]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
resolve: set IP_RECVERR
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <arpa/inet.h>
4 #include <errno.h>
5 #include <fcntl.h>
6 #include <mqueue.h>
7 #include <netinet/tcp.h>
8 #include <signal.h>
9 #include <sys/epoll.h>
10 #include <sys/stat.h>
11 #include <unistd.h>
12 #include <linux/sctp.h>
13
14 #include "alloc-util.h"
15 #include "bpf-firewall.h"
16 #include "bus-error.h"
17 #include "bus-util.h"
18 #include "copy.h"
19 #include "dbus-socket.h"
20 #include "def.h"
21 #include "exit-status.h"
22 #include "fd-util.h"
23 #include "format-util.h"
24 #include "fs-util.h"
25 #include "in-addr-util.h"
26 #include "io-util.h"
27 #include "label.h"
28 #include "log.h"
29 #include "missing.h"
30 #include "mkdir.h"
31 #include "parse-util.h"
32 #include "path-util.h"
33 #include "process-util.h"
34 #include "selinux-util.h"
35 #include "signal-util.h"
36 #include "smack-util.h"
37 #include "socket.h"
38 #include "socket-protocol-list.h"
39 #include "special.h"
40 #include "string-table.h"
41 #include "string-util.h"
42 #include "strv.h"
43 #include "unit-name.h"
44 #include "unit.h"
45 #include "user-util.h"
46
47 struct SocketPeer {
48 unsigned n_ref;
49
50 Socket *socket;
51 union sockaddr_union peer;
52 socklen_t peer_salen;
53 };
54
55 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
56 [SOCKET_DEAD] = UNIT_INACTIVE,
57 [SOCKET_START_PRE] = UNIT_ACTIVATING,
58 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
59 [SOCKET_START_POST] = UNIT_ACTIVATING,
60 [SOCKET_LISTENING] = UNIT_ACTIVE,
61 [SOCKET_RUNNING] = UNIT_ACTIVE,
62 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
63 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
64 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
65 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
66 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
67 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
68 [SOCKET_FAILED] = UNIT_FAILED
69 };
70
71 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
72 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
73
74 static void socket_init(Unit *u) {
75 Socket *s = SOCKET(u);
76
77 assert(u);
78 assert(u->load_state == UNIT_STUB);
79
80 s->backlog = SOMAXCONN;
81 s->timeout_usec = u->manager->default_timeout_start_usec;
82 s->directory_mode = 0755;
83 s->socket_mode = 0666;
84
85 s->max_connections = 64;
86
87 s->priority = -1;
88 s->ip_tos = -1;
89 s->ip_ttl = -1;
90 s->mark = -1;
91
92 s->exec_context.std_output = u->manager->default_std_output;
93 s->exec_context.std_error = u->manager->default_std_error;
94
95 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
96
97 s->trigger_limit.interval = USEC_INFINITY;
98 s->trigger_limit.burst = (unsigned) -1;
99 }
100
101 static void socket_unwatch_control_pid(Socket *s) {
102 assert(s);
103
104 if (s->control_pid <= 0)
105 return;
106
107 unit_unwatch_pid(UNIT(s), s->control_pid);
108 s->control_pid = 0;
109 }
110
111 static void socket_cleanup_fd_list(SocketPort *p) {
112 assert(p);
113
114 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
115 p->auxiliary_fds = mfree(p->auxiliary_fds);
116 p->n_auxiliary_fds = 0;
117 }
118
119 void socket_free_ports(Socket *s) {
120 SocketPort *p;
121
122 assert(s);
123
124 while ((p = s->ports)) {
125 LIST_REMOVE(port, s->ports, p);
126
127 sd_event_source_unref(p->event_source);
128
129 socket_cleanup_fd_list(p);
130 safe_close(p->fd);
131 free(p->path);
132 free(p);
133 }
134 }
135
136 static void socket_done(Unit *u) {
137 Socket *s = SOCKET(u);
138 SocketPeer *p;
139
140 assert(s);
141
142 socket_free_ports(s);
143
144 while ((p = set_steal_first(s->peers_by_address)))
145 p->socket = NULL;
146
147 s->peers_by_address = set_free(s->peers_by_address);
148
149 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
150 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
