1 /* SPDX-License-Identifier: LGPL-2.1+ */
7 #include <netinet/tcp.h>
12 #include <linux/sctp.h>
14 #include "alloc-util.h"
15 #include "bpf-firewall.h"
16 #include "bus-error.h"
19 #include "dbus-socket.h"
21 #include "exit-status.h"
23 #include "format-util.h"
25 #include "in-addr-util.h"
31 #include "parse-util.h"
32 #include "path-util.h"
33 #include "process-util.h"
34 #include "selinux-util.h"
35 #include "signal-util.h"
36 #include "smack-util.h"
38 #include "socket-protocol-list.h"
40 #include "string-table.h"
41 #include "string-util.h"
43 #include "unit-name.h"
45 #include "user-util.h"
51 union sockaddr_union peer
;
55 static const UnitActiveState state_translation_table
[_SOCKET_STATE_MAX
] = {
56 [SOCKET_DEAD
] = UNIT_INACTIVE
,
57 [SOCKET_START_PRE
] = UNIT_ACTIVATING
,
58 [SOCKET_START_CHOWN
] = UNIT_ACTIVATING
,
59 [SOCKET_START_POST
] = UNIT_ACTIVATING
,
60 [SOCKET_LISTENING
] = UNIT_ACTIVE
,
61 [SOCKET_RUNNING
] = UNIT_ACTIVE
,
62 [SOCKET_STOP_PRE
] = UNIT_DEACTIVATING
,
63 [SOCKET_STOP_PRE_SIGTERM
] = UNIT_DEACTIVATING
,
64 [SOCKET_STOP_PRE_SIGKILL
] = UNIT_DEACTIVATING
,
65 [SOCKET_STOP_POST
] = UNIT_DEACTIVATING
,
66 [SOCKET_FINAL_SIGTERM
] = UNIT_DEACTIVATING
,
67 [SOCKET_FINAL_SIGKILL
] = UNIT_DEACTIVATING
,
68 [SOCKET_FAILED
] = UNIT_FAILED
71 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
);
72 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
);
74 static void socket_init(Unit
*u
) {
75 Socket
*s
= SOCKET(u
);
78 assert(u
->load_state
== UNIT_STUB
);
80 s
->backlog
= SOMAXCONN
;
81 s
->timeout_usec
= u
->manager
->default_timeout_start_usec
;
82 s
->directory_mode
= 0755;
83 s
->socket_mode
= 0666;
85 s
->max_connections
= 64;
92 s
->exec_context
.std_output
= u
->manager
->default_std_output
;
93 s
->exec_context
.std_error
= u
->manager
->default_std_error
;
95 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
97 s
->trigger_limit
.interval
= USEC_INFINITY
;
98 s
->trigger_limit
.burst
= (unsigned) -1;
101 static void socket_unwatch_control_pid(Socket
*s
) {
104 if (s
->control_pid
<= 0)
107 unit_unwatch_pid(UNIT(s
), s
->control_pid
);
111 static void socket_cleanup_fd_list(SocketPort
*p
) {
114 close_many(p
->auxiliary_fds
, p
->n_auxiliary_fds
);
115 p
->auxiliary_fds
= mfree(p
->auxiliary_fds
);
116 p
->n_auxiliary_fds
= 0;
119 void socket_free_ports(Socket
*s
) {
124 while ((p
= s
->ports
)) {
125 LIST_REMOVE(port
, s
->ports
, p
);
127 sd_event_source_unref(p
->event_source
);
129 socket_cleanup_fd_list(p
);
136 static void socket_done(Unit
*u
) {
137 Socket
*s
= SOCKET(u
);
142 socket_free_ports(s
);
144 while ((p
= set_steal_first(s
->peers_by_address
)))
147 s
->peers_by_address
= set_free(s
->peers_by_address
);
149 s
->exec_runtime
= exec_runtime_unref(s
->exec_runtime
, false);
150 exec_command_free_array(s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
);
151 s
->control_command
= NULL
;
153 dynamic_creds_unref(&s
->dynamic_creds
);
155 socket_unwatch_control_pid(s
);
157 unit_ref_unset(&s
->service
);
159 s
->tcp_congestion
= mfree(s
->tcp_congestion
);
160 s
->bind_to_device
= mfree(s
->bind_to_device
);
162 s
->smack
= mfree(s
->smack
);
163 s
->smack_ip_in
= mfree(s
->smack_ip_in
);
164 s
->smack_ip_out
= mfree(s
->smack_ip_out
);
166 strv_free(s
->symlinks
);
168 s
->user
= mfree(s
->user
);
169 s
->group
= mfree(s
->group
);
171 s
->fdname
= mfree(s
->fdname
);
173 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
176 static int socket_arm_timer(Socket
*s
, usec_t usec
) {
181 if (s
->timer_event_source
) {
182 r
= sd_event_source_set_time(s
->timer_event_source
, usec
);
186 return sd_event_source_set_enabled(s
->timer_event_source
, SD_EVENT_ONESHOT
);
189 if (usec
== USEC_INFINITY
)
192 r
= sd_event_add_time(
193 UNIT(s
)->manager
->event
,
194 &s
->timer_event_source
,
197 socket_dispatch_timer
, s
);
201 (void) sd_event_source_set_description(s
->timer_event_source
, "socket-timer");
206 int socket_instantiate_service(Socket
*s
) {
207 _cleanup_free_
char *prefix
= NULL
, *name
= NULL
;
213 /* This fills in s->service if it isn't filled in yet. For
214 * Accept=yes sockets we create the next connection service
215 * here. For Accept=no this is mostly a NOP since the service
216 * is figured out at load time anyway. */
218 if (UNIT_DEREF(s
->service
))
224 r
= unit_name_to_prefix(UNIT(s
)->id
, &prefix
);
228 if (asprintf(&name
, "%s@%u.service", prefix
, s
->n_accepted
) < 0)
231 r
= manager_load_unit(UNIT(s
)->manager
, name
, NULL
, NULL
, &u
);
235 unit_ref_set(&s
->service
, UNIT(s
), u
);
237 return unit_add_two_dependencies(UNIT(s
), UNIT_BEFORE
, UNIT_TRIGGERS
, u
, false, UNIT_DEPENDENCY_IMPLICIT
);
240 static bool have_non_accept_socket(Socket
*s
) {
248 LIST_FOREACH(port
, p
, s
->ports
) {
250 if (p
->type
!= SOCKET_SOCKET
)
253 if (!socket_address_can_accept(&p
->address
))
260 static int socket_add_mount_dependencies(Socket
*s
) {
266 LIST_FOREACH(port
, p
, s
->ports
) {
267 const char *path
= NULL
;
269 if (p
->type
== SOCKET_SOCKET
)
270 path
= socket_address_get_path(&p
->address
);
271 else if (IN_SET(p
->type
, SOCKET_FIFO
, SOCKET_SPECIAL
, SOCKET_USB_FUNCTION
))
277 r
= unit_require_mounts_for(UNIT(s
), path
, UNIT_DEPENDENCY_FILE
);
285 static int socket_add_device_dependencies(Socket
*s
) {
290 if (!s
->bind_to_device
|| streq(s
->bind_to_device
, "lo"))
293 t
= strjoina("/sys/subsystem/net/devices/", s
->bind_to_device
);
294 return unit_add_node_dependency(UNIT(s
), t
, false, UNIT_BINDS_TO
, UNIT_DEPENDENCY_FILE
);
297 static int socket_add_default_dependencies(Socket
*s
) {
301 if (!UNIT(s
)->default_dependencies
)
304 r
= unit_add_dependency_by_name(UNIT(s
), UNIT_BEFORE
, SPECIAL_SOCKETS_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
308 if (MANAGER_IS_SYSTEM(UNIT(s
)->manager
)) {
309 r
= unit_add_two_dependencies_by_name(UNIT(s
), UNIT_AFTER
, UNIT_REQUIRES
, SPECIAL_SYSINIT_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
314 return unit_add_two_dependencies_by_name(UNIT(s
), UNIT_BEFORE
, UNIT_CONFLICTS
, SPECIAL_SHUTDOWN_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
317 _pure_
static bool socket_has_exec(Socket
*s
) {
321 for (i
= 0; i
< _SOCKET_EXEC_COMMAND_MAX
; i
++)
322 if (s
->exec_command
[i
])
328 static int socket_add_extras(Socket
*s
) {
334 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
335 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
336 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
337 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
338 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
339 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
340 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
341 * service starts are typical. */
343 if (s
->trigger_limit
.interval
== USEC_INFINITY
)
344 s
->trigger_limit
.interval
= 2 * USEC_PER_SEC
;
346 if (s
->trigger_limit
.burst
== (unsigned) -1) {
348 s
->trigger_limit
.burst
= 200;
350 s
->trigger_limit
.burst
= 20;
353 if (have_non_accept_socket(s
)) {
355 if (!UNIT_DEREF(s
->service
)) {
358 r
= unit_load_related_unit(u
, ".service", &x
);
362 unit_ref_set(&s
->service
, u
, x
);
365 r
= unit_add_two_dependencies(u
, UNIT_BEFORE
, UNIT_TRIGGERS
, UNIT_DEREF(s
->service
), true, UNIT_DEPENDENCY_IMPLICIT
);
370 r
= socket_add_mount_dependencies(s
);
374 r
= socket_add_device_dependencies(s
);
378 r
= unit_patch_contexts(u
);
382 if (socket_has_exec(s
)) {
383 r
= unit_add_exec_dependencies(u
, &s
->exec_context
);
388 r
= unit_set_default_slice(u
);
392 r
= socket_add_default_dependencies(s
);
399 static const char *socket_find_symlink_target(Socket
*s
) {
400 const char *found
= NULL
;
403 LIST_FOREACH(port
, p
, s
