 static int mq_address_create(
1305 _cleanup_close_
int fd
= -1;
1308 struct mq_attr _attr
, *attr
= NULL
;
1313 if (maxmsg
> 0 && msgsize
> 0) {
1314 _attr
= (struct mq_attr
) {
1315 .mq_flags
= O_NONBLOCK
,
1316 .mq_maxmsg
= maxmsg
,
1317 .mq_msgsize
= msgsize
,
1322 /* Enforce the right access mode for the mq */
1323 old_mask
= umask(~ mq_mode
);
1325 /* Include the original umask in our mask */
1326 (void) umask(~mq_mode
| old_mask
);
1327 fd
= mq_open(path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_CREAT
, mq_mode
, attr
);
1328 (void) umask(old_mask
);
1333 if (fstat(fd
, &st
) < 0)
1336 if ((st
.st_mode
& 0777) != (mq_mode
& ~old_mask
) ||
1337 st
.st_uid
!= getuid() ||
1338 st
.st_gid
!= getgid())
1347 static int socket_symlink(Socket
*s
) {
1354 p
= socket_find_symlink_target(s
);
1358 STRV_FOREACH(i
, s
->symlinks
) {
1359 (void) mkdir_parents_label(*i
, s
->directory_mode
);
1361 r
= symlink_idempotent(p
, *i
);
1363 if (r
== -EEXIST
&& s
->remove_on_stop
) {
1364 /* If there's already something where we want to create the symlink, and the destructive
1365 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1368 if (unlink(*i
) >= 0)
1369 r
= symlink_idempotent(p
, *i
);
1373 log_unit_warning_errno(UNIT(s
), r
, "Failed to create symlink %s → %s, ignoring: %m", p
, *i
);
1379 static int usbffs_write_descs(int fd
, Service
*s
) {
1382 if (!s
->usb_function_descriptors
|| !s
->usb_function_strings
)
1385 r
= copy_file_fd(s
->usb_function_descriptors
, fd
, 0);
1389 return copy_file_fd(s
->usb_function_strings
, fd
, 0);
1392 static int usbffs_select_ep(const struct dirent
*d
) {
1393 return d
->d_name
[0] != '.' && !streq(d
->d_name
, "ep0");
1396 static int usbffs_dispatch_eps(SocketPort
*p
) {
1397 _cleanup_free_
struct dirent
**ent
= NULL
;
1400 r
= scandir(p
->path
, &ent
, usbffs_select_ep
, alphasort
);
1405 p
->auxiliary_fds
= new(int, n
);
1406 if (!p
->auxiliary_fds
)
1409 p
->n_auxiliary_fds
= n
;
1412 for (i
= 0; i
< n
; ++i
) {
1413 _cleanup_free_
char *ep
= NULL
;
1415 ep
= path_make_absolute(ent
[i
]->d_name
, p
->path
);
1419 path_kill_slashes(ep
);
1421 r
= usbffs_address_create(ep
);
1425 p
->auxiliary_fds
[k
] = r
;
1434 close_many(p
->auxiliary_fds
, k
);
1435 p
->auxiliary_fds
= mfree(p
->auxiliary_fds
);
1436 p
->n_auxiliary_fds
= 0;
1441 static int socket_determine_selinux_label(Socket
*s
, char **ret
) {
1448 if (s
->selinux_context_from_net
) {
1449 /* If this is requested, get label from the network label */
1451 r
= mac_selinux_get_our_label(ret
);
1452 if (r
== -EOPNOTSUPP
)
1456 /* Otherwise, get it from the executable we are about to start */
1457 r
= socket_instantiate_service(s
);
1461 if (!UNIT_ISSET(s
->service
))
1464 c
= SERVICE(UNIT_DEREF(s
->service
))->exec_command
[SERVICE_EXEC_START
];
1468 r
= mac_selinux_get_create_label_from_exe(c
->path
, ret
);
1469 if (IN_SET(r
, -EPERM
, -EOPNOTSUPP
))
1480 static int socket_address_listen_do(
1482 const SocketAddress
*address
,
1483 const char *label
) {
1488 return socket_address_listen(
1490 SOCK_CLOEXEC
|SOCK_NONBLOCK
,
1502 static int socket_address_listen_in_cgroup(
1504 const SocketAddress
*address
,
1505 const char *label
) {
1507 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
1514 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1515 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1516 * unit's cgroup for the purpose of BPF filtering and such. */
1518 if (!IN_SET(address
->sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
))
1519 goto shortcut
; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1521 r
= bpf_firewall_supported();
1524 if (r
== 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1527 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
1528 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
1530 r
= unit_fork_helper_process(UNIT(s
), "(sd-listen)", &pid
);
1532 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off listener stub process: %m");
1536 pair
[0] = safe_close(pair
[0]);
1538 fd
= socket_address_listen_do(s
, address
, label
);
1540 log_unit_error_errno(UNIT(s
), fd
, "Failed to create listening socket: %m");
1541 _exit(EXIT_FAILURE
);
1544 r
= send_one_fd(pair
[1], fd
, 0);
1546 log_unit_error_errno(UNIT(s
), r
, "Failed to send listening socket to parent: %m");
1547 _exit(EXIT_FAILURE
);
1550 _exit(EXIT_SUCCESS
);
1553 pair
[1] = safe_close(pair
[1]);
1554 fd
= receive_one_fd(pair
[0], 0);
1556 /* We synchronously wait for the helper, as it shouldn't be slow */
1557 r
= wait_for_terminate_and_check("(sd-listen)", pid
, WAIT_LOG_ABNORMAL
);
1564 return log_unit_error_errno(UNIT(s
), fd
, "Failed to receive listening socket: %m");
1569 fd
= socket_address_listen_do(s
, address
, label
);
1571 return log_error_errno(fd
, "Failed to create listening socket: %m");
1576 static int socket_open_fds(Socket
*s
) {
1577 _cleanup_(mac_selinux_freep
) char *label
= NULL
;
1578 bool know_label
= false;
1584 LIST_FOREACH(port
, p
, s
->ports
) {
1594 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1595 * we need this and remember it for the rest. */