151 s->control_command = NULL;
152
153 dynamic_creds_unref(&s->dynamic_creds);
154
155 socket_unwatch_control_pid(s);
156
157 unit_ref_unset(&s->service);
158
159 s->tcp_congestion = mfree(s->tcp_congestion);
160 s->bind_to_device = mfree(s->bind_to_device);
161
162 s->smack = mfree(s->smack);
163 s->smack_ip_in = mfree(s->smack_ip_in);
164 s->smack_ip_out = mfree(s->smack_ip_out);
165
166 strv_free(s->symlinks);
167
168 s->user = mfree(s->user);
169 s->group = mfree(s->group);
170
171 s->fdname = mfree(s->fdname);
172
173 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
174 }
175
176 static int socket_arm_timer(Socket *s, usec_t usec) {
177 int r;
178
179 assert(s);
180
181 if (s->timer_event_source) {
182 r = sd_event_source_set_time(s->timer_event_source, usec);
183 if (r < 0)
184 return r;
185
186 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
187 }
188
189 if (usec == USEC_INFINITY)
190 return 0;
191
192 r = sd_event_add_time(
193 UNIT(s)->manager->event,
194 &s->timer_event_source,
195 CLOCK_MONOTONIC,
196 usec, 0,
197 socket_dispatch_timer, s);
198 if (r < 0)
199 return r;
200
201 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
202
203 return 0;
204 }
205
206 int socket_instantiate_service(Socket *s) {
207 _cleanup_free_ char *prefix = NULL, *name = NULL;
208 int r;
209 Unit *u;
210
211 assert(s);
212
213 /* This fills in s->service if it isn't filled in yet. For
214 * Accept=yes sockets we create the next connection service
215 * here. For Accept=no this is mostly a NOP since the service
216 * is figured out at load time anyway. */
217
218 if (UNIT_DEREF(s->service))
219 return 0;
220
221 if (!s->accept)
222 return 0;
223
224 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
225 if (r < 0)
226 return r;
227
228 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
229 return -ENOMEM;
230
231 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
232 if (r < 0)
233 return r;
234
235 unit_ref_set(&s->service, UNIT(s), u);
236
237 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
238 }
239
240 static bool have_non_accept_socket(Socket *s) {
241 SocketPort *p;
242
243 assert(s);
244
245 if (!s->accept)
246 return true;
247
248 LIST_FOREACH(port, p, s->ports) {
249
250 if (p->type != SOCKET_SOCKET)
251 return true;
252
253 if (!socket_address_can_accept(&p->address))
254 return true;
255 }
256
257 return false;
258 }
259
260 static int socket_add_mount_dependencies(Socket *s) {
261 SocketPort *p;
262 int r;
263
264 assert(s);
265
266 LIST_FOREACH(port, p, s->ports) {
267 const char *path = NULL;
268
269 if (p->type == SOCKET_SOCKET)
270 path = socket_address_get_path(&p->address);
271 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
272 path = p->path;
273
274 if (!path)
275 continue;
276
277 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
278 if (r < 0)
279 return r;
280 }
281
282 return 0;
283 }
284
285 static int socket_add_device_dependencies(Socket *s) {
286 char *t;
287
288 assert(s);
289
290 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
291 return 0;
292
293 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
294 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
295 }
296
297 static int socket_add_default_dependencies(Socket *s) {
298 int r;
299 assert(s);
300
301 if (!UNIT(s)->default_dependencies)
302 return 0;
303
304 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
305 if (r < 0)
306 return r;
307
308 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
309 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
310 if (r < 0)
311 return r;
312 }
313
314 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
315 }
316
317 _pure_ static bool socket_has_exec(Socket *s) {
318 unsigned i;
319 assert(s);
320
321 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
322 if (s->exec_command[i])
323 return true;
324
325 return false;
326 }
327
328 static int socket_add_extras(Socket *s) {