->ports
) {
404 const char *f
= NULL
;
413 f
= socket_address_get_path(&p
->address
);
431 static int socket_verify(Socket
*s
) {
434 if (UNIT(s
)->load_state
!= UNIT_LOADED
)
438 log_unit_error(UNIT(s
), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
442 if (s
->accept
&& have_non_accept_socket(s
)) {
443 log_unit_error(UNIT(s
), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
447 if (s
->accept
&& s
->max_connections
<= 0) {
448 log_unit_error(UNIT(s
), "MaxConnection= setting too small. Refusing.");
452 if (s
->accept
&& UNIT_DEREF(s
->service
)) {
453 log_unit_error(UNIT(s
), "Explicit service configuration for accepting socket units not supported. Refusing.");
457 if (s
->exec_context
.pam_name
&& s
->kill_context
.kill_mode
!= KILL_CONTROL_GROUP
) {
458 log_unit_error(UNIT(s
), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
462 if (!strv_isempty(s
->symlinks
) && !socket_find_symlink_target(s
)) {
463 log_unit_error(UNIT(s
), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
470 static void peer_address_hash_func(const void *p
, struct siphash
*state
) {
471 const SocketPeer
*s
= p
;
475 if (s
->peer
.sa
.sa_family
== AF_INET
)
476 siphash24_compress(&s
->peer
.in
.sin_addr
, sizeof(s
->peer
.in
.sin_addr
), state
);
477 else if (s
->peer
.sa
.sa_family
== AF_INET6
)
478 siphash24_compress(&s
->peer
.in6
.sin6_addr
, sizeof(s
->peer
.in6
.sin6_addr
), state
);
479 else if (s
->peer
.sa
.sa_family
== AF_VSOCK
)
480 siphash24_compress(&s
->peer
.vm
.svm_cid
, sizeof(s
->peer
.vm
.svm_cid
), state
);
482 assert_not_reached("Unknown address family.");
485 static int peer_address_compare_func(const void *a
, const void *b
) {
486 const SocketPeer
*x
= a
, *y
= b
;
489 r
= CMP(x
->peer
.sa
.sa_family
, y
->peer
.sa
.sa_family
);
493 switch(x
->peer
.sa
.sa_family
) {
495 return memcmp(&x
->peer
.in
.sin_addr
, &y
->peer
.in
.sin_addr
, sizeof(x
->peer
.in
.sin_addr
));
497 return memcmp(&x
->peer
.in6
.sin6_addr
, &y
->peer
.in6
.sin6_addr
, sizeof(x
->peer
.in6
.sin6_addr
));
499 return CMP(x
->peer
.vm
.svm_cid
, y
->peer
.vm
.svm_cid
);
501 assert_not_reached("Black sheep in the family!");
504 const struct hash_ops peer_address_hash_ops
= {
505 .hash
= peer_address_hash_func
,
506 .compare
= peer_address_compare_func
509 static int socket_load(Unit
*u
) {
510 Socket
*s
= SOCKET(u
);
514 assert(u
->load_state
== UNIT_STUB
);
516 r
= set_ensure_allocated(&s
->peers_by_address
, &peer_address_hash_ops
);
520 r
= unit_load_fragment_and_dropin(u
);
524 if (u
->load_state
== UNIT_LOADED
) {
525 /* This is a new unit? Then let's add in some extras */
526 r
= socket_add_extras(s
);
531 return socket_verify(s
);
534 static SocketPeer
*socket_peer_new(void) {
537 p
= new0(SocketPeer
, 1);
546 static SocketPeer
*socket_peer_free(SocketPeer
*p
) {
550 set_remove(p
->socket
->peers_by_address
, p
);
555 DEFINE_TRIVIAL_REF_UNREF_FUNC(SocketPeer
, socket_peer
, socket_peer_free
);
557 int socket_acquire_peer(Socket
*s
, int fd
, SocketPeer
**p
) {
558 _cleanup_(socket_peer_unrefp
) SocketPeer
*remote
= NULL
;
559 SocketPeer sa
= {}, *i
;
560 socklen_t salen
= sizeof(sa
.peer
);
566 r
= getpeername(fd
, &sa
.peer
.sa
, &salen
);
568 return log_error_errno(errno
, "getpeername failed: %m");
570 if (!IN_SET(sa
.peer
.sa
.sa_family
, AF_INET
, AF_INET6
, AF_VSOCK
)) {
575 i
= set_get(s
->peers_by_address
, &sa
);
577 *p
= socket_peer_ref(i
);
581 remote
= socket_peer_new();
585 remote
->peer
= sa
.peer
;
586 remote
->peer_salen
= salen
;
588 r
= set_put(s
->peers_by_address
, remote
);
594 *p
= TAKE_PTR(remote
);
599 _const_
static const char* listen_lookup(int family
, int type
) {
601 if (family
== AF_NETLINK
)
602 return "ListenNetlink";
604 if (type
== SOCK_STREAM
)
605 return "ListenStream";
606 else if (type
== SOCK_DGRAM
)
607 return "ListenDatagram";
608 else if (type
== SOCK_SEQPACKET
)
609 return "ListenSequentialPacket";
611 assert_not_reached("Unknown socket type");
615 static void socket_dump(Unit
*u
, FILE *f
, const char *prefix
) {
616 char time_string
[FORMAT_TIMESPAN_MAX
];
618 Socket
*s
= SOCKET(u
);
620 const char *prefix2
, *str
;
625 prefix
= strempty(prefix
);
626 prefix2
= strjoina(prefix
, "\t");
629 "%sSocket State: %s\n"
631 "%sBindIPv6Only: %s\n"
633 "%sSocketMode: %04o\n"
634 "%sDirectoryMode: %04o\n"
638 "%sTransparent: %s\n"
640 "%sPassCredentials: %s\n"
641 "%sPassSecurity: %s\n"
642 "%sTCPCongestion: %s\n"
643 "%sRemoveOnStop: %s\n"
645 "%sFileDescriptorName: %s\n"
646 "%sSELinuxContextFromNet: %s\n",
647 prefix
, socket_state_to_string(s
->state
),
648 prefix
, socket_result_to_string(s
->result
),
649 prefix
, socket_address_bind_ipv6_only_to_string(s
->bind_ipv6_only
),
651 prefix
, s
->socket_mode
,
652 prefix
, s
->directory_mode
,
653 prefix
, yes_no(s
->keep_alive
),
654 prefix
, yes_no(s
->no_delay
),
655 prefix
, yes_no(s
->free_bind
),
656 prefix
, yes_no(s
->transparent
),
657 prefix
, yes_no(s
->broadcast
),
658 prefix
, yes_no(s
->pass_cred
),
659 prefix
, yes_no(s
->pass_sec
),
660 prefix
, strna(s
->tcp_congestion
),
661 prefix
, yes_no(s
->remove_on_stop
),
662 prefix
, yes_no(s
->writable
),
663 prefix
, socket_fdname(s
),
664 prefix
, yes_no(s
->selinux_context_from_net
));
666 if (s
->control_pid
> 0)
668 "%sControl PID: "PID_FMT
"\n",
669 prefix
, s
->control_pid
);
671 if (s
->bind_to_device
)
673 "%sBindToDevice: %s\n",
674 prefix
, s
->bind_to_device
);
679 "%sNConnections: %u\n"
680 "%sMaxConnections: %u\n"
681 "%sMaxConnectionsPerSource: %u\n",
682 prefix
, s
->n_accepted
,
683 prefix
, s
->n_connections
,
684 prefix
, s
->max_connections
,
685 prefix
, s
->max_connections_per_source
);
687 if (s
->priority
>= 0)
690 prefix
, s
->priority
);
692 if (s
->receive_buffer
> 0)
694 "%sReceiveBuffer: %zu\n",
695 prefix
, s
->receive_buffer
);
697 if (s
->send_buffer
> 0)
699 "%sSendBuffer: %zu\n",
700 prefix
, s
->send_buffer
);
712 if (s
->pipe_size
> 0)
715 prefix
, s
->pipe_size
);
722 if (s
->mq_maxmsg
> 0)
724 "%sMessageQueueMaxMessages: %li\n",
725 prefix
, s
->mq_maxmsg
);
727 if (s
->mq_msgsize
> 0)
729 "%sMessageQueueMessageSize: %li\n",
730 prefix
, s
->mq_msgsize
);
735 prefix
, yes_no(s
->reuse_port
));
739 "%sSmackLabel: %s\n",
744 "%sSmackLabelIPIn: %s\n",
745 prefix
, s
->smack_ip_in
);
749 "%sSmackLabelIPOut: %s\n",
750 prefix
, s
->smack_ip_out
);
752 if (!isempty(s
->user
) || !isempty(s
->group
))
755 "%sSocketGroup: %s\n",
756 prefix
, strna(s
->user
),
757 prefix
, strna(s
->group
));
759 if (s
->keep_alive_time
> 0)
761 "%sKeepAliveTimeSec: %s\n",
762 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->keep_alive_time
, USEC_PER_SEC
));
764 if (s
->keep_alive_interval
> 0)
766 "%sKeepAliveIntervalSec: %s\n",
767 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->keep_alive_interval
, USEC_PER_SEC
));
769 if (s
->keep_alive_cnt
> 0)
771 "%sKeepAliveProbes: %u\n",
772 prefix
, s
->keep_alive_cnt
);
774 if (s
->defer_accept
> 0)
776 "%sDeferAcceptSec: %s\n",
777 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->defer_accept
, USEC_PER_SEC
));
779 LIST_FOREACH(port
, p
, s
->ports
) {
782 case SOCKET_SOCKET
: {
783 _cleanup_free_
char *k
= NULL
;
787 r
= socket_address_print(&p
->address
, &k
);
793 fprintf(f
, "%s%s: %s\n", prefix
, listen_lookup(socket_address_family(&p
->address
), p
->address
.type
), t
);
797 fprintf(f
, "%sListenSpecial: %s\n", prefix
, p
->path
);
799 case SOCKET_USB_FUNCTION
:
800 fprintf(f
, "%sListenUSBFunction: %s\n", prefix
, p
->path
);
803 fprintf(f
, "%sListenMessageQueue: %s\n", prefix
, p
->path
);
806 fprintf(f
, "%sListenFIFO: %s\n", prefix
, p
->path
);
811 "%sTriggerLimitIntervalSec: %s\n"
812 "%sTriggerLimitBurst: %u\n",