1597 r
= socket_determine_selinux_label(s
, &label
);
1604 /* Apply the socket protocol */
1605 switch (p
->address
.type
) {
1608 case SOCK_SEQPACKET
:
1609 if (s
->socket_protocol
== IPPROTO_SCTP
)
1610 p
->address
.protocol
= s
->socket_protocol
;
1614 if (s
->socket_protocol
== IPPROTO_UDPLITE
)
1615 p
->address
.protocol
= s
->socket_protocol
;
1619 r
= socket_address_listen_in_cgroup(s
, &p
->address
, label
);
1624 socket_apply_socket_options(s
, p
->fd
);
1628 case SOCKET_SPECIAL
:
1630 p
->fd
= special_address_create(p
->path
, s
->writable
);
1639 p
->fd
= fifo_address_create(
1648 socket_apply_fifo_options(s
, p
->fd
);
1654 p
->fd
= mq_address_create(
1665 case SOCKET_USB_FUNCTION
: {
1666 _cleanup_free_
char *ep
= NULL
;
1668 ep
= path_make_absolute("ep0", p
->path
);
1670 p
->fd
= usbffs_address_create(ep
);
1676 r
= usbffs_write_descs(p
->fd
, SERVICE(UNIT_DEREF(s
->service
)));
1680 r
= usbffs_dispatch_eps(p
);
1687 assert_not_reached("Unknown port type");
1694 socket_close_fds(s
);
1698 static void socket_unwatch_fds(Socket
*s
) {
1704 LIST_FOREACH(port
, p
, s
->ports
) {
1708 if (!p
->event_source
)
1711 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_OFF
);
1713 log_unit_debug_errno(UNIT(s
), r
, "Failed to disable event source: %m");
1717 static int socket_watch_fds(Socket
*s
) {
1723 LIST_FOREACH(port
, p
, s
->ports
) {
1727 if (p
->event_source
) {
1728 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_ON
);
1732 r
= sd_event_add_io(UNIT(s
)->manager
->event
, &p
->event_source
, p
->fd
, EPOLLIN
, socket_dispatch_io
, p
);
1736 (void) sd_event_source_set_description(p
->event_source
, "socket-port-io");
1743 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch listening fds: %m");
1744 socket_unwatch_fds(s
);
1754 static int socket_check_open(Socket
*s
) {
1755 bool have_open
= false, have_closed
= false;
1760 LIST_FOREACH(port
, p
, s
->ports
) {
1766 if (have_open
&& have_closed
)
1767 return SOCKET_OPEN_SOME
;
1771 return SOCKET_OPEN_ALL
;
1773 return SOCKET_OPEN_NONE
;
1776 static void socket_set_state(Socket
*s
, SocketState state
) {
1777 SocketState old_state
;
1780 old_state
= s
->state
;
1788 SOCKET_STOP_PRE_SIGTERM
,
1789 SOCKET_STOP_PRE_SIGKILL
,
1791 SOCKET_FINAL_SIGTERM
,
1792 SOCKET_FINAL_SIGKILL
)) {
1794 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
1795 socket_unwatch_control_pid(s
);
1796 s
->control_command
= NULL
;
1797 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
1800 if (state
!= SOCKET_LISTENING
)
1801 socket_unwatch_fds(s
);
1809 SOCKET_STOP_PRE_SIGTERM
,
1810 SOCKET_STOP_PRE_SIGKILL
))
1811 socket_close_fds(s
);
1813 if (state
!= old_state
)
1814 log_unit_debug(UNIT(s
), "Changed %s -> %s", socket_state_to_string(old_state
), socket_state_to_string(state
));
1816 unit_notify(UNIT(s
), state_translation_table
[old_state
], state_translation_table
[state
], true);
1819 static int socket_coldplug(Unit
*u
) {
1820 Socket
*s
= SOCKET(u
);
1824 assert(s
->state
== SOCKET_DEAD
);
1826 if (s
->deserialized_state
== s
->state
)
1829 if (s
->control_pid
> 0 &&
1830 pid_is_unwaited(s
->control_pid
) &&
1831 IN_SET(s
->deserialized_state
,
1836 SOCKET_STOP_PRE_SIGTERM
,
1837 SOCKET_STOP_PRE_SIGKILL
,
1839 SOCKET_FINAL_SIGTERM
,
1840 SOCKET_FINAL_SIGKILL
)) {
1842 r
= unit_watch_pid(UNIT(s
), s
->control_pid
);
1846 r
= socket_arm_timer(s
, usec_add(u
->state_change_timestamp
.monotonic
, s
->timeout_usec
));
1851 if (IN_SET(s
->deserialized_state
,
1857 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1858 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1859 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1860 * and if there's a mismatch, warn loudly. */
1862 r
= socket_check_open(s
);
1863 if (r
== SOCKET_OPEN_NONE
)
1864 log_unit_warning(UNIT(s
),
1865 "Socket unit configuration has changed while unit has been running, "
1866 "no open socket file descriptor left. "
1867 "The socket unit is not functional until restarted.");
1868 else if (r
== SOCKET_OPEN_SOME
)
1869 log_unit_warning(UNIT(s
),
1870 "Socket unit configuration has changed while unit has been running, "
1871 "and some socket file descriptors have not been opened yet. "
1872 "The socket unit is not fully functional until restarted.");
1875 if (s
->deserialized_state
== SOCKET_LISTENING
) {
1876 r
= socket_watch_fds(s
);
1881 if (!IN_SET(s
->deserialized_state
, SOCKET_DEAD
, SOCKET_FAILED
)) {
1882 (void) unit_setup_dynamic_creds(u
);
1883 (void) unit_setup_exec_runtime(u
);
1886 socket_set_state(s
, s
->deserialized_state
);
1890 static int socket_spawn(Socket
*s
, ExecCommand
*c
, pid_t
*_pid
) {
1892 ExecParameters exec_params
= {
1893 .flags
= EXEC_APPLY_SANDBOXING
|EXEC_APPLY_CHROOT
|EXEC_APPLY_TTY_STDIN
,
1905 r
= unit_prepare_exec(UNIT(s
));
1909 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
1913 manager_set_exec_params(UNIT(s
)->manager
, &exec_params
);
1914 unit_set_exec_params(UNIT(s
), &exec_params
);
1916 exec_params
.argv
= c
->argv
;
1918 r
= exec_spawn(UNIT(s
),
1928 r
= unit_watch_pid(UNIT(s
), pid
);
1930 /* FIXME: we need to do something here */