329 Unit *u = UNIT(s);
330 int r;
331
332 assert(s);
333
334 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
335 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
336 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
337 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
338 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
339 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
340 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
341 * service starts are typical. */
342
343 if (s->trigger_limit.interval == USEC_INFINITY)
344 s->trigger_limit.interval = 2 * USEC_PER_SEC;
345
346 if (s->trigger_limit.burst == (unsigned) -1) {
347 if (s->accept)
348 s->trigger_limit.burst = 200;
349 else
350 s->trigger_limit.burst = 20;
351 }
352
353 if (have_non_accept_socket(s)) {
354
355 if (!UNIT_DEREF(s->service)) {
356 Unit *x;
357
358 r = unit_load_related_unit(u, ".service", &x);
359 if (r < 0)
360 return r;
361
362 unit_ref_set(&s->service, u, x);
363 }
364
365 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
366 if (r < 0)
367 return r;
368 }
369
370 r = socket_add_mount_dependencies(s);
371 if (r < 0)
372 return r;
373
374 r = socket_add_device_dependencies(s);
375 if (r < 0)
376 return r;
377
378 r = unit_patch_contexts(u);
379 if (r < 0)
380 return r;
381
382 if (socket_has_exec(s)) {
383 r = unit_add_exec_dependencies(u, &s->exec_context);
384 if (r < 0)
385 return r;
386 }
387
388 r = unit_set_default_slice(u);
389 if (r < 0)
390 return r;
391
392 r = socket_add_default_dependencies(s);
393 if (r < 0)
394 return r;
395
396 return 0;
397 }
398
399 static const char *socket_find_symlink_target(Socket *s) {
400 const char *found = NULL;
401 SocketPort *p;
402
403 LIST_FOREACH(port, p, s->ports) {
404 const char *f = NULL;
405
406 switch (p->type) {
407
408 case SOCKET_FIFO:
409 f = p->path;
410 break;
411
412 case SOCKET_SOCKET:
413 f = socket_address_get_path(&p->address);
414 break;
415
416 default:
417 break;
418 }
419
420 if (f) {
421 if (found)
422 return NULL;
423
424 found = f;
425 }
426 }
427
428 return found;
429 }
430
431 static int socket_verify(Socket *s) {
432 assert(s);
433
434 if (UNIT(s)->load_state != UNIT_LOADED)
435 return 0;
436
437 if (!s->ports) {
438 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
439 return -ENOEXEC;
440 }
441
442 if (s->accept && have_non_accept_socket(s)) {
443 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
444 return -ENOEXEC;
445 }
446
447 if (s->accept && s->max_connections <= 0) {
448 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
449 return -ENOEXEC;
450 }
451
452 if (s->accept && UNIT_DEREF(s->service)) {
453 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
454 return -ENOEXEC;
455 }
456
457 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
458 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
459 return -ENOEXEC;
460 }
461
462 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
463 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
464 return -ENOEXEC;
465 }
466
467 return 0;
468 }
469
470 static void peer_address_hash_func(const void *p, struct siphash *state) {
471 const SocketPeer *s = p;
472
473 assert(s);
474
475 if (s->peer.sa.sa_family == AF_INET)
476 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
477 else if (s->peer.sa.sa_family == AF_INET6)
478 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
479 else if (s->peer.sa.sa_family == AF_VSOCK)
480 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
481 else
482 assert_not_reached("Unknown address family.");
483 }
484
485 static int peer_address_compare_func(const void *a, const void *b) {
486 const SocketPeer *x = a, *y = b;
487 int r;
488
489 r = CMP(x->peer.sa.sa_family, y->peer.sa.sa_family);
490 if (r != 0)
491 return r;
492
493 switch(x->peer.sa.sa_family) {
494 case AF_INET:
495 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
496 case AF_INET6:
497 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
498 case AF_VSOCK:
499 return CMP(x->peer.vm.svm_cid, y->peer.vm.svm_cid);
500 }
501 assert_not_reached("Black sheep in the family!");
502 }
503
504 const struct hash_ops peer_address_hash_ops = {
505 .hash = peer_address_hash_func,
506 .compare = peer_address_compare_func
507 };
508
509 static int socket_load(Unit *u) {
510 Socket *s = SOCKET(u);
511 int r;
512
513 assert(u);
514 assert(u->load_state == UNIT_STUB);
515
516 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
517 if (r < 0)
518 return r;
519
520 r = unit_load_fragment_and_dropin(u);
521 if (r < 0)
522 return r;
523
524 if (u->load_state == UNIT_LOADED) {
525 /* This is a new unit? Then let's add in some extras */
526 r = socket_add_extras(s);
527 if (r < 0)
528 return r;
529 }
530
531 return socket_verify(s);
532 }
533
534 static SocketPeer *socket_peer_new(void) {
535 SocketPeer *p;
536
537 p = new0(SocketPeer, 1);
538 if (!p)
539 return NULL;
540
541 p->n_ref = 1;
542
543 return p;
544 }
545
546 static SocketPeer *socket_peer_free(SocketPeer *p) {
547 assert(p);
548
549 if (p->socket)
550 set_remove(p->socket->peers_by_address, p);
551
552 return mfree(p);
553 }
554
555 DEFINE_TRIVIAL_REF_UNREF_FUNC(SocketPeer, socket_peer, socket_peer_free);
556
557 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
558 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
559 SocketPeer sa = {}, *i;
560 socklen_t salen = sizeof(sa.peer);
561 int r;
562
563 assert(fd >= 0);
564 assert(s);
565
566 r = getpeername(fd, &sa.peer.sa, &salen);
567 if (r < 0)
568 return log_error_errno(errno, "getpeername failed: %m");
569
570 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
571 *p = NULL;
572 return 0;
573 }
574
575 i = set_get(s->peers_by_address, &sa);
576 if (i) {
577 *p = socket_peer_ref(i);
578 return 1;
579 }
580
581 remote = socket_peer_new();
582 if (!remote)
583 return log_oom();
584
585 remote->peer = sa.peer;
586 remote->peer_salen = salen;
587
588 r = set_put(s->peers_by_address, remote);
589 if (r < 0)
590 return r;
591
592 remote->socket = s;
593
594 *p = TAKE_PTR(remote);
595
596 return 1;
597 }
598
599 _const_ static const char* listen_lookup(int family, int type) {
600
601 if (family == AF_NETLINK)
602 return "ListenNetlink";
603
604 if (type == SOCK_STREAM)
605 return "ListenStream";
606 else if (type == SOCK_DGRAM)
607 return "ListenDatagram";
608 else if (type == SOCK_SEQPACKET)
609 return "ListenSequentialPacket";
610
611 assert_not_reached("Unknown socket type");
612 return NULL;
613 }
614
615 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
616 char time_string[FORMAT_TIMESPAN_MAX];
617 SocketExecCommand c;
618 Socket *s = SOCKET(u);
619 SocketPort *p;
620 const char *prefix2, *str;
621
622 assert(s);
623 assert(f);
624
625 prefix = strempty(prefix);
626 prefix2 = strjoina(prefix, "\t");
627
628 fprintf(f,
629 "%sSocket State: %s\n"
630 "%sResult: %s\n"
631 "%sBindIPv6Only: %s\n"
632 "%sBacklog: %u\n"
633 "%sSocketMode: %04o\n"
634 "%sDirectoryMode: %04o\n"
635 "%sKeepAlive: %s\n"
636 "%sNoDelay: %s\n"
637 "%sFreeBind: %s\n"
638 "%sTransparent: %s\n"
639 "%sBroadcast: %s\n"
640 "%sPassCredentials: %s\n"
641 "%sPassSecurity: %s\n"
642 "%sTCPCongestion: %s\n"
643 "%sRemoveOnStop: %s\n"
644 "%sWritable: %s\n"
645 "%sFileDescriptorName: %s\n"
646 "%sSELinuxContextFromNet: %s\n",
647 prefix, socket_state_to_string(s->state),
648 prefix, socket_result_to_string(s->result),
649 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
650 prefix, s->backlog,
651 prefix, s->socket_mode,
652 prefix, s->directory_mode,
653 prefix, yes_no(s->keep_alive),
654 prefix, yes_no(s->no_delay),
655 prefix, yes_no(s->free_bind),
656 prefix, yes_no(s->transparent),
657 prefix, yes_no(s->broadcast),
658 prefix, yes_no(s->pass_cred),
659 prefix, yes_no(s->pass_sec),
660 prefix, strna(s->tcp_congestion),
661 prefix, yes_no(s->remove_on_stop),