813 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->trigger_limit
.interval
, USEC_PER_SEC
),
814 prefix
, s
->trigger_limit
.burst
);
816 str
= socket_protocol_to_name(s
->socket_protocol
);
818 fprintf(f
, "%sSocketProtocol: %s\n", prefix
, str
);
820 if (!strv_isempty(s
->symlinks
)) {
823 fprintf(f
, "%sSymlinks:", prefix
);
824 STRV_FOREACH(q
, s
->symlinks
)
825 fprintf(f
, " %s", *q
);
831 "%sTimeoutSec: %s\n",
832 prefix
, format_timespan(time_string
, FORMAT_TIMESPAN_MAX
, s
->timeout_usec
, USEC_PER_SEC
));
834 exec_context_dump(&s
->exec_context
, f
, prefix
);
835 kill_context_dump(&s
->kill_context
, f
, prefix
);
837 for (c
= 0; c
< _SOCKET_EXEC_COMMAND_MAX
; c
++) {
838 if (!s
->exec_command
[c
])
841 fprintf(f
, "%s-> %s:\n",
842 prefix
, socket_exec_command_to_string(c
));
844 exec_command_dump_list(s
->exec_command
[c
], f
, prefix2
);
847 cgroup_context_dump(&s
->cgroup_context
, f
, prefix
);
850 static int instance_from_socket(int fd
, unsigned nr
, char **instance
) {
853 union sockaddr_union local
, remote
;
859 if (getsockname(fd
, &local
.sa
, &l
) < 0)
863 if (getpeername(fd
, &remote
.sa
, &l
) < 0)
866 switch (local
.sa
.sa_family
) {
870 a
= be32toh(local
.in
.sin_addr
.s_addr
),
871 b
= be32toh(remote
.in
.sin_addr
.s_addr
);
874 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
876 a
>> 24, (a
>> 16) & 0xFF, (a
>> 8) & 0xFF, a
& 0xFF,
877 be16toh(local
.in
.sin_port
),
878 b
>> 24, (b
>> 16) & 0xFF, (b
>> 8) & 0xFF, b
& 0xFF,
879 be16toh(remote
.in
.sin_port
)) < 0)
886 static const unsigned char ipv4_prefix
[] = {
887 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
890 if (memcmp(&local
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0 &&
891 memcmp(&remote
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0) {
893 *a
= local
.in6
.sin6_addr
.s6_addr
+12,
894 *b
= remote
.in6
.sin6_addr
.s6_addr
+12;
897 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
899 a
[0], a
[1], a
[2], a
[3],
900 be16toh(local
.in6
.sin6_port
),
901 b
[0], b
[1], b
[2], b
[3],
902 be16toh(remote
.in6
.sin6_port
)) < 0)
905 char a
[INET6_ADDRSTRLEN
], b
[INET6_ADDRSTRLEN
];
910 inet_ntop(AF_INET6
, &local
.in6
.sin6_addr
, a
, sizeof(a
)),
911 be16toh(local
.in6
.sin6_port
),
912 inet_ntop(AF_INET6
, &remote
.in6
.sin6_addr
, b
, sizeof(b
)),
913 be16toh(remote
.in6
.sin6_port
)) < 0)
924 k
= getpeercred(fd
, &ucred
);
927 "%u-"PID_FMT
"-"UID_FMT
,
928 nr
, ucred
.pid
, ucred
.uid
) < 0)
930 } else if (k
== -ENODATA
) {
931 /* This handles the case where somebody is
932 * connecting from another pid/uid namespace
933 * (e.g. from outside of our container). */
948 local
.vm
.svm_cid
, local
.vm
.svm_port
,
949 remote
.vm
.svm_cid
, remote
.vm
.svm_port
) < 0)
955 assert_not_reached("Unhandled socket type.");
962 static void socket_close_fds(Socket
*s
) {
968 LIST_FOREACH(port
, p
, s
->ports
) {
971 was_open
= p
->fd
>= 0;
973 p
->event_source
= sd_event_source_unref(p
->event_source
);
974 p
->fd
= safe_close(p
->fd
);
975 socket_cleanup_fd_list(p
);
977 /* One little note: we should normally not delete any sockets in the file system here! After all some
978 * other process we spawned might still have a reference of this fd and wants to continue to use
979 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
980 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
981 * anyway, but only then. */
983 if (!was_open
|| !s
->remove_on_stop
)
989 (void) unlink(p
->path
);
993 (void) mq_unlink(p
->path
);
997 (void) socket_address_unlink(&p
->address
);
1005 if (s
->remove_on_stop
)
1006 STRV_FOREACH(i
, s
->symlinks
)
1010 static void socket_apply_socket_options(Socket
*s
, int fd
) {
1016 if (s
->keep_alive
) {
1017 if (setsockopt(fd
, SOL_SOCKET
, SO_KEEPALIVE
, &const_int_one
, sizeof(const_int_one
)) < 0)
1018 log_unit_warning_errno(UNIT(s
), errno
, "SO_KEEPALIVE failed: %m");
1021 if (s
->keep_alive_time
> 0) {
1022 int value
= s
->keep_alive_time
/ USEC_PER_SEC
;
1023 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPIDLE
, &value
, sizeof(value
)) < 0)
1024 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPIDLE failed: %m");
1027 if (s
->keep_alive_interval
> 0) {
1028 int value
= s
->keep_alive_interval
/ USEC_PER_SEC
;
1029 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPINTVL
, &value
, sizeof(value
)) < 0)
1030 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPINTVL failed: %m");
1033 if (s
->keep_alive_cnt
> 0) {
1034 int value
= s
->keep_alive_cnt
;
1035 if (setsockopt(fd
, SOL_TCP
, TCP_KEEPCNT
, &value
, sizeof(value
)) < 0)
1036 log_unit_warning_errno(UNIT(s
), errno
, "TCP_KEEPCNT failed: %m");
1039 if (s
->defer_accept
> 0) {
1040 int value
= s
->defer_accept
/ USEC_PER_SEC
;
1041 if (setsockopt(fd
, SOL_TCP
, TCP_DEFER_ACCEPT
, &value
, sizeof(value
)) < 0)
1042 log_unit_warning_errno(UNIT(s
), errno
, "TCP_DEFER_ACCEPT failed: %m");
1046 if (s
->socket_protocol
== IPPROTO_SCTP
) {
1047 if (setsockopt(fd
, SOL_SCTP
, SCTP_NODELAY
, &const_int_one
, sizeof(const_int_one
)) < 0)
1048 log_unit_warning_errno(UNIT(s
), errno
, "SCTP_NODELAY failed: %m");
1050 if (setsockopt(fd
, SOL_TCP
, TCP_NODELAY
, &const_int_one
, sizeof(const_int_one
)) < 0)
1051 log_unit_warning_errno(UNIT(s
), errno
, "TCP_NODELAY failed: %m");
1056 if (setsockopt(fd
, SOL_SOCKET
, SO_BROADCAST
, &const_int_one
, sizeof(const_int_one
)) < 0)
1057 log_unit_warning_errno(UNIT(s
), errno
, "SO_BROADCAST failed: %m");
1061 if (setsockopt(fd
, SOL_SOCKET
, SO_PASSCRED
, &const_int_one
, sizeof(const_int_one
)) < 0)
1062 log_unit_warning_errno(UNIT(s
), errno
, "SO_PASSCRED failed: %m");
1066 if (setsockopt(fd
, SOL_SOCKET
, SO_PASSSEC
, &const_int_one
, sizeof(const_int_one
)) < 0)
1067 log_unit_warning_errno(UNIT(s
), errno
, "SO_PASSSEC failed: %m");
1070 if (s
->priority
>= 0)
1071 if (setsockopt(fd
, SOL_SOCKET
, SO_PRIORITY
, &s
->priority
, sizeof(s
->priority
)) < 0)
1072 log_unit_warning_errno(UNIT(s
), errno
, "SO_PRIORITY failed: %m");
1074 if (s
->receive_buffer
> 0) {
1075 int value
= (int) s
->receive_buffer
;
1077 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1078 if (setsockopt(fd
, SOL_SOCKET
, SO_RCVBUFFORCE
, &value
, sizeof(value
)) < 0)
1079 if (setsockopt(fd
, SOL_SOCKET
, SO_RCVBUF
, &value
, sizeof(value
)) < 0)
1080 log_unit_warning_errno(UNIT(s
), errno
, "SO_RCVBUF failed: %m");
1083 if (s
->send_buffer
> 0) {
1084 int value
= (int) s
->send_buffer
;
1085 if (setsockopt(fd
, SOL_SOCKET
, SO_SNDBUFFORCE
, &value
, sizeof(value
)) < 0)
1086 if (setsockopt(fd
, SOL_SOCKET
, SO_SNDBUF
, &value
, sizeof(value
)) < 0)
1087 log_unit_warning_errno(UNIT(s
), errno
, "SO_SNDBUF failed: %m");
1091 if (setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &s
->mark
, sizeof(s
->mark
)) < 0)
1092 log_unit_warning_errno(UNIT(s
), errno
, "SO_MARK failed: %m");
1095 if (setsockopt(fd
, IPPROTO_IP
, IP_TOS
, &s
->ip_tos
, sizeof(s
->ip_tos
)) < 0)
1096 log_unit_warning_errno(UNIT(s
), errno
, "IP_TOS failed: %m");
1098 if (s
->ip_ttl
>= 0) {
1101 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &s
->ip_ttl
, sizeof(s
->ip_ttl
));
1103 if (socket_ipv6_is_supported())
1104 x
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &s
->ip_ttl
, sizeof(s
->ip_ttl
));
1107 errno
= EAFNOSUPPORT
;
1111 log_unit_warning_errno(UNIT(s
), errno
, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1114 if (s
->tcp_congestion
)
1115 if (setsockopt(fd
, SOL_TCP
, TCP_CONGESTION
, s
->tcp_congestion
, strlen(s
->tcp_congestion
)+1) < 0)
1116 log_unit_warning_errno(UNIT(s
), errno
, "TCP_CONGESTION failed: %m");
1118 if (s
->smack_ip_in
) {
1119 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPIN
, s
->smack_ip_in
);
1121 log_unit_error_errno(UNIT(s
), r
, "mac_smack_apply_ip_in_fd: %m");
1124 if (s
->smack_ip_out
) {
1125 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPOUT
, s
->smack_ip_out
);
1127 log_unit_error_errno(UNIT(s
), r
, "mac_smack_apply_ip_out_fd: %m");
1131 static void socket_apply_fifo_options(Socket
*s
, int fd
) {
1137 if (s
->pipe_size
> 0)
1138 if (fcntl(fd
, F_SETPIPE_SZ
, s
->pipe_size
) < 0)
1139 log_unit_warning_errno(UNIT(s
), errno
, "Setting pipe size failed, ignoring: %m");
1142 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_ACCESS
, s
->smack
);
1144 log_unit_error_errno(UNIT(s
), r
, "SMACK relabelling failed, ignoring: %m");
1148 static int fifo_address_create(
1150 mode_t directory_mode
,
1151 mode_t socket_mode
) {
1153 _cleanup_close_
int fd
= -1;
1160 (void) mkdir_parents_label(path
, directory_mode
);
1162 r
= mac_selinux_create_file_prepare(path
, S_IFIFO
);
1166 /* Enforce the right access mode for the fifo */
1167 old_mask
= umask(~socket_mode
);
1169 /* Include the original umask in our mask */
1170 (void) umask(~socket_mode
| old_mask
);
1172 r
= mkfifo(path
, socket_mode
);
1173 (void) umask(old_mask
);
1175 if (r
< 0 && errno
!= EEXIST
) {
1180 fd
= open(path
, O_RDWR
| O_CLOEXEC
| O_NOCTTY
| O_NONBLOCK
| O_NOFOLLOW
);
1186 mac_selinux_create_file_clear();
1188 if (fstat(fd
, &st
) < 0) {
1193 if (!S_ISFIFO(st
.st_mode
) ||
1194 (st
.st_mode
& 0777) != (socket_mode
& ~old_mask
) ||
1195 st
.st_uid
!= getuid() ||
1196 st
.st_gid
!= getgid()) {
1204 mac_selinux_create_file_clear();
1208 static int special_address_create(const char *path
, bool writable
) {
1209 _cleanup_close_
int fd
= -1;
1214 fd
= open(path
, (writable
? O_RDWR
: O_RDONLY
)|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1218 if (fstat(fd
, &st
) < 0)
1221 /* Check whether this is a /proc, /sys or /dev file or char device */
1222 if (!S_ISREG(st
.st_mode
) && !S_ISCHR(st
.st_mode
))
1228 static int usbffs_address_create(const char *path
) {
1229 _cleanup_close_
int fd
= -1;
1234 fd
= open(path
, O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1238 if (fstat(fd
, &st
) < 0)
1241 /* Check whether this is a regular file (ffs endpoint) */
1242 if (!S_ISREG(st
.st_mode
))
1248 static int mq_address_create(
1254 _cleanup_close_
int fd
= -1;
1257 struct mq_attr _attr
, *attr
= NULL
;
1261 if (maxmsg
> 0 && msgsize
> 0) {
1262 _attr
= (struct mq_attr
) {
1263 .mq_flags
= O_NONBLOCK
,
1264 .mq_maxmsg
= maxmsg
,
1265 .mq_msgsize
= msgsize
,
1270 /* Enforce the right access mode for the mq */
1271 old_mask
= umask(~mq_mode
);
1273 /* Include the original umask in our mask */
1274 (void) umask(~mq_mode
| old_mask
);
1275 fd
= mq_open(path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_CREAT
, mq_mode
, attr
);
1276 (void) umask(old_mask
);
1281 if (fstat(fd
, &st
) < 0)
1284 if ((st
.st_mode
& 0777) != (mq_mode
& ~old_mask
) ||
1285 st
.st_uid
!= getuid() ||
1286 st
.st_gid
!= getgid())
1292 static int socket_symlink(Socket
*s
) {
1299 p
= socket_find_symlink_target(s
);
1303 STRV_FOREACH(i
, s
->symlinks
) {
1304 (void) mkdir_parents_label(*i
, s
->directory_mode
);
1306 r
= symlink_idempotent(p
, *i
, false);
1308 if (r
== -EEXIST
&& s
->remove_on_stop
) {
1309 /* If there's already something where we want to create the symlink, and the destructive
1310 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1313 if (unlink(*i
) >= 0)
1314 r
= symlink_idempotent(p
, *i
, false);
1318 log_unit_warning_errno(UNIT(s
), r
, "Failed to create symlink %s → %s, ignoring: %m", p
, *i
);
1324 static int usbffs_write_descs(int fd
, Service
*s
) {
1327 if (!s
->usb_function_descriptors
|| !s
->usb_function_strings
)
1330 r
= copy_file_fd(s
->usb_function_descriptors
, fd
, 0);
1334 return copy_file_fd(s
->usb_function_strings
, fd
, 0);
1337 static int usbffs_select_ep(const struct dirent
*d
) {
1338 return d
->d_name
[0] != '.' && !streq(d
->d_name
, "ep0");
1341 static int usbffs_dispatch_eps(SocketPort
*p
) {
1342 _cleanup_free_
struct dirent
**ent
= NULL
;
1346 r
= scandir(p
->path
, &ent
, usbffs_select_ep
, alphasort
);
1351 p
->auxiliary_fds
= new(int, n
);
1352 if (!p
->auxiliary_fds
) {
1357 p
->n_auxiliary_fds
= n
;
1360 for (i
= 0; i
< n
; ++i
) {
1361 _cleanup_free_
char *ep
= NULL
;
1363 ep
= path_make_absolute(ent
[i
]->d_name
, p
->path
);
1369 path_simplify(ep
, false);
1371 r
= usbffs_address_create(ep
);
1375 p
->auxiliary_fds
[k
++] = r
;
1382 close_many(p
->auxiliary_fds
, k
);
1383 p
->auxiliary_fds
= mfree(p
->auxiliary_fds
);
1384 p
->n_auxiliary_fds
= 0;
1387 for (i
= 0; i
< n
; ++i
)
1393 static int socket_determine_selinux_label(Socket
*s
, char **ret
) {
1396 _cleanup_free_
char *path
= NULL
;
1402 if (s
->selinux_context_from_net
) {
1403 /* If this is requested, get label from the network label */
1405 r
= mac_selinux_get_our_label(ret
);
1406 if (r
== -EOPNOTSUPP
)
1410 /* Otherwise, get it from the executable we are about to start */
1411 r
= socket_instantiate_service(s
);
1415 if (!UNIT_ISSET(s
->service
))
1418 service
= SERVICE(UNIT_DEREF(s
->service
));
1419 c
= service
->exec_command
[SERVICE_EXEC_START
];
1423 r
= chase_symlinks(c
->path
, service
->exec_context
.root_directory
, CHASE_PREFIX_ROOT
, &path
);
1427 r
= mac_selinux_get_create_label_from_exe(path
, ret
);
1428 if (IN_SET(r
, -EPERM
, -EOPNOTSUPP
))
1439 static int socket_address_listen_do(
1441 const SocketAddress
*address
,
1442 const char *label
) {
1447 return socket_address_listen(
1449 SOCK_CLOEXEC
|SOCK_NONBLOCK
,
1461 static int socket_address_listen_in_cgroup(
1463 const SocketAddress
*address
,
1464 const char *label
) {
1466 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
1473 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1474 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1475 * unit's cgroup for the purpose of BPF filtering and such. */
1477 if (!IN_SET(address
->sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
))
1478 goto shortcut
; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1480 r
= bpf_firewall_supported();
1483 if (r
== BPF_FIREWALL_UNSUPPORTED
) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1486 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
1487 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
1489 r
= unit_fork_helper_process(UNIT(s
), "(sd-listen)", &pid
);
1491 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off listener stub process: %m");
1495 pair
[0] = safe_close(pair
[0]);
1497 fd
= socket_address_listen_do(s
, address
, label
);
1499 log_unit_error_errno(UNIT(s
), fd
, "Failed to create listening socket: %m");
1500 _exit(EXIT_FAILURE
);
1503 r
= send_one_fd(pair
[1], fd
, 0);
1505 log_unit_error_errno(UNIT(s
), r
, "Failed to send listening socket to parent: %m");
1506 _exit(EXIT_FAILURE
);
1509 _exit(EXIT_SUCCESS
);
1512 pair
[1] = safe_close(pair
[1]);
1513 fd
= receive_one_fd(pair
[0], 0);
1515 /* We synchronously wait for the helper, as it shouldn't be slow */
1516 r
= wait_for_terminate_and_check("(sd-listen)", pid
, WAIT_LOG_ABNORMAL
);
1523 return log_unit_error_errno(UNIT(s
), fd
, "Failed to receive listening socket: %m");
1528 fd
= socket_address_listen_do(s
, address
, label
);
1530 return log_error_errno(fd
, "Failed to create listening socket: %m");
1535 static int socket_open_fds(Socket
*s
) {
1536 _cleanup_(mac_selinux_freep
) char *label
= NULL
;
1537 bool know_label
= false;
1543 LIST_FOREACH(port
, p
, s
->ports
) {
1553 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1554 * we need this and remember it for the rest. */
1556 r
= socket_determine_selinux_label(s
, &label
);
1563 /* Apply the socket protocol */