1938 static int socket_chown(Socket
*s
, pid_t
*_pid
) {
1942 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
1946 /* We have to resolve the user names out-of-process, hence
1947 * let's fork here. It's messy, but well, what can we do? */
1949 r
= unit_fork_helper_process(UNIT(s
), "(sd-chown)", &pid
);
1953 uid_t uid
= UID_INVALID
;
1954 gid_t gid
= GID_INVALID
;
1959 if (!isempty(s
->user
)) {
1960 const char *user
= s
->user
;
1962 r
= get_user_creds(&user
, &uid
, &gid
, NULL
, NULL
);
1964 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve user %s: %m", user
);
1969 if (!isempty(s
->group
)) {
1970 const char *group
= s
->group
;
1972 r
= get_group_creds(&group
, &gid
);
1974 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve group %s: %m", group
);
1979 LIST_FOREACH(port
, p
, s
->ports
) {
1980 const char *path
= NULL
;
1982 if (p
->type
== SOCKET_SOCKET
)
1983 path
= socket_address_get_path(&p
->address
);
1984 else if (p
->type
== SOCKET_FIFO
)
1990 if (chown(path
, uid
, gid
) < 0) {
1991 log_unit_error_errno(UNIT(s
), errno
, "Failed to chown(): %m");
1996 _exit(EXIT_SUCCESS
);
1999 r
= unit_watch_pid(UNIT(s
), pid
);
2007 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
2011 static void socket_enter_dead(Socket
*s
, SocketResult f
) {
2014 if (s
->result
== SOCKET_SUCCESS
)
2017 if (s
->result
!= SOCKET_SUCCESS
)
2018 log_unit_warning(UNIT(s
), "Failed with result '%s'.", socket_result_to_string(s
->result
));
2020 socket_set_state(s
, s
->result
!= SOCKET_SUCCESS
? SOCKET_FAILED
: SOCKET_DEAD
);
2022 s
->exec_runtime
= exec_runtime_unref(s
->exec_runtime
, true);
2024 exec_context_destroy_runtime_directory(&s
->exec_context
, UNIT(s
)->manager
->prefix
[EXEC_DIRECTORY_RUNTIME
]);
2026 unit_unref_uid_gid(UNIT(s
), true);
2028 dynamic_creds_destroy(&s
->dynamic_creds
);
2031 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
);
2033 static void socket_enter_stop_post(Socket
*s
, SocketResult f
) {
2037 if (s
->result
== SOCKET_SUCCESS
)
2040 socket_unwatch_control_pid(s
);
2041 s
->control_command_id
= SOCKET_EXEC_STOP_POST
;
2042 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_POST
];
2044 if (s
->control_command
) {
2045 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2049 socket_set_state(s
, SOCKET_STOP_POST
);
2051 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_SUCCESS
);
2056 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'stop-post' task: %m");
2057 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2060 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
) {
2065 if (s
->result
== SOCKET_SUCCESS
)
2068 r
= unit_kill_context(
2071 !IN_SET(state
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_FINAL_SIGTERM
) ?
2072 KILL_KILL
: KILL_TERMINATE
,
2080 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
2084 socket_set_state(s
, state
);
2085 } else if (state
== SOCKET_STOP_PRE_SIGTERM
)
2086 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_SUCCESS
);
2087 else if (state
== SOCKET_STOP_PRE_SIGKILL
)
2088 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2089 else if (state
== SOCKET_FINAL_SIGTERM
)
2090 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_SUCCESS
);
2092 socket_enter_dead(s
, SOCKET_SUCCESS
);
2097 log_unit_warning_errno(UNIT(s
), r
, "Failed to kill processes: %m");
2099 if (IN_SET(state
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_STOP_PRE_SIGKILL
))
2100 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2102 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2105 static void socket_enter_stop_pre(Socket
*s
, SocketResult f
) {
2109 if (s
->result
== SOCKET_SUCCESS
)
2112 socket_unwatch_control_pid(s
);
2113 s
->control_command_id
= SOCKET_EXEC_STOP_PRE
;
2114 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_PRE
];
2116 if (s
->control_command
) {
2117 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2121 socket_set_state(s
, SOCKET_STOP_PRE
);
2123 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2128 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'stop-pre' task: %m");
2129 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2132 static void socket_enter_listening(Socket
*s
) {
2136 r
= socket_watch_fds(s
);
2138 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch sockets: %m");
2142 socket_set_state(s
, SOCKET_LISTENING
);
2146 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2149 static void socket_enter_start_post(Socket
*s
) {
2153 socket_unwatch_control_pid(s
);
2154 s
->control_command_id
= SOCKET_EXEC_START_POST
;
2155 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_POST
];
2157 if (s
->control_command
) {
2158 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2160 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'start-post' task: %m");
2164 socket_set_state(s
, SOCKET_START_POST
);
2166 socket_enter_listening(s
);
2171 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2174 static void socket_enter_start_chown(Socket
*s
) {
2179 r
= socket_open_fds(s
);
2181 log_unit_warning_errno(UNIT(s
), r
, "Failed to listen on sockets: %m");