662 prefix, yes_no(s->writable),
663 prefix, socket_fdname(s),
664 prefix, yes_no(s->selinux_context_from_net));
665
666 if (s->control_pid > 0)
667 fprintf(f,
668 "%sControl PID: "PID_FMT"\n",
669 prefix, s->control_pid);
670
671 if (s->bind_to_device)
672 fprintf(f,
673 "%sBindToDevice: %s\n",
674 prefix, s->bind_to_device);
675
676 if (s->accept)
677 fprintf(f,
678 "%sAccepted: %u\n"
679 "%sNConnections: %u\n"
680 "%sMaxConnections: %u\n"
681 "%sMaxConnectionsPerSource: %u\n",
682 prefix, s->n_accepted,
683 prefix, s->n_connections,
684 prefix, s->max_connections,
685 prefix, s->max_connections_per_source);
686
687 if (s->priority >= 0)
688 fprintf(f,
689 "%sPriority: %i\n",
690 prefix, s->priority);
691
692 if (s->receive_buffer > 0)
693 fprintf(f,
694 "%sReceiveBuffer: %zu\n",
695 prefix, s->receive_buffer);
696
697 if (s->send_buffer > 0)
698 fprintf(f,
699 "%sSendBuffer: %zu\n",
700 prefix, s->send_buffer);
701
702 if (s->ip_tos >= 0)
703 fprintf(f,
704 "%sIPTOS: %i\n",
705 prefix, s->ip_tos);
706
707 if (s->ip_ttl >= 0)
708 fprintf(f,
709 "%sIPTTL: %i\n",
710 prefix, s->ip_ttl);
711
712 if (s->pipe_size > 0)
713 fprintf(f,
714 "%sPipeSize: %zu\n",
715 prefix, s->pipe_size);
716
717 if (s->mark >= 0)
718 fprintf(f,
719 "%sMark: %i\n",
720 prefix, s->mark);
721
722 if (s->mq_maxmsg > 0)
723 fprintf(f,
724 "%sMessageQueueMaxMessages: %li\n",
725 prefix, s->mq_maxmsg);
726
727 if (s->mq_msgsize > 0)
728 fprintf(f,
729 "%sMessageQueueMessageSize: %li\n",
730 prefix, s->mq_msgsize);
731
732 if (s->reuse_port)
733 fprintf(f,
734 "%sReusePort: %s\n",
735 prefix, yes_no(s->reuse_port));
736
737 if (s->smack)
738 fprintf(f,
739 "%sSmackLabel: %s\n",
740 prefix, s->smack);
741
742 if (s->smack_ip_in)
743 fprintf(f,
744 "%sSmackLabelIPIn: %s\n",
745 prefix, s->smack_ip_in);
746
747 if (s->smack_ip_out)
748 fprintf(f,
749 "%sSmackLabelIPOut: %s\n",
750 prefix, s->smack_ip_out);
751
752 if (!isempty(s->user) || !isempty(s->group))
753 fprintf(f,
754 "%sSocketUser: %s\n"
755 "%sSocketGroup: %s\n",
756 prefix, strna(s->user),
757 prefix, strna(s->group));
758
759 if (s->keep_alive_time > 0)
760 fprintf(f,
761 "%sKeepAliveTimeSec: %s\n",
762 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
763
764 if (s->keep_alive_interval > 0)
765 fprintf(f,
766 "%sKeepAliveIntervalSec: %s\n",
767 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
768
769 if (s->keep_alive_cnt > 0)
770 fprintf(f,
771 "%sKeepAliveProbes: %u\n",
772 prefix, s->keep_alive_cnt);
773
774 if (s->defer_accept > 0)
775 fprintf(f,
776 "%sDeferAcceptSec: %s\n",
777 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
778
779 LIST_FOREACH(port, p, s->ports) {
780
781 switch (p->type) {
782 case SOCKET_SOCKET: {
783 _cleanup_free_ char *k = NULL;
784 const char *t;
785 int r;
786
787 r = socket_address_print(&p->address, &k);
788 if (r < 0)
789 t = strerror(-r);
790 else
791 t = k;
792
793 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
794 break;
795 }
796 case SOCKET_SPECIAL:
797 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
798 break;
799 case SOCKET_USB_FUNCTION:
800 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
801 break;
802 case SOCKET_MQUEUE:
803 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
804 break;
805 default:
806 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
807 }
808 }
809
810 fprintf(f,
811 "%sTriggerLimitIntervalSec: %s\n"
812 "%sTriggerLimitBurst: %u\n",
813 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
814 prefix, s->trigger_limit.burst);
815
816 str = socket_protocol_to_name(s->socket_protocol);
817 if (str)
818 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
819
820 if (!strv_isempty(s->symlinks)) {
821 char **q;
822
823 fprintf(f, "%sSymlinks:", prefix);
824 STRV_FOREACH(q, s->symlinks)
825 fprintf(f, " %s", *q);
826
827 fprintf(f, "\n");
828 }
829
830 fprintf(f,
831 "%sTimeoutSec: %s\n",