1564 switch (p
->address
.type
) {
1567 case SOCK_SEQPACKET
:
1568 if (s
->socket_protocol
== IPPROTO_SCTP
)
1569 p
->address
.protocol
= s
->socket_protocol
;
1573 if (s
->socket_protocol
== IPPROTO_UDPLITE
)
1574 p
->address
.protocol
= s
->socket_protocol
;
1578 r
= socket_address_listen_in_cgroup(s
, &p
->address
, label
);
1583 socket_apply_socket_options(s
, p
->fd
);
1587 case SOCKET_SPECIAL
:
1589 p
->fd
= special_address_create(p
->path
, s
->writable
);
1598 p
->fd
= fifo_address_create(
1607 socket_apply_fifo_options(s
, p
->fd
);
1613 p
->fd
= mq_address_create(
1624 case SOCKET_USB_FUNCTION
: {
1625 _cleanup_free_
char *ep
= NULL
;
1627 ep
= path_make_absolute("ep0", p
->path
);
1629 p
->fd
= usbffs_address_create(ep
);
1635 r
= usbffs_write_descs(p
->fd
, SERVICE(UNIT_DEREF(s
->service
)));
1639 r
= usbffs_dispatch_eps(p
);
1646 assert_not_reached("Unknown port type");
1653 socket_close_fds(s
);
1657 static void socket_unwatch_fds(Socket
*s
) {
1663 LIST_FOREACH(port
, p
, s
->ports
) {
1667 if (!p
->event_source
)
1670 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_OFF
);
1672 log_unit_debug_errno(UNIT(s
), r
, "Failed to disable event source: %m");
1676 static int socket_watch_fds(Socket
*s
) {
1682 LIST_FOREACH(port
, p
, s
->ports
) {
1686 if (p
->event_source
) {
1687 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_ON
);
1691 r
= sd_event_add_io(UNIT(s
)->manager
->event
, &p
->event_source
, p
->fd
, EPOLLIN
, socket_dispatch_io
, p
);
1695 (void) sd_event_source_set_description(p
->event_source
, "socket-port-io");
1702 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch listening fds: %m");
1703 socket_unwatch_fds(s
);
1713 static int socket_check_open(Socket
*s
) {
1714 bool have_open
= false, have_closed
= false;
1719 LIST_FOREACH(port
, p
, s
->ports
) {
1725 if (have_open
&& have_closed
)
1726 return SOCKET_OPEN_SOME
;
1730 return SOCKET_OPEN_ALL
;
1732 return SOCKET_OPEN_NONE
;
1735 static void socket_set_state(Socket
*s
, SocketState state
) {
1736 SocketState old_state
;
1739 old_state
= s
->state
;
1747 SOCKET_STOP_PRE_SIGTERM
,
1748 SOCKET_STOP_PRE_SIGKILL
,
1750 SOCKET_FINAL_SIGTERM
,
1751 SOCKET_FINAL_SIGKILL
)) {
1753 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
1754 socket_unwatch_control_pid(s
);
1755 s
->control_command
= NULL
;
1756 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
1759 if (state
!= SOCKET_LISTENING
)
1760 socket_unwatch_fds(s
);
1768 SOCKET_STOP_PRE_SIGTERM
,
1769 SOCKET_STOP_PRE_SIGKILL
))
1770 socket_close_fds(s
);
1772 if (state
!= old_state
)
1773 log_unit_debug(UNIT(s
), "Changed %s -> %s", socket_state_to_string(old_state
), socket_state_to_string(state
));
1775 unit_notify(UNIT(s
), state_translation_table
[old_state
], state_translation_table
[state
], 0);
1778 static int socket_coldplug(Unit
*u
) {
1779 Socket
*s
= SOCKET(u
);
1783 assert(s
->state
== SOCKET_DEAD
);
1785 if (s
->deserialized_state
== s
->state
)
1788 if (s
->control_pid
> 0 &&
1789 pid_is_unwaited(s
->control_pid
) &&
1790 IN_SET(s
->deserialized_state
,
1795 SOCKET_STOP_PRE_SIGTERM
,
1796 SOCKET_STOP_PRE_SIGKILL
,
1798 SOCKET_FINAL_SIGTERM
,
1799 SOCKET_FINAL_SIGKILL
)) {
1801 r
= unit_watch_pid(UNIT(s
), s
->control_pid
);
1805 r
= socket_arm_timer(s
, usec_add(u
->state_change_timestamp
.monotonic
, s
->timeout_usec
));
1810 if (IN_SET(s
->deserialized_state
,
1816 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1817 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1818 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1819 * and if there's a mismatch, warn loudly. */
1821 r
= socket_check_open(s
);
1822 if (r
== SOCKET_OPEN_NONE
)
1823 log_unit_warning(UNIT(s
),
1824 "Socket unit configuration has changed while unit has been running, "
1825 "no open socket file descriptor left. "
1826 "The socket unit is not functional until restarted.");
1827 else if (r
== SOCKET_OPEN_SOME
)
1828 log_unit_warning(UNIT(s
),
1829 "Socket unit configuration has changed while unit has been running, "
1830 "and some socket file descriptors have not been opened yet. "
1831 "The socket unit is not fully functional until restarted.");
1834 if (s
->deserialized_state
== SOCKET_LISTENING
) {
1835 r
= socket_watch_fds(s
);
1840 if (!IN_SET(s
->deserialized_state
, SOCKET_DEAD
, SOCKET_FAILED
)) {
1841 (void) unit_setup_dynamic_creds(u
);
1842 (void) unit_setup_exec_runtime(u
);
1845 socket_set_state(s
, s
->deserialized_state
);
1849 static int socket_spawn(Socket
*s
, ExecCommand
*c
, pid_t
*_pid
) {
1851 ExecParameters exec_params
= {
1852 .flags
= EXEC_APPLY_SANDBOXING
|EXEC_APPLY_CHROOT
|EXEC_APPLY_TTY_STDIN
,
1865 r
= unit_prepare_exec(UNIT(s
));
1869 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
1873 unit_set_exec_params(UNIT(s
), &exec_params
);
1875 r
= exec_spawn(UNIT(s
),
1885 r
= unit_watch_pid(UNIT(s
), pid
);
1887 /* FIXME: we need to do something here */
1895 static int socket_chown(Socket
*s
, pid_t
*_pid
) {
1899 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
1903 /* We have to resolve the user names out-of-process, hence
1904 * let's fork here. It's messy, but well, what can we do? */
1906 r
= unit_fork_helper_process(UNIT(s
), "(sd-chown)", &pid
);
1910 uid_t uid
= UID_INVALID
;
1911 gid_t gid
= GID_INVALID
;
1916 if (!isempty(s
->user
)) {
1917 const char *user
= s
->user
;
1919 r
= get_user_creds(&user
, &uid
, &gid
, NULL
, NULL
, 0);
1921 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve user %s: %m", user
);
1926 if (!isempty(s
->group
)) {
1927 const char *group
= s
->group
;
1929 r
= get_group_creds(&group
, &gid
, 0);
1931 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve group %s: %m", group
);
1936 LIST_FOREACH(port
, p
, s
->ports
) {
1937 const char *path
= NULL
;
1939 if (p
->type
== SOCKET_SOCKET
)
1940 path
= socket_address_get_path(&p
->address
);
1941 else if (p
->type
== SOCKET_FIFO
)
1947 if (chown(path
, uid
, gid
) < 0) {
1948 log_unit_error_errno(UNIT(s
), errno
, "Failed to chown(): %m");
1953 _exit(EXIT_SUCCESS
);
1956 r
= unit_watch_pid(UNIT(s
), pid
);
1964 s
->timer_event_source
= sd_event_source_unref(s
->timer_event_source
);
1968 static void socket_enter_dead(Socket
*s
, SocketResult f
) {
1971 if (s
->result
== SOCKET_SUCCESS
)
1974 if (s
->result
!= SOCKET_SUCCESS
)
1975 log_unit_warning(UNIT(s
), "Failed with result '%s'.", socket_result_to_string(s
->result
));
1977 socket_set_state(s
, s
->result
!= SOCKET_SUCCESS
? SOCKET_FAILED
: SOCKET_DEAD
);
1979 s
->exec_runtime
= exec_runtime_unref(s
->exec_runtime
, true);
1981 exec_context_destroy_runtime_directory(&s
->exec_context
, UNIT(s
)->manager
->prefix
[EXEC_DIRECTORY_RUNTIME
]);
1983 unit_unref_uid_gid(UNIT(s
), true);
1985 dynamic_creds_destroy(&s
->dynamic_creds
);
1988 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
);
1990 static void socket_enter_stop_post(Socket
*s
, SocketResult f
) {
1994 if (s
->result
== SOCKET_SUCCESS
)
1997 socket_unwatch_control_pid(s
);
1998 s
->control_command_id
= SOCKET_EXEC_STOP_POST
;
1999 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_POST
];
2001 if (s
->control_command
) {
2002 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2006 socket_set_state(s
, SOCKET_STOP_POST
);
2008 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_SUCCESS
);
2013 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'stop-post' task: %m");
2014 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2017 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
) {
2022 if (s
->result
== SOCKET_SUCCESS
)
2025 r
= unit_kill_context(
2028 !IN_SET(state
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_FINAL_SIGTERM
) ?