2185 if (!isempty(s
->user
) || !isempty(s
->group
)) {
2187 socket_unwatch_control_pid(s
);
2188 s
->control_command_id
= SOCKET_EXEC_START_CHOWN
;
2189 s
->control_command
= NULL
;
2191 r
= socket_chown(s
, &s
->control_pid
);
2193 log_unit_warning_errno(UNIT(s
), r
, "Failed to fork 'start-chown' task: %m");
2197 socket_set_state(s
, SOCKET_START_CHOWN
);
2199 socket_enter_start_post(s
);
2204 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2207 static void socket_enter_start_pre(Socket
*s
) {
2211 socket_unwatch_control_pid(s
);
2213 unit_warn_leftover_processes(UNIT(s
));
2215 s
->control_command_id
= SOCKET_EXEC_START_PRE
;
2216 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_PRE
];
2218 if (s
->control_command
) {
2219 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2221 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'start-pre' task: %m");
2225 socket_set_state(s
, SOCKET_START_PRE
);
2227 socket_enter_start_chown(s
);
2232 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2235 static void flush_ports(Socket
*s
) {
2238 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2241 LIST_FOREACH(port
, p
, s
->ports
) {
2245 (void) flush_accept(p
->fd
);
2246 (void) flush_fd(p
->fd
);
2250 static void socket_enter_running(Socket
*s
, int cfd
) {
2251 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
2254 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2259 /* We don't take connections anymore if we are supposed to shut down anyway */
2260 if (unit_stop_pending(UNIT(s
))) {
2262 log_unit_debug(UNIT(s
), "Suppressing connection request since unit stop is scheduled.");
2265 cfd
= safe_close(cfd
);
2272 if (!ratelimit_test(&s
->trigger_limit
)) {
2274 log_unit_warning(UNIT(s
), "Trigger limit hit, refusing further activation.");
2275 socket_enter_stop_pre(s
, SOCKET_FAILURE_TRIGGER_LIMIT_HIT
);
2280 bool pending
= false;
2285 /* If there's already a start pending don't bother to
2287 HASHMAP_FOREACH_KEY(v
, other
, UNIT(s
)->dependencies
[UNIT_TRIGGERS
], i
)
2288 if (unit_active_or_pending(other
)) {
2294 if (!UNIT_ISSET(s
->service
)) {
2295 log_unit_error(UNIT(s
), "Service to activate vanished, refusing activation.");
2300 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT_DEREF(s
->service
), JOB_REPLACE
, &error
, NULL
);
2305 socket_set_state(s
, SOCKET_RUNNING
);
2307 _cleanup_free_
char *prefix
= NULL
, *instance
= NULL
, *name
= NULL
;
2308 _cleanup_(socket_peer_unrefp
) SocketPeer
*p
= NULL
;
2311 if (s
->n_connections
>= s
->max_connections
) {
2312 log_unit_warning(UNIT(s
), "Too many incoming connections (%u), dropping connection.",
2318 if (s
->max_connections_per_source
> 0) {
2319 r
= socket_acquire_peer(s
, cfd
, &p
);
2323 } else if (r
> 0 && p
->n_ref
> s
->max_connections_per_source
) {
2324 _cleanup_free_
char *t
= NULL
;
2326 (void) sockaddr_pretty(&p
->peer
.sa
, p
->peer_salen
, true, false, &t
);
2328 log_unit_warning(UNIT(s
),
2329 "Too many incoming connections (%u) from source %s, dropping connection.",
2330 p
->n_ref
, strnull(t
));
2336 r
= socket_instantiate_service(s
);
2340 r
= instance_from_socket(cfd
, s
->n_accepted
, &instance
);
2345 /* ENOTCONN is legitimate if TCP RST was received.
2346 * This connection is over, but the socket unit lives on. */
2347 log_unit_debug(UNIT(s
), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2352 r
= unit_name_to_prefix(UNIT(s
)->id
, &prefix
);
2356 r
= unit_name_build(prefix
, instance
, ".service", &name
);
2360 r
= unit_add_name(UNIT_DEREF(s
->service
), name
);
2364 service
= SERVICE(UNIT_DEREF(s
->service
));
2365 unit_ref_unset(&s
->service
);
2368 unit_choose_id(UNIT(service
), name
);
2370 r
= service_set_socket_fd(service
, cfd
, s
, s
->selinux_context_from_net
);
2374 cfd
= -1; /* We passed ownership of the fd to the service now. Forget it here. */
2377 service
->peer
= p
; /* Pass ownership of the peer reference */
2380 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT(service
), JOB_REPLACE
, &error
, NULL
);
2382 /* We failed to activate the new service, but it still exists. Let's make sure the service
2383 * closes and forgets the connection fd again, immediately. */
2384 service_close_socket_fd(service
);
2388 /* Notify clients about changed counters */
2389 unit_add_to_dbus_queue(UNIT(s
));
2395 log_unit_warning(UNIT(s
), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2396 cfd
>= 0 ? "template" : "non-template",
2397 bus_error_message(&error
, r
));
2399 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2403 static void socket_run_next(Socket
*s
) {
2407 assert(s
->control_command
);
2408 assert(s
->control_command
->command_next
);
2410 socket_unwatch_control_pid(s
);
2412 s
->control_command
= s
->control_command
->command_next
;
2414 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2421 log_unit_warning_errno(UNIT(s
), r
, "Failed to run next task: %m");
2423 if (s
->state
== SOCKET_START_POST
)
2424 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2425 else if (s
->state
== SOCKET_STOP_POST
)