832 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
833
834 exec_context_dump(&s->exec_context, f, prefix);
835 kill_context_dump(&s->kill_context, f, prefix);
836
837 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
838 if (!s->exec_command[c])
839 continue;
840
841 fprintf(f, "%s-> %s:\n",
842 prefix, socket_exec_command_to_string(c));
843
844 exec_command_dump_list(s->exec_command[c], f, prefix2);
845 }
846
847 cgroup_context_dump(&s->cgroup_context, f, prefix);
848 }
849
850 static int instance_from_socket(int fd, unsigned nr, char **instance) {
851 socklen_t l;
852 char *r;
853 union sockaddr_union local, remote;
854
855 assert(fd >= 0);
856 assert(instance);
857
858 l = sizeof(local);
859 if (getsockname(fd, &local.sa, &l) < 0)
860 return -errno;
861
862 l = sizeof(remote);
863 if (getpeername(fd, &remote.sa, &l) < 0)
864 return -errno;
865
866 switch (local.sa.sa_family) {
867
868 case AF_INET: {
869 uint32_t
870 a = be32toh(local.in.sin_addr.s_addr),
871 b = be32toh(remote.in.sin_addr.s_addr);
872
873 if (asprintf(&r,
874 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
875 nr,
876 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
877 be16toh(local.in.sin_port),
878 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
879 be16toh(remote.in.sin_port)) < 0)
880 return -ENOMEM;
881
882 break;
883 }
884
885 case AF_INET6: {
886 static const unsigned char ipv4_prefix[] = {
887 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
888 };
889
890 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
891 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
892 const uint8_t
893 *a = local.in6.sin6_addr.s6_addr+12,
894 *b = remote.in6.sin6_addr.s6_addr+12;
895
896 if (asprintf(&r,
897 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
898 nr,
899 a[0], a[1], a[2], a[3],
900 be16toh(local.in6.sin6_port),
901 b[0], b[1], b[2], b[3],
902 be16toh(remote.in6.sin6_port)) < 0)
903 return -ENOMEM;
904 } else {
905 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
906
907 if (asprintf(&r,
908 "%u-%s:%u-%s:%u",
909 nr,
910 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
911 be16toh(local.in6.sin6_port),
912 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
913 be16toh(remote.in6.sin6_port)) < 0)
914 return -ENOMEM;
915 }
916
917 break;
918 }
919
920 case AF_UNIX: {
921 struct ucred ucred;
922 int k;
923
924 k = getpeercred(fd, &ucred);
925 if (k >= 0) {
926 if (asprintf(&r,
927 "%u-"PID_FMT"-"UID_FMT,
928 nr, ucred.pid, ucred.uid) < 0)
929 return -ENOMEM;
930 } else if (k == -ENODATA) {
931 /* This handles the case where somebody is
932 * connecting from another pid/uid namespace
933 * (e.g. from outside of our container). */
934 if (asprintf(&r,
935 "%u-unknown",
936 nr) < 0)
937 return -ENOMEM;
938 } else
939 return k;
940
941 break;
942 }
943
944 case AF_VSOCK:
945 if (asprintf(&r,
946 "%u-%u:%u-%u:%u",
947 nr,
948 local.vm.svm_cid, local.vm.svm_port,
949 remote.vm.svm_cid, remote.vm.svm_port) < 0)
950 return -ENOMEM;
951
952 break;
953
954 default:
955 assert_not_reached("Unhandled socket type.");
956 }
957
958 *instance = r;
959 return 0;
960 }
961
962 static void socket_close_fds(Socket *s) {
963 SocketPort *p;
964 char **i;
965
966 assert(s);
967
968 LIST_FOREACH(port, p, s->ports) {
969 bool was_open;
970
971 was_open = p->fd >= 0;
972
973 p->event_source = sd_event_source_unref(p->event_source);
974 p->fd = safe_close(p->fd);
975 socket_cleanup_fd_list(p);
976
977 /* One little note: we should normally not delete any sockets in the file system here! After all some
978 * other process we spawned might still have a reference of this fd and wants to continue to use
979 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
980 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
981 * anyway, but only then. */
982
983 if (!was_open || !s->remove_on_stop)
984 continue;
985
986 switch (p->type) {
987
988 case SOCKET_FIFO:
989 (void) unlink(p->path);
990 break;
991
992 case SOCKET_MQUEUE:
993 (void) mq_unlink(p->path);
994 break;
995
996 case SOCKET_SOCKET:
997 (void) socket_address_unlink(&p->address);
998 break;
999
1000 default:
1001 break;
1002 }
1003 }
1004
1005 if (s->remove_on_stop)
1006 STRV_FOREACH(i, s->symlinks)
1007 (void) unlink(*i);
1008 }
1009
1010 static void socket_apply_socket_options(Socket *s, int fd) {
1011 int r;
1012
1013 assert(s);
1014 assert(fd >= 0);
1015
1016 if (s->keep_alive) {
1017 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &const_int_one, sizeof(const_int_one)) < 0)
1018 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1019 }
1020
1021 if (s->keep_alive_time > 0) {
1022 int value = s->keep_alive_time / USEC_PER_SEC;
1023 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1024 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1025 }
1026
1027 if (s->keep_alive_interval > 0) {
1028 int value = s->keep_alive_interval / USEC_PER_SEC;
1029 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1030 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1031 }
1032
1033 if (s->keep_alive_cnt > 0) {
1034 int value = s->keep_alive_cnt;
1035 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1036 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1037 }
1038
1039 if (s->defer_accept > 0) {
1040 int value = s->defer_accept / USEC_PER_SEC;
1041 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1042 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1043 }
1044
1045 if (s->no_delay) {
1046 if (s->socket_protocol == IPPROTO_SCTP) {
1047 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &const_int_one, sizeof(const_int_one)) < 0)
1048 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1049 } else {
1050 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &const_int_one, sizeof(const_int_one)) < 0)
1051 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1052 }
1053 }
1054
1055 if (s->broadcast) {
1056 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &const_int_one, sizeof(const_int_one)) < 0)
1057 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1058 }
1059
1060 if (s->pass_cred) {
1061 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &const_int_one, sizeof(const_int_one)) < 0)
1062 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1063 }
1064
1065 if (s->pass_sec) {
1066 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &const_int_one, sizeof(const_int_one)) < 0)
1067 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1068 }
1069
1070 if (s->priority >= 0)
1071 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1072 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1073
1074 if (s->receive_buffer > 0) {
1075 int value = (int) s->receive_buffer;
1076
1077 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1078 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1079 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1080 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1081 }
1082
1083 if (s->send_buffer > 0) {
1084 int value = (int) s->send_buffer;
1085 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1086 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1088 }
1089
1090 if (s->mark >= 0)
1091 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1092 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1093
1094 if (s->ip_tos >= 0)
1095 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1096 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1097
1098 if (s->ip_ttl >= 0) {
1099 int x;
1100
1101 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1102
1103 if (socket_ipv6_is_supported())
1104 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1105 else {
1106 x = -1;
1107 errno = EAFNOSUPPORT;
1108 }
1109
1110 if (r < 0 && x < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1112 }
1113
1114 if (s->tcp_congestion)