2029 KILL_KILL
: KILL_TERMINATE
,
2037 r
= socket_arm_timer(s
, usec_add(now(CLOCK_MONOTONIC
), s
->timeout_usec
));
2041 socket_set_state(s
, state
);
2042 } else if (state
== SOCKET_STOP_PRE_SIGTERM
)
2043 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_SUCCESS
);
2044 else if (state
== SOCKET_STOP_PRE_SIGKILL
)
2045 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2046 else if (state
== SOCKET_FINAL_SIGTERM
)
2047 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_SUCCESS
);
2049 socket_enter_dead(s
, SOCKET_SUCCESS
);
2054 log_unit_warning_errno(UNIT(s
), r
, "Failed to kill processes: %m");
2056 if (IN_SET(state
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_STOP_PRE_SIGKILL
))
2057 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2059 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2062 static void socket_enter_stop_pre(Socket
*s
, SocketResult f
) {
2066 if (s
->result
== SOCKET_SUCCESS
)
2069 socket_unwatch_control_pid(s
);
2070 s
->control_command_id
= SOCKET_EXEC_STOP_PRE
;
2071 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_PRE
];
2073 if (s
->control_command
) {
2074 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2078 socket_set_state(s
, SOCKET_STOP_PRE
);
2080 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2085 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'stop-pre' task: %m");
2086 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2089 static void socket_enter_listening(Socket
*s
) {
2093 r
= socket_watch_fds(s
);
2095 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch sockets: %m");
2099 socket_set_state(s
, SOCKET_LISTENING
);
2103 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2106 static void socket_enter_start_post(Socket
*s
) {
2110 socket_unwatch_control_pid(s
);
2111 s
->control_command_id
= SOCKET_EXEC_START_POST
;
2112 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_POST
];
2114 if (s
->control_command
) {
2115 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2117 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'start-post' task: %m");
2121 socket_set_state(s
, SOCKET_START_POST
);
2123 socket_enter_listening(s
);
2128 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2131 static void socket_enter_start_chown(Socket
*s
) {
2136 r
= socket_open_fds(s
);
2138 log_unit_warning_errno(UNIT(s
), r
, "Failed to listen on sockets: %m");
2142 if (!isempty(s
->user
) || !isempty(s
->group
)) {
2144 socket_unwatch_control_pid(s
);
2145 s
->control_command_id
= SOCKET_EXEC_START_CHOWN
;
2146 s
->control_command
= NULL
;
2148 r
= socket_chown(s
, &s
->control_pid
);
2150 log_unit_warning_errno(UNIT(s
), r
, "Failed to fork 'start-chown' task: %m");
2154 socket_set_state(s
, SOCKET_START_CHOWN
);
2156 socket_enter_start_post(s
);
2161 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2164 static void socket_enter_start_pre(Socket
*s
) {
2168 socket_unwatch_control_pid(s
);
2170 unit_warn_leftover_processes(UNIT(s
));
2172 s
->control_command_id
= SOCKET_EXEC_START_PRE
;
2173 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_PRE
];
2175 if (s
->control_command
) {
2176 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2178 log_unit_warning_errno(UNIT(s
), r
, "Failed to run 'start-pre' task: %m");
2182 socket_set_state(s
, SOCKET_START_PRE
);
2184 socket_enter_start_chown(s
);
2189 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2192 static void flush_ports(Socket
*s
) {
2195 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2198 LIST_FOREACH(port
, p
, s
->ports
) {
2202 (void) flush_accept(p
->fd
);
2203 (void) flush_fd(p
->fd
);
2207 static void socket_enter_running(Socket
*s
, int cfd
) {
2208 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
2211 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2216 /* We don't take connections anymore if we are supposed to shut down anyway */
2217 if (unit_stop_pending(UNIT(s
))) {
2219 log_unit_debug(UNIT(s
), "Suppressing connection request since unit stop is scheduled.");
2229 if (!ratelimit_below(&s
->trigger_limit
)) {
2230 log_unit_warning(UNIT(s
), "Trigger limit hit, refusing further activation.");
2231 socket_enter_stop_pre(s
, SOCKET_FAILURE_TRIGGER_LIMIT_HIT
);
2236 bool pending
= false;
2241 /* If there's already a start pending don't bother to
2243 HASHMAP_FOREACH_KEY(v
, other
, UNIT(s
)->dependencies
[UNIT_TRIGGERS
], i
)
2244 if (unit_active_or_pending(other
)) {
2250 if (!UNIT_ISSET(s
->service
)) {
2251 log_unit_error(UNIT(s
), "Service to activate vanished, refusing activation.");
2256 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT_DEREF(s
->service
), JOB_REPLACE
, &error
, NULL
);
2261 socket_set_state(s
, SOCKET_RUNNING
);
2263 _cleanup_free_
char *prefix
= NULL
, *instance
= NULL
, *name
= NULL
;
2264 _cleanup_(socket_peer_unrefp
) SocketPeer
*p
= NULL
;
2267 if (s
->n_connections
>= s
->max_connections
) {
2268 log_unit_warning(UNIT(s
), "Too many incoming connections (%u), dropping connection.",
2273 if (s
->max_connections_per_source
> 0) {
2274 r
= socket_acquire_peer(s
, cfd
, &p
);
2277 } else if (r
> 0 && p
->n_ref
> s
->max_connections_per_source
) {
2278 _cleanup_free_
char *t
= NULL
;
2280 (void) sockaddr_pretty(&p
->peer
.sa
, p
->peer_salen
, true, false, &t
);
2282 log_unit_warning(UNIT(s
),
2283 "Too many incoming connections (%u) from source %s, dropping connection.",
2284 p
->n_ref
, strnull(t
));
2289 r
= socket_instantiate_service(s
);
2293 r
= instance_from_socket(cfd
, s
->n_accepted
, &instance
);
2298 /* ENOTCONN is legitimate if TCP RST was received.
2299 * This connection is over, but the socket unit lives on. */
2300 log_unit_debug(UNIT(s
), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2304 r
= unit_name_to_prefix(UNIT(s
)->id
, &prefix
);
2308 r
= unit_name_build(prefix
, instance
, ".service", &name
);
2312 r
= unit_add_name(UNIT_DEREF(s
->service
), name
);
2316 service
= SERVICE(UNIT_DEREF(s
->service
));
2317 unit_ref_unset(&s
->service
);
2320 unit_choose_id(UNIT(service
), name
);
2322 r
= service_set_socket_fd(service
, cfd
, s
, s
->selinux_context_from_net
);
2326 cfd
= -1; /* We passed ownership of the fd to the service now. Forget it here. */
2329 service
->peer
= TAKE_PTR(p
); /* Pass ownership of the peer reference */
2331 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT(service
), JOB_REPLACE
, &error
, NULL
);
2333 /* We failed to activate the new service, but it still exists. Let's make sure the service
2334 * closes and forgets the connection fd again, immediately. */
2335 service_close_socket_fd(service
);
2339 /* Notify clients about changed counters */
2340 unit_add_to_dbus_queue(UNIT(s
));
2351 log_unit_warning(UNIT(s
), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2352 cfd
>= 0 ? "template" : "non-template",
2353 bus_error_message(&error
, r
));
2355 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2359 static void socket_run_next(Socket
*s
) {
2363 assert(s
->control_command
);
2364 assert(s
->control_command
->command_next
);
2366 socket_unwatch_control_pid(s
);
2368 s
->control_command
= s
->control_command
->command_next
;
2370 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2377 log_unit_warning_errno(UNIT(s
), r
, "Failed to run next task: %m");
2379 if (s
->state
== SOCKET_START_POST
)
2380 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2381 else if (s
->state
== SOCKET_STOP_POST
)
2382 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2384 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2387 static int socket_start(Unit
*u
) {
2388 Socket
*s
= SOCKET(u
);
2393 /* We cannot fulfill this request right now, try again later
2395 if (IN_SET(s
->state
,
2397 SOCKET_STOP_PRE_SIGKILL
,
2398 SOCKET_STOP_PRE_SIGTERM
,
2400 SOCKET_FINAL_SIGTERM
,
2401 SOCKET_FINAL_SIGKILL
))
2404 /* Already on it! */
2405 if (IN_SET(s
->state
,
2411 /* Cannot run this without the service being around */
2412 if (UNIT_ISSET(s
->service
)) {
2415 service
= SERVICE(UNIT_DEREF(s
->service
));
2417 if (UNIT(service
)->load_state
!= UNIT_LOADED
) {
2418 log_unit_error(u
, "Socket service %s not loaded, refusing.", UNIT(service
)->id
);
2422 /* If the service is already active we cannot start the
2424 if (!IN_SET(service
->state
, SERVICE_DEAD
, SERVICE_FAILED
, SERVICE_AUTO_RESTART
)) {
2425 log_unit_error(u
, "Socket service %s already active, refusing.", UNIT(service
)->id
);
2430 assert(IN_SET(s
->state
, SOCKET_DEAD
, SOCKET_FAILED
));
2432 r
= unit_start_limit_test(u
);
2434 socket_enter_dead(s
, SOCKET_FAILURE_START_LIMIT_HIT
);
2438 r
= unit_acquire_invocation_id(u
);
2442 s
->result
= SOCKET_SUCCESS
;
2443 exec_command_reset_status_list_array(s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
);
2445 u
->reset_accounting
= true;
2447 socket_enter_start_pre(s
);
2451 static int socket_stop(Unit
*u
) {
2452 Socket
*s
= SOCKET(u
);
2457 if (IN_SET(s
->state
,
2459 SOCKET_STOP_PRE_SIGTERM
,
2460 SOCKET_STOP_PRE_SIGKILL
,
2462 SOCKET_FINAL_SIGTERM
,
2463 SOCKET_FINAL_SIGKILL
))
2466 /* If there's already something running we go directly into
2468 if (IN_SET(s
->state
,
2471 SOCKET_START_POST
)) {
2472 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_SUCCESS
);
2476 assert(IN_SET(s
->state
, SOCKET_LISTENING
, SOCKET_RUNNING
));