2426 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2428 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2431 static int socket_start(Unit
*u
) {
2432 Socket
*s
= SOCKET(u
);
2437 /* We cannot fulfill this request right now, try again later
2439 if (IN_SET(s
->state
,
2441 SOCKET_STOP_PRE_SIGKILL
,
2442 SOCKET_STOP_PRE_SIGTERM
,
2444 SOCKET_FINAL_SIGTERM
,
2445 SOCKET_FINAL_SIGKILL
))
2448 /* Already on it! */
2449 if (IN_SET(s
->state
,
2455 /* Cannot run this without the service being around */
2456 if (UNIT_ISSET(s
->service
)) {
2459 service
= SERVICE(UNIT_DEREF(s
->service
));
2461 if (UNIT(service
)->load_state
!= UNIT_LOADED
) {
2462 log_unit_error(u
, "Socket service %s not loaded, refusing.", UNIT(service
)->id
);
2466 /* If the service is already active we cannot start the
2468 if (!IN_SET(service
->state
, SERVICE_DEAD
, SERVICE_FAILED
, SERVICE_AUTO_RESTART
)) {
2469 log_unit_error(u
, "Socket service %s already active, refusing.", UNIT(service
)->id
);
2474 assert(IN_SET(s
->state
, SOCKET_DEAD
, SOCKET_FAILED
));
2476 r
= unit_start_limit_test(u
);
2478 socket_enter_dead(s
, SOCKET_FAILURE_START_LIMIT_HIT
);
2482 r
= unit_acquire_invocation_id(u
);
2486 s
->result
= SOCKET_SUCCESS
;
2488 u
->reset_accounting
= true;
2490 socket_enter_start_pre(s
);
2494 static int socket_stop(Unit
*u
) {
2495 Socket
*s
= SOCKET(u
);
2500 if (IN_SET(s
->state
,
2502 SOCKET_STOP_PRE_SIGTERM
,
2503 SOCKET_STOP_PRE_SIGKILL
,
2505 SOCKET_FINAL_SIGTERM
,
2506 SOCKET_FINAL_SIGKILL
))
2509 /* If there's already something running we go directly into
2511 if (IN_SET(s
->state
,
2514 SOCKET_START_POST
)) {
2515 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_SUCCESS
);
2519 assert(IN_SET(s
->state
, SOCKET_LISTENING
, SOCKET_RUNNING
));
2521 socket_enter_stop_pre(s
, SOCKET_SUCCESS
);
2525 static int socket_serialize(Unit
*u
, FILE *f
, FDSet
*fds
) {
2526 Socket
*s
= SOCKET(u
);
2534 unit_serialize_item(u
, f
, "state", socket_state_to_string(s
->state
));
2535 unit_serialize_item(u
, f
, "result", socket_result_to_string(s
->result
));
2536 unit_serialize_item_format(u
, f
, "n-accepted", "%u", s
->n_accepted
);
2538 if (s
->control_pid
> 0)
2539 unit_serialize_item_format(u
, f
, "control-pid", PID_FMT
, s
->control_pid
);
2541 if (s
->control_command_id
>= 0)
2542 unit_serialize_item(u
, f
, "control-command", socket_exec_command_to_string(s
->control_command_id
));
2544 LIST_FOREACH(port
, p
, s
->ports
) {
2550 copy
= fdset_put_dup(fds
, p
->fd
);
2554 if (p
->type
== SOCKET_SOCKET
) {
2555 _cleanup_free_
char *t
= NULL
;
2557 r
= socket_address_print(&p
->address
, &t
);
2561 if (socket_address_family(&p
->address
) == AF_NETLINK
)
2562 unit_serialize_item_format(u
, f
, "netlink", "%i %s", copy
, t
);
2564 unit_serialize_item_format(u
, f
, "socket", "%i %i %s", copy
, p
->address
.type
, t
);
2566 } else if (p
->type
== SOCKET_SPECIAL
)
2567 unit_serialize_item_format(u
, f
, "special", "%i %s", copy
, p
->path
);
2568 else if (p
->type
== SOCKET_MQUEUE
)
2569 unit_serialize_item_format(u
, f
, "mqueue", "%i %s", copy
, p
->path
);
2570 else if (p
->type
== SOCKET_USB_FUNCTION
)
2571 unit_serialize_item_format(u
, f
, "ffs", "%i %s", copy
, p
->path
);
2573 assert(p
->type
== SOCKET_FIFO
);
2574 unit_serialize_item_format(u
, f
, "fifo", "%i %s", copy
, p
->path
);
2581 static void socket_port_take_fd(SocketPort
*p
, FDSet
*fds
, int fd
) {
2583 p
->fd
= fdset_remove(fds
, fd
);
2586 static int socket_deserialize_item(Unit
*u
, const char *key
, const char *value
, FDSet
*fds
) {
2587 Socket
*s
= SOCKET(u
);
2593 if (streq(key
, "state")) {
2596 state
= socket_state_from_string(value
);
2598 log_unit_debug(u
, "Failed to parse state value: %s", value
);
2600 s
->deserialized_state
= state
;
2601 } else if (streq(key
, "result")) {
2604 f
= socket_result_from_string(value
);
2606 log_unit_debug(u
, "Failed to parse result value: %s", value
);
2607 else if (f
!= SOCKET_SUCCESS
)
2610 } else if (streq(key
, "n-accepted")) {
2613 if (safe_atou(value
, &k
) < 0)
2614 log_unit_debug(u
, "Failed to parse n-accepted value: %s", value
);
2617 } else if (streq(key
, "control-pid")) {
2620 if (parse_pid(value
, &pid
) < 0)
2621 log_unit_debug(u
, "Failed to parse control-pid value: %s", value
);
2623 s
->control_pid
= pid
;
2624 } else if (streq(key
, "control-command")) {
2625 SocketExecCommand id
;
2627 id
= socket_exec_command_from_string(value
);
2629 log_unit_debug(u
, "Failed to parse exec-command value: %s", value
);
2631 s
->control_command_id
= id
;
2632 s
->control_command
= s
->exec_command
[id
];
2634 } else if (streq(key
, "fifo")) {
2638 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2639 log_unit_debug(u
, "Failed to parse fifo value: %s", value
);
2641 LIST_FOREACH(port
, p
, s
->ports
)
2642 if (p
->type
== SOCKET_FIFO
&&
2643 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2644 socket_port_take_fd(p
, fds
, fd
);
2648 } else if (streq(key
, "special")) {
2652 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2653 log_unit_debug(u
, "Failed to parse special value: %s", value
);
2655 LIST_FOREACH(port
, p
, s