1115 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1116 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1117
1118 if (s->smack_ip_in) {
1119 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1120 if (r < 0)
1121 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1122 }
1123
1124 if (s->smack_ip_out) {
1125 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1126 if (r < 0)
1127 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1128 }
1129 }
1130
1131 static void socket_apply_fifo_options(Socket *s, int fd) {
1132 int r;
1133
1134 assert(s);
1135 assert(fd >= 0);
1136
1137 if (s->pipe_size > 0)
1138 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1139 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1140
1141 if (s->smack) {
1142 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1143 if (r < 0)
1144 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1145 }
1146 }
1147
1148 static int fifo_address_create(
1149 const char *path,
1150 mode_t directory_mode,
1151 mode_t socket_mode) {
1152
1153 _cleanup_close_ int fd = -1;
1154 mode_t old_mask;
1155 struct stat st;
1156 int r;
1157
1158 assert(path);
1159
1160 (void) mkdir_parents_label(path, directory_mode);
1161
1162 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1163 if (r < 0)
1164 return r;
1165
1166 /* Enforce the right access mode for the fifo */
1167 old_mask = umask(~socket_mode);
1168
1169 /* Include the original umask in our mask */
1170 (void) umask(~socket_mode | old_mask);
1171
1172 r = mkfifo(path, socket_mode);
1173 (void) umask(old_mask);
1174
1175 if (r < 0 && errno != EEXIST) {
1176 r = -errno;
1177 goto fail;
1178 }
1179
1180 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1181 if (fd < 0) {
1182 r = -errno;
1183 goto fail;
1184 }
1185
1186 mac_selinux_create_file_clear();
1187
1188 if (fstat(fd, &st) < 0) {
1189 r = -errno;
1190 goto fail;
1191 }
1192
1193 if (!S_ISFIFO(st.st_mode) ||
1194 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1195 st.st_uid != getuid() ||
1196 st.st_gid != getgid()) {
1197 r = -EEXIST;
1198 goto fail;
1199 }
1200
1201 return TAKE_FD(fd);
1202
1203 fail:
1204 mac_selinux_create_file_clear();
1205 return r;
1206 }
1207
1208 static int special_address_create(const char *path, bool writable) {
1209 _cleanup_close_ int fd = -1;
1210 struct stat st;
1211
1212 assert(path);
1213
1214 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1215 if (fd < 0)
1216 return -errno;
1217
1218 if (fstat(fd, &st) < 0)
1219 return -errno;
1220
1221 /* Check whether this is a /proc, /sys or /dev file or char device */
1222 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1223 return -EEXIST;
1224
1225 return TAKE_FD(fd);
1226 }
1227
1228 static int usbffs_address_create(const char *path) {
1229 _cleanup_close_ int fd = -1;
1230 struct stat st;
1231
1232 assert(path);
1233
1234 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1235 if (fd < 0)
1236 return -errno;
1237
1238 if (fstat(fd, &st) < 0)
1239 return -errno;
1240
1241 /* Check whether this is a regular file (ffs endpoint) */
1242 if (!S_ISREG(st.st_mode))
1243 return -EEXIST;
1244
1245 return TAKE_FD(fd);
1246 }
1247
1248 static int mq_address_create(
1249 const char *path,
1250 mode_t mq_mode,
1251 long maxmsg,
1252 long msgsize) {
1253
1254 _cleanup_close_ int fd = -1;
1255 struct stat st;
1256 mode_t old_mask;
1257 struct mq_attr _attr, *attr = NULL;
1258
1259 assert(path);
1260
1261 if (maxmsg > 0 && msgsize > 0) {
1262 _attr = (struct mq_attr) {
1263 .mq_flags = O_NONBLOCK,
1264 .mq_maxmsg = maxmsg,
1265 .mq_msgsize = msgsize,
1266 };
1267 attr = &_attr;
1268 }
1269
1270 /* Enforce the right access mode for the mq */
1271 old_mask = umask(~mq_mode);
1272
1273 /* Include the original umask in our mask */
1274 (void) umask(~mq_mode | old_mask);
1275 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1276 (void) umask(old_mask);
1277
1278 if (fd < 0)
1279 return -errno;
1280
1281 if (fstat(fd, &st) < 