2478 socket_enter_stop_pre(s
, SOCKET_SUCCESS
);
2482 static int socket_serialize(Unit
*u
, FILE *f
, FDSet
*fds
) {
2483 Socket
*s
= SOCKET(u
);
2491 unit_serialize_item(u
, f
, "state", socket_state_to_string(s
->state
));
2492 unit_serialize_item(u
, f
, "result", socket_result_to_string(s
->result
));
2493 unit_serialize_item_format(u
, f
, "n-accepted", "%u", s
->n_accepted
);
2494 unit_serialize_item_format(u
, f
, "n-refused", "%u", s
->n_refused
);
2496 if (s
->control_pid
> 0)
2497 unit_serialize_item_format(u
, f
, "control-pid", PID_FMT
, s
->control_pid
);
2499 if (s
->control_command_id
>= 0)
2500 unit_serialize_item(u
, f
, "control-command", socket_exec_command_to_string(s
->control_command_id
));
2502 LIST_FOREACH(port
, p
, s
->ports
) {
2508 copy
= fdset_put_dup(fds
, p
->fd
);
2512 if (p
->type
== SOCKET_SOCKET
) {
2513 _cleanup_free_
char *t
= NULL
;
2515 r
= socket_address_print(&p
->address
, &t
);
2519 if (socket_address_family(&p
->address
) == AF_NETLINK
)
2520 unit_serialize_item_format(u
, f
, "netlink", "%i %s", copy
, t
);
2522 unit_serialize_item_format(u
, f
, "socket", "%i %i %s", copy
, p
->address
.type
, t
);
2524 } else if (p
->type
== SOCKET_SPECIAL
)
2525 unit_serialize_item_format(u
, f
, "special", "%i %s", copy
, p
->path
);
2526 else if (p
->type
== SOCKET_MQUEUE
)
2527 unit_serialize_item_format(u
, f
, "mqueue", "%i %s", copy
, p
->path
);
2528 else if (p
->type
== SOCKET_USB_FUNCTION
)
2529 unit_serialize_item_format(u
, f
, "ffs", "%i %s", copy
, p
->path
);
2531 assert(p
->type
== SOCKET_FIFO
);
2532 unit_serialize_item_format(u
, f
, "fifo", "%i %s", copy
, p
->path
);
2539 static void socket_port_take_fd(SocketPort
*p
, FDSet
*fds
, int fd
) {
2541 p
->fd
= fdset_remove(fds
, fd
);
2544 static int socket_deserialize_item(Unit
*u
, const char *key
, const char *value
, FDSet
*fds
) {
2545 Socket
*s
= SOCKET(u
);
2551 if (streq(key
, "state")) {
2554 state
= socket_state_from_string(value
);
2556 log_unit_debug(u
, "Failed to parse state value: %s", value
);
2558 s
->deserialized_state
= state
;
2559 } else if (streq(key
, "result")) {
2562 f
= socket_result_from_string(value
);
2564 log_unit_debug(u
, "Failed to parse result value: %s", value
);
2565 else if (f
!= SOCKET_SUCCESS
)
2568 } else if (streq(key
, "n-accepted")) {
2571 if (safe_atou(value
, &k
) < 0)
2572 log_unit_debug(u
, "Failed to parse n-accepted value: %s", value
);
2575 } else if (streq(key
, "n-refused")) {
2578 if (safe_atou(value
, &k
) < 0)
2579 log_unit_debug(u
, "Failed to parse n-refused value: %s", value
);
2582 } else if (streq(key
, "control-pid")) {
2585 if (parse_pid(value
, &pid
) < 0)
2586 log_unit_debug(u
, "Failed to parse control-pid value: %s", value
);
2588 s
->control_pid
= pid
;
2589 } else if (streq(key
, "control-command")) {
2590 SocketExecCommand id
;
2592 id
= socket_exec_command_from_string(value
);
2594 log_unit_debug(u
, "Failed to parse exec-command value: %s", value
);
2596 s
->control_command_id
= id
;
2597 s
->control_command
= s
->exec_command
[id
];
2599 } else if (streq(key
, "fifo")) {
2603 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2604 log_unit_debug(u
, "Failed to parse fifo value: %s", value
);
2606 LIST_FOREACH(port
, p
, s
->ports
)
2607 if (p
->type
== SOCKET_FIFO
&&
2608 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2609 socket_port_take_fd(p
, fds
, fd
);
2613 } else if (streq(key
, "special")) {
2617 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2618 log_unit_debug(u
, "Failed to parse special value: %s", value
);
2620 LIST_FOREACH(port
, p
, s
->ports
)
2621 if (p
->type
== SOCKET_SPECIAL
&&
2622 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2623 socket_port_take_fd(p
, fds
, fd
);
2627 } else if (streq(key
, "mqueue")) {
2631 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2632 log_unit_debug(u
, "Failed to parse mqueue value: %s", value
);
2634 LIST_FOREACH(port
, p
, s
->ports
)
2635 if (p
->type
== SOCKET_MQUEUE
&&
2636 streq(p
->path
, value
+skip
)) {
2637 socket_port_take_fd(p
, fds
, fd
);
2641 } else if (streq(key
, "socket")) {
2642 int fd
, type
, skip
= 0;
2645 if (sscanf(value
, "%i %i %n", &fd
, &type
, &skip
) < 2 || fd
< 0 || type
< 0 || !fdset_contains(fds
, fd
))
2646 log_unit_debug(u
, "Failed to parse socket value: %s", value
);
2648 LIST_FOREACH(port
, p
, s
->ports
)
2649 if (socket_address_is(&p
->address
, value
+skip
, type
)) {
2650 socket_port_take_fd(p
, fds
, fd
);
2654 } else if (streq(key
, "netlink")) {
2658 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2659 log_unit_debug(u
, "Failed to parse socket value: %s", value
);
2661 LIST_FOREACH(port
, p
, s
->ports
)
2662 if (socket_address_is_netlink(&p
->address
, value
+skip
)) {
2663 socket_port_take_fd(p
, fds
, fd
);
2667 } else if (streq(key
, "ffs")) {
2671 if (sscanf(value
, "%i %n", &fd
, &skip
) < 1 || fd
< 0 || !fdset_contains(fds
, fd
))
2672 log_unit_debug(u
, "Failed to parse ffs value: %s", value
);
2674 LIST_FOREACH(port
, p
, s
->ports
)
2675 if (p
->type
== SOCKET_USB_FUNCTION
&&
2676 path_equal_or_files_same(p
->path
, value
+skip
, 0)) {
2677 socket_port_take_fd(p
, fds
, fd
);
2682 log_unit_debug(UNIT(s
), "Unknown serialization key: %s", key
);
2687 static void socket_distribute_fds(Unit
*u
, FDSet
*fds
) {
2688 Socket
*s
= SOCKET(u
);
2693 LIST_FOREACH(port
, p
, s
->ports
) {
2697 if (p
->type
!= SOCKET_SOCKET
)
2703 FDSET_FOREACH(fd
, fds
, i
) {
2704 if (socket_address_matches_fd(&p
->address
, fd
)) {
2705 p
->fd
= fdset_remove(fds
, fd
);
2706 s
->deserialized_state
= SOCKET_LISTENING
;
2713 _pure_
static UnitActiveState
socket_active_state(Unit
*u
) {
2716 return state_translation_table
[SOCKET(u
)->state
];
2719 _pure_
static const char *socket_sub_state_to_string(Unit
*u
) {
2722 return socket_state_to_string(SOCKET(u
)->state
);
2725 const char* socket_port_type_to_string(SocketPort
*p
) {
2733 switch (p
->address
.type
) {
2741 case SOCK_SEQPACKET
:
2742 return "SequentialPacket";
2745 if (socket_address_family(&p
->address
) == AF_NETLINK
)
2753 case SOCKET_SPECIAL
:
2757 return "MessageQueue";
2762 case SOCKET_USB_FUNCTION
:
2763 return "USBFunction";
2770 SocketType
socket_port_type_from_string(const char *s
) {
2773 if (STR_IN_SET(s
, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2774 return SOCKET_SOCKET
;
2775 else if (streq(s
, "Special"))
2776 return SOCKET_SPECIAL
;
2777 else if (streq(s
, "MessageQueue"))
2778 return SOCKET_MQUEUE
;
2779 else if (streq(s
, "FIFO"))
2781 else if (streq(s
, "USBFunction"))
2782 return SOCKET_USB_FUNCTION
;
2784 return _SOCKET_TYPE_INVALID
;
2787 _pure_
static bool socket_may_gc(Unit
*u
) {
2788 Socket
*s
= SOCKET(u
);
2792 return s
->n_connections
== 0;
2795 static int socket_accept_do(Socket
*s
, int fd
) {
2802 cfd
= accept4(fd
, NULL
, NULL
, SOCK_NONBLOCK
);
2816 static int socket_accept_in_cgroup(Socket
*s
, SocketPort
*p
, int fd
) {
2817 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
2825 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2826 * connection socket is also properly associated with the cgroup. */
2828 if (!IN_SET(p
->address
.sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
))
2831 r
= bpf_firewall_supported();
2834 if (r
== BPF_FIREWALL_UNSUPPORTED
)
2837 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
2838 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
2840 r
= unit_fork_helper_process(UNIT(s
), "(sd-accept)", &pid
);
2842 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off accept stub process: %m");
2846 pair
[0] = safe_close(pair
[0]);
2848 cfd
= socket_accept_do(s
, fd
);
2850 log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
2851 _exit(EXIT_FAILURE
);
2854 r
= send_one_fd(pair
[1], cfd
, 0);
2856 log_unit_error_errno(UNIT(s
), r
, "Failed to send connection socket to parent: %m");
2857 _exit(EXIT_FAILURE
);
2860 _exit(EXIT_SUCCESS
);
2863 pair
[1] = safe_close(pair
[1]);
2864 cfd
= receive_one_fd(pair
[0], 0);
2866 /* We synchronously wait for the helper, as it shouldn't be slow */
2867 r
= wait_for_terminate_and_check("(sd-accept)", pid
, WAIT_LOG_ABNORMAL
);
2874 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to receive connection socket: %m");
2879 cfd
= socket_accept_do(s
, fd
);
2881 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
2886 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
2887 SocketPort
*p
= userdata
;
2893 if (p
->socket
->state
!= SOCKET_LISTENING
)
2896 log_unit_debug(UNIT(p
->socket
), "Incoming traffic");
2898 if (revents
!= EPOLLIN
) {
2900 if (revents
& EPOLLHUP
)
2901 log_unit_error(UNIT(p
->socket
), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2903 log_unit_error(UNIT(p
->socket
), "Got unexpected poll event (0x%x) on socket.", revents
);
2907 if (p
->socket
->accept
&&
2908 p
->type
== SOCKET_SOCKET
&&
2909 socket_address_can_accept(&p
->address
)) {
2911 cfd
= socket_accept_in_cgroup(p
->socket
, p
, fd
);
2915 socket_apply_socket_options(p
->socket
, cfd
);
2918 socket_enter_running(p
->socket
, cfd
);
2922 socket_enter_stop_pre(p
->socket
, SOCKET_FAILURE_RESOURCES
);
2926 static void socket_sigchld_event(Unit
*u
, pid_t pid
, int code
, int status
) {
2927 Socket
*s
= SOCKET(u
);
2933 if (pid
!= s
->control_pid
)
2938 if (is_clean_exit(code