->ports
)
2656 if (p
->type
== SOCKET_SPECIAL
&&
2657 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2658 socket_port_take_fd(p
, fds
, fd
);
2662 } else if (streq(key
, "mqueue")) {
2666 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2667 log_unit_debug(u
, "Failed to parse mqueue value: %s", value
);
2669 LIST_FOREACH(port
, p
, s
->ports
)
2670 if (p
->type
== SOCKET_MQUEUE
&&
2671 streq(p
->path
, value
+skip
)) {
2672 socket_port_take_fd(p
, fds
, fd
);
2676 } else if (streq(key
, "socket")) {
2677 int fd
, type
, skip
= 0;
2680 if (sscanf(value
, "%i %i %n", &fd
, &type
, &skip
) < 2 || fd
< 0 || type
< 0 || !fdset_contains(fds
, fd
))
2681 log_unit_debug(u
, "Failed to parse socket value: %s", value
);
2683 LIST_FOREACH(port
, p
, s
->ports
)
2684 if (socket_address_is(&p
->address
, value
+skip
, type
)) {
2685 socket_port_take_fd(p
, fds
, fd
);
2689 } else if (streq(key
, "netlink")) {
2693 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2694 log_unit_debug(u
, "Failed to parse socket value: %s", value
);
2696 LIST_FOREACH(port
, p
, s
->ports
)
2697 if (socket_address_is_netlink(&p
->address
, value
+skip
)) {
2698 socket_port_take_fd(p
, fds
, fd
);
2702 } else if (streq(key
, "ffs")) {
2706 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2707 log_unit_debug(u
, "Failed to parse ffs value: %s", value
);
2709 LIST_FOREACH(port
, p
, s
->ports
)
2710 if (p
->type
== SOCKET_USB_FUNCTION
&&
2711 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2712 socket_port_take_fd(p
, fds
, fd
);
2717 log_unit_debug(UNIT(s
), "Unknown serialization key: %s", key
);
2722 static void socket_distribute_fds(Unit
*u
, FDSet
*fds
) {
2723 Socket
*s
= SOCKET(u
);
2728 LIST_FOREACH(port
, p
, s
->ports
) {
2732 if (p
->type
!= SOCKET_SOCKET
)
2738 FDSET_FOREACH(fd
, fds
, i
) {
2739 if (socket_address_matches_fd(&p
->address
, fd
)) {
2740 p
->fd
= fdset_remove(fds
, fd
);
2741 s
->deserialized_state
= SOCKET_LISTENING
;
2748 _pure_
static UnitActiveState
socket_active_state(Unit
*u
) {
2751 return state_translation_table
[SOCKET(u
)->state
];
2754 _pure_
static const char *socket_sub_state_to_string(Unit
*u
) {
2757 return socket_state_to_string(SOCKET(u
)->state
);
2760 const char* socket_port_type_to_string(SocketPort
*p
) {
2768 switch (p
->address
.type
) {
2776 case SOCK_SEQPACKET
:
2777 return "SequentialPacket";
2780 if (socket_address_family(&p
->address
) == AF_NETLINK
)
2788 case SOCKET_SPECIAL
:
2792 return "MessageQueue";
2797 case SOCKET_USB_FUNCTION
:
2798 return "USBFunction";
2805 SocketType
socket_port_type_from_string(const char *s
) {
2808 if (STR_IN_SET(s
, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2809 return SOCKET_SOCKET
;
2810 else if (streq(s
, "Special"))
2811 return SOCKET_SPECIAL
;
2812 else if (streq(s
, "MessageQueue"))
2813 return SOCKET_MQUEUE
;
2814 else if (streq(s
, "FIFO"))
2816 else if (streq(s
, "USBFunction"))
2817 return SOCKET_USB_FUNCTION
;
2819 return _SOCKET_TYPE_INVALID
;
2822 _pure_
static bool socket_may_gc(Unit
*u
) {
2823 Socket
*s
= SOCKET(u
);
2827 return s
->n_connections
== 0;
2830 static int socket_accept_do(Socket
*s
, int fd
) {
2837 cfd
= accept4(fd
, NULL
, NULL
, SOCK_NONBLOCK
);
2851 static int socket_accept_in_cgroup(Socket
*s
, SocketPort
*p
, int fd
) {
2852 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
2860 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2861 * connection socket is also properly associated with the cgroup. */
2863 if (!IN_SET(p
->address
.sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
))
2866 r
= bpf_firewall_supported();
2872 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
2873 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
2875 r
= unit_fork_helper_process(UNIT(s
), "(sd-accept)", &pid
);
2877 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off accept stub process: %m");
2881 pair
[0] = safe_close(pair
[0]);
2883 cfd
= socket_accept_do(s
, fd
);
2885 log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
2886 _exit(EXIT_FAILURE
);
2889 r
= send_one_fd(pair
[1], cfd
, 0);
2891 log_unit_error_errno(UNIT(s
), r
, "Failed to send connection socket to parent: %m");
2892 _exit(EXIT_FAILURE
);
2895 _exit(EXIT_SUCCESS
);
2898 pair
[1] = safe_close(pair
[1]);
2899 cfd
= receive_one_fd(pair
[0], 0);
2901 /* We synchronously wait for the helper, as it shouldn't be slow */
2902 r
= wait_for_terminate_and_check("(sd-accept)", pid
, WAIT_LOG_ABNORMAL
);
2909 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to receive connection socket: %m");
2914 cfd
= socket_accept_do(s
, fd
);
2916 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
2921 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
2922 SocketPort
*p
= userdata
;
2928 if (p
->socket
->state
!= SOCKET_LISTENING
)
2931 log_unit_debug(UNIT(p
->socket
), "Incoming traffic");
2933 if (revents
!= EPOLLIN
) {
2935 if (revents
& EPOLLHUP
)
2936 log_unit_error(UNIT(p
->socket
), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2938 log_unit_error(UNIT(p
->socket
), "Got unexpected poll event (0x%x) on socket.", revents
);
2942 if (p
->socket
->accept
&&
2943 p
->type
== SOCKET_SOCKET
&&
2944 socket_address_can_accept(&p
->address
)) {
2946 cfd
= socket_accept_in_cgroup(p
->socket
, p
, fd
);
2950 socket_apply_socket_options(p
->socket
, cfd
);
2953 socket_enter_running(p
->socket
, cfd
);
2957 socket_enter_stop_pre(p
->socket
, SOCKET_FAILURE_RESOURCES
);
2961 static void socket_sigchld_event(Unit
*u
, pid_t pid
, int code
, int status
) {
2962 Socket
*s
= SOCKET(u
);
2968 if (pid
!= s
->control_pid
)
2973 if (is_clean_exit(code
, status
, EXIT_CLEAN_COMMAND
, NULL
))
2975 else if (code
== CLD_EXITED
)
2976 f
= SOCKET_FAILURE_EXIT_CODE
;
2977 else if (code
== CLD_KILLED
)
2978 f
= SOCKET_FAILURE_SIGNAL
;
2979 else if (code
== CLD_DUMPED
)
2980 f
= SOCKET_FAILURE_CORE_DUMP
;
2982 assert_not_reached("Unknown sigchld code");
2984 if (s
->control_command
) {
2985 exec_status_exit(&s
->control_command
->exec_status
, &s
->exec_context
, pid
, code
, status
);
2987 if (s
->control_command
->flags
& EXEC_COMMAND_IGNORE_FAILURE
)
2991 log_unit_full(u
, f
== SOCKET_SUCCESS
? LOG_DEBUG
: LOG_NOTICE
, 0,
2992 "Control process exited, code=%s status=%i",
2993 sigchld_code_to_string(code
), status
);
2995 if (s
->result
== SOCKET_SUCCESS
)
2998 if (s
->control_command
&&
2999 s
->control_command
->command_next
&&
3000 f
== SOCKET_SUCCESS
) {
3002 log_unit_debug(u
, "Running next command for state %s", socket_state_to_string(s
->state
));
3005 s
->control_command
= NULL
;
3006 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
3008 /* No further commands for this step, so let's figure
3009 * out what to do next */
3011 log_unit_debug(u
, "Got final SIGCHLD for state %s", socket_state_to_string(s
->state
));
3015 case SOCKET_START_PRE
:
3016 if (f
== SOCKET_SUCCESS
)
3017 socket_enter_start_chown(s
);
3019 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, f
);
3022 case SOCKET_START_CHOWN
:
3023 if (f
== SOCKET_SUCCESS
)
3024 socket_enter_start_post(s
);
3026 socket_enter_stop_pre(s
, f
);
3029 case SOCKET_START_POST
:
3030 if (f
== SOCKET_SUCCESS
)
3031 socket_enter_listening(s
);
3033 socket_enter_stop_pre(s
, f
);
3036 case SOCKET_STOP_PRE
:
3037 case SOCKET_STOP_PRE_SIGTERM
:
3038 case SOCKET_STOP_PRE_SIGKILL
:
3039 socket_enter_stop_post(s
, f
);
3042 case SOCKET_STOP_POST
:
3043 case SOCKET_FINAL_SIGTERM
:
3044 case SOCKET_FINAL_SIGKILL
:
3045 socket_enter_dead(s
, f
);
3049 assert_not_reached("Uh, control process died at wrong time.");
3053 /* Notify clients about changed exit status */
3054 unit_add_to_dbus_queue(u
);
3057 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
) {
3058 Socket
*s
= SOCKET(userdata
);
3061 assert(s
->timer_event_source
== source
);
3065 case SOCKET_START_PRE
:
3066 log_unit_warning(UNIT(s
), "Starting timed out. Terminating.");
3067 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3070 case SOCKET_START_CHOWN
:
3071 case SOCKET_START_POST
:
3072 log_unit_warning(UNIT(s
), "Starting timed out. Stopping.");
3073 socket_enter_stop_pre(s
, SOCKET_FAILURE_TIMEOUT
);
3076 case SOCKET_STOP_PRE
:
3077 log_unit_warning(UNIT(s
), "Stopping timed out. Terminating.");
3078 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3081 case SOCKET_STOP_PRE_SIGTERM
:
3082 if (s
->kill_context
.send_sigkill
) {
3083 log_unit_warning(UNIT(s
), "Stopping timed out. Killing.");
3084 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3086 log_unit_warning(UNIT(s
), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3087 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3091 case SOCKET_STOP_PRE_SIGKILL
:
3092 log_unit_warning(UNIT(s
), "Processes still around after SIGKILL. Ignoring.");
3093 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3096 case SOCKET_STOP_POST
:
3097 log_unit_warning(UNIT(s
), "Stopping timed out (2). Terminating.");
3098 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3101 case SOCKET_FINAL_SIGTERM
:
3102 if (s
->kill_context
.send_sigkill
) {
3103 log_unit_warning(UNIT(s
), "Stopping timed out (2). Killing.");
3104 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3106 log_unit_warning(UNIT(s
), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3107 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3111 case SOCKET_FINAL_SIGKILL
:
3112 log_unit_warning(UNIT(s
), "Still around after SIGKILL (2). Entering failed mode.");
3113 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3117 assert_not_reached("Timeout at wrong time.");
3123 int socket_collect_fds(Socket
*s
, int **fds
) {
3124 int *rfds
, k
= 0, n
= 0;
3130 /* Called from the service code for requesting our fds */
3132 LIST_FOREACH(port
, p
, s
->ports
) {
3135 n
+= p
->n_auxiliary_fds
;
3147 LIST_FOREACH(port
, p
, s
->ports
) {
3152 for (i
= 0; i
< p
->n_auxiliary_fds
; ++i
)
3153 rfds
[k
++] = p
->auxiliary_fds
[i
];
3162 static void socket_reset_failed(Unit
*u
) {
3163 Socket
*s
= SOCKET(u
);
3167 if (s
->state
== SOCKET_FAILED
)
3168 socket_set_state(s
, SOCKET_DEAD
);
3170 s
->result
= SOCKET_SUCCESS
;
3173 void socket_connection_unref(Socket
*s
) {
3176 /* The service is dead. Yay!