, status
, EXIT_CLEAN_COMMAND
, NULL
))
2940 else if (code
== CLD_EXITED
)
2941 f
= SOCKET_FAILURE_EXIT_CODE
;
2942 else if (code
== CLD_KILLED
)
2943 f
= SOCKET_FAILURE_SIGNAL
;
2944 else if (code
== CLD_DUMPED
)
2945 f
= SOCKET_FAILURE_CORE_DUMP
;
2947 assert_not_reached("Unknown sigchld code");
2949 if (s
->control_command
) {
2950 exec_status_exit(&s
->control_command
->exec_status
, &s
->exec_context
, pid
, code
, status
);
2952 if (s
->control_command
->flags
& EXEC_COMMAND_IGNORE_FAILURE
)
2956 log_unit_full(u
, f
== SOCKET_SUCCESS
? LOG_DEBUG
: LOG_NOTICE
, 0,
2957 "Control process exited, code=%s status=%i",
2958 sigchld_code_to_string(code
), status
);
2960 if (s
->result
== SOCKET_SUCCESS
)
2963 if (s
->control_command
&&
2964 s
->control_command
->command_next
&&
2965 f
== SOCKET_SUCCESS
) {
2967 log_unit_debug(u
, "Running next command for state %s", socket_state_to_string(s
->state
));
2970 s
->control_command
= NULL
;
2971 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
2973 /* No further commands for this step, so let's figure
2974 * out what to do next */
2976 log_unit_debug(u
, "Got final SIGCHLD for state %s", socket_state_to_string(s
->state
));
2980 case SOCKET_START_PRE
:
2981 if (f
== SOCKET_SUCCESS
)
2982 socket_enter_start_chown(s
);
2984 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, f
);
2987 case SOCKET_START_CHOWN
:
2988 if (f
== SOCKET_SUCCESS
)
2989 socket_enter_start_post(s
);
2991 socket_enter_stop_pre(s
, f
);
2994 case SOCKET_START_POST
:
2995 if (f
== SOCKET_SUCCESS
)
2996 socket_enter_listening(s
);
2998 socket_enter_stop_pre(s
, f
);
3001 case SOCKET_STOP_PRE
:
3002 case SOCKET_STOP_PRE_SIGTERM
:
3003 case SOCKET_STOP_PRE_SIGKILL
:
3004 socket_enter_stop_post(s
, f
);
3007 case SOCKET_STOP_POST
:
3008 case SOCKET_FINAL_SIGTERM
:
3009 case SOCKET_FINAL_SIGKILL
:
3010 socket_enter_dead(s
, f
);
3014 assert_not_reached("Uh, control process died at wrong time.");
3018 /* Notify clients about changed exit status */
3019 unit_add_to_dbus_queue(u
);
3022 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
) {
3023 Socket
*s
= SOCKET(userdata
);
3026 assert(s
->timer_event_source
== source
);
3030 case SOCKET_START_PRE
:
3031 log_unit_warning(UNIT(s
), "Starting timed out. Terminating.");
3032 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3035 case SOCKET_START_CHOWN
:
3036 case SOCKET_START_POST
:
3037 log_unit_warning(UNIT(s
), "Starting timed out. Stopping.");
3038 socket_enter_stop_pre(s
, SOCKET_FAILURE_TIMEOUT
);
3041 case SOCKET_STOP_PRE
:
3042 log_unit_warning(UNIT(s
), "Stopping timed out. Terminating.");
3043 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3046 case SOCKET_STOP_PRE_SIGTERM
:
3047 if (s
->kill_context
.send_sigkill
) {
3048 log_unit_warning(UNIT(s
), "Stopping timed out. Killing.");
3049 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3051 log_unit_warning(UNIT(s
), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3052 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3056 case SOCKET_STOP_PRE_SIGKILL
:
3057 log_unit_warning(UNIT(s
), "Processes still around after SIGKILL. Ignoring.");
3058 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3061 case SOCKET_STOP_POST
:
3062 log_unit_warning(UNIT(s
), "Stopping timed out (2). Terminating.");
3063 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3066 case SOCKET_FINAL_SIGTERM
:
3067 if (s
->kill_context
.send_sigkill
) {
3068 log_unit_warning(UNIT(s
), "Stopping timed out (2). Killing.");
3069 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3071 log_unit_warning(UNIT(s
), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3072 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3076 case SOCKET_FINAL_SIGKILL
:
3077 log_unit_warning(UNIT(s
), "Still around after SIGKILL (2). Entering failed mode.");
3078 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3082 assert_not_reached("Timeout at wrong time.");
3088 int socket_collect_fds(Socket
*s
, int **fds
) {
3089 size_t k
= 0, n
= 0;
3096 /* Called from the service code for requesting our fds */
3098 LIST_FOREACH(port
, p
, s
->ports
) {
3101 n
+= p
->n_auxiliary_fds
;
3113 LIST_FOREACH(port
, p
, s
->ports
) {
3118 for (i
= 0; i
< p
->n_auxiliary_fds
; ++i
)
3119 rfds
[k
++] = p
->auxiliary_fds
[i
];
3128 static void socket_reset_failed(Unit
*u
) {
3129 Socket
*s
= SOCKET(u
);
3133 if (s
->state
== SOCKET_FAILED
)
3134 socket_set_state(s
, SOCKET_DEAD
);
3136 s
->result
= SOCKET_SUCCESS
;
3139 void socket_connection_unref(Socket
*s
) {
3142 /* The service is dead. Yay!
3144 * This is strictly for one-instance-per-connection
3147 assert(s
->n_connections
> 0);
3150 log_unit_debug(UNIT(s
), "One connection closed, %u left.", s
->n_connections
);
3153 static void socket_trigger_notify(Unit
*u
, Unit
*other
) {
3154 Socket
*s
= SOCKET(u
);
3159 /* Filter out invocations with bogus state */
3160 if (other
->load_state
!= UNIT_LOADED
|| other
->type
!= UNIT_SERVICE
)
3163 /* Don't propagate state changes from the service if we are already down */
3164 if (!IN_SET(s
->state
, SOCKET_RUNNING
, SOCKET_LISTENING
))
3167 /* We don't care for the service state if we are in Accept=yes mode */
3171 /* Propagate start limit hit state */
3172 if (other
->start_limit_hit
) {
3173 socket_enter_stop_pre(s
, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
);
3177 /* Don't propagate anything if there's still a job queued */
3181 if (IN_SET(SERVICE(other
)->state
,
3182 SERVICE_DEAD
, SERVICE_FAILED
,
3183 SERVICE_FINAL_SIGTERM
, SERVICE_FINAL_SIGKILL
,
3184 SERVICE_AUTO_RESTART
))
3185 socket_enter_listening(s
);
3187 if (SERVICE(other
)->state
== SERVICE_RUNNING
)
3188 socket_set_state(s
, SOCKET_RUNNING
);
3191 static int socket_kill(Unit
*u
, KillWho who
, int signo
, sd_bus_error
*error
) {
3192 return unit_kill_common(u
, who
, signo
, -1, SOCKET(u
)->control_pid
, error
);
3195 static int socket_get_timeout(Unit
*u
, usec_t
*timeout
) {
3196 Socket
*s
= SOCKET(u
);
3200 if (!s
->timer_event_source
)
3203 r
= sd_event_source_get_time(s
->timer_event_source
, &t
);
3206 if (t
== USEC_INFINITY
)
3213 char *socket_fdname(Socket
*s
) {
3216 /* Returns the name to use for $LISTEN_NAMES. If the user
3217 * didn't specify anything specifically, use the socket unit's
3218 * name as fallback. */
3220 return s
->fdname
?: UNIT(s
)->id
;
3223 static int socket_control_pid(Unit
*u
) {
3224 Socket
*s
= SOCKET(u
);
3228 return s
->control_pid
;
3231 static const char* const socket_exec_command_table
[_SOCKET_EXEC_COMMAND_MAX
] = {
3232 [SOCKET_EXEC_START_PRE
] = "ExecStartPre",
3233 [SOCKET_EXEC_START_CHOWN
] = "ExecStartChown",
3234 [SOCKET_EXEC_START_POST
] = "ExecStartPost",
3235 [SOCKET_EXEC_STOP_PRE
] = "ExecStopPre",
3236 [SOCKET_EXEC_STOP_POST
] = "ExecStopPost"
3239 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command
, SocketExecCommand
);
3241 static const char* const socket_result_table
[_SOCKET_RESULT_MAX
] = {
3242 [SOCKET_SUCCESS
] = "success",
3243 [SOCKET_FAILURE_RESOURCES
] = "resources",
3244 [SOCKET_FAILURE_TIMEOUT
] = "timeout",
3245 [SOCKET_FAILURE_EXIT_CODE
] = "exit-code",
3246 [SOCKET_FAILURE_SIGNAL
] = "signal",
3247 [SOCKET_FAILURE_CORE_DUMP
] = "core-dump",
3248 [SOCKET_FAILURE_START_LIMIT_HIT
] = "start-limit-hit",
3249 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT
] = "trigger-limit-hit",
3250 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
] = "service-start-limit-hit"
3253 DEFINE_STRING_TABLE_LOOKUP(socket_result
, SocketResult
);
3255 const UnitVTable socket_vtable
= {
3256 .object_size
= sizeof(Socket
),
3257 .exec_context_offset
= offsetof(Socket
, exec_context
),
3258 .cgroup_context_offset
= offsetof(Socket
, cgroup_context
),
3259 .kill_context_offset
= offsetof(Socket
, kill_context
),
3260 .exec_runtime_offset
= offsetof(Socket
, exec_runtime
),
3261 .dynamic_creds_offset
= offsetof(Socket
, dynamic_creds
),
3267 .private_section
= "Socket",
3269 .can_transient
= true,
3271 .init
= socket_init
,
3272 .done
= socket_done
,
3273 .load
= socket_load
,
3275 .coldplug
= socket_coldplug
,
3277 .dump
= socket_dump
,
3279 .start
= socket_start
,
3280 .stop
= socket_stop
,
3282 .kill
= socket_kill
,
3284 .get_timeout
= socket_get_timeout
,
3286 .serialize
= socket_serialize
,
3287 .deserialize_item
= socket_deserialize_item
,
3288 .distribute_fds
= socket_distribute_fds
,
3290 .active_state
= socket_active_state
,
3291 .sub_state_to_string
= socket_sub_state_to_string
,
3293 .may_gc
= socket_may_gc
,
3295 .sigchld_event
= socket_sigchld_event
,
3297 .trigger_notify
= socket_trigger_notify
,
3299 .reset_failed
= socket_reset_failed
,
3301 .control_pid
= socket_control_pid
,
3303 .bus_vtable
= bus_socket_vtable
,
3304 .bus_set_property
= bus_socket_set_property
,
3305 .bus_commit_properties
= bus_socket_commit_properties
,
3307 .status_message_formats
= {
3308 /*.starting_stopping = {
3309 [0] = "Starting socket %s...",
3310 [1] = "Stopping socket %s...",
3312 .finished_start_job
= {
3313 [JOB_DONE
] = "Listening on %s.",
3314 [JOB_FAILED
] = "Failed to listen on %s.",
3315 [JOB_TIMEOUT
] = "Timed out starting %s.",
3317 .finished_stop_job
= {
3318 [JOB_DONE
] = "Closed %s.",
3319 [JOB_FAILED
] = "Failed stopping %s.",
3320 [JOB_TIMEOUT
] = "Timed out stopping %s.",