3178 * This is strictly for one-instance-per-connection
3181 assert(s
->n_connections
> 0);
3184 log_unit_debug(UNIT(s
), "One connection closed, %u left.", s
->n_connections
);
3187 static void socket_trigger_notify(Unit
*u
, Unit
*other
) {
3188 Socket
*s
= SOCKET(u
);
3193 /* Filter out invocations with bogus state */
3194 if (other
->load_state
!= UNIT_LOADED
|| other
->type
!= UNIT_SERVICE
)
3197 /* Don't propagate state changes from the service if we are already down */
3198 if (!IN_SET(s
->state
, SOCKET_RUNNING
, SOCKET_LISTENING
))
3201 /* We don't care for the service state if we are in Accept=yes mode */
3205 /* Propagate start limit hit state */
3206 if (other
->start_limit_hit
) {
3207 socket_enter_stop_pre(s
, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
);
3211 /* Don't propagate anything if there's still a job queued */
3215 if (IN_SET(SERVICE(other
)->state
,
3216 SERVICE_DEAD
, SERVICE_FAILED
,
3217 SERVICE_FINAL_SIGTERM
, SERVICE_FINAL_SIGKILL
,
3218 SERVICE_AUTO_RESTART
))
3219 socket_enter_listening(s
);
3221 if (SERVICE(other
)->state
== SERVICE_RUNNING
)
3222 socket_set_state(s
, SOCKET_RUNNING
);
3225 static int socket_kill(Unit
*u
, KillWho who
, int signo
, sd_bus_error
*error
) {
3226 return unit_kill_common(u
, who
, signo
, -1, SOCKET(u
)->control_pid
, error
);
3229 static int socket_get_timeout(Unit
*u
, usec_t
*timeout
) {
3230 Socket
*s
= SOCKET(u
);
3234 if (!s
->timer_event_source
)
3237 r
= sd_event_source_get_time(s
->timer_event_source
, &t
);
3240 if (t
== USEC_INFINITY
)
3247 char *socket_fdname(Socket
*s
) {
3250 /* Returns the name to use for $LISTEN_NAMES. If the user
3251 * didn't specify anything specifically, use the socket unit's
3252 * name as fallback. */
3254 return s
->fdname
?: UNIT(s
)->id
;
3257 static int socket_control_pid(Unit
*u
) {
3258 Socket
*s
= SOCKET(u
);
3262 return s
->control_pid
;
3265 static const char* const socket_exec_command_table
[_SOCKET_EXEC_COMMAND_MAX
] = {
3266 [SOCKET_EXEC_START_PRE
] = "ExecStartPre",
3267 [SOCKET_EXEC_START_CHOWN
] = "ExecStartChown",
3268 [SOCKET_EXEC_START_POST
] = "ExecStartPost",
3269 [SOCKET_EXEC_STOP_PRE
] = "ExecStopPre",
3270 [SOCKET_EXEC_STOP_POST
] = "ExecStopPost"
3273 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command
, SocketExecCommand
);
3275 static const char* const socket_result_table
[_SOCKET_RESULT_MAX
] = {
3276 [SOCKET_SUCCESS
] = "success",
3277 [SOCKET_FAILURE_RESOURCES
] = "resources",
3278 [SOCKET_FAILURE_TIMEOUT
] = "timeout",
3279 [SOCKET_FAILURE_EXIT_CODE
] = "exit-code",
3280 [SOCKET_FAILURE_SIGNAL
] = "signal",
3281 [SOCKET_FAILURE_CORE_DUMP
] = "core-dump",
3282 [SOCKET_FAILURE_START_LIMIT_HIT
] = "start-limit-hit",
3283 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT
] = "trigger-limit-hit",
3284 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
] = "service-start-limit-hit"
3287 DEFINE_STRING_TABLE_LOOKUP(socket_result
, SocketResult
);
3289 const UnitVTable socket_vtable
= {
3290 .object_size
= sizeof(Socket
),
3291 .exec_context_offset
= offsetof(Socket
, exec_context
),
3292 .cgroup_context_offset
= offsetof(Socket
, cgroup_context
),
3293 .kill_context_offset
= offsetof(Socket
, kill_context
),
3294 .exec_runtime_offset
= offsetof(Socket
, exec_runtime
),
3295 .dynamic_creds_offset
= offsetof(Socket
, dynamic_creds
),
3301 .private_section
= "Socket",
3303 .can_transient
= true,
3305 .init
= socket_init
,
3306 .done
= socket_done
,
3307 .load
= socket_load
,
3309 .coldplug
= socket_coldplug
,
3311 .dump
= socket_dump
,
3313 .start
= socket_start
,
3314 .stop
= socket_stop
,
3316 .kill
= socket_kill
,
3318 .get_timeout
= socket_get_timeout
,
3320 .serialize
= socket_serialize
,
3321 .deserialize_item
= socket_deserialize_item
,
3322 .distribute_fds
= socket_distribute_fds
,
3324 .active_state
= socket_active_state
,
3325 .sub_state_to_string
= socket_sub_state_to_string
,
3327 .may_gc
= socket_may_gc
,
3329 .sigchld_event
= socket_sigchld_event
,
3331 .trigger_notify
= socket_trigger_notify
,
3333 .reset_failed
= socket_reset_failed
,
3335 .control_pid
= socket_control_pid
,
3337 .bus_vtable
= bus_socket_vtable
,
3338 .bus_set_property
= bus_socket_set_property
,
3339 .bus_commit_properties
= bus_socket_commit_properties
,
3341 .status_message_formats
= {
3342 /*.starting_stopping = {
3343 [0] = "Starting socket %s...",
3344 [1] = "Stopping socket %s...",
3346 .finished_start_job
= {
3347 [JOB_DONE
] = "Listening on %s.",
3348 [JOB_FAILED
] = "Failed to listen on %s.",
3349 [JOB_TIMEOUT
] = "Timed out starting %s.",
3351 .finished_stop_job
= {
3352 [JOB_DONE
] = "Closed %s.",
3353 [JOB_FAILED
] = "Failed stopping %s.",
3354 [JOB_TIMEOUT
] = "Timed out stopping %s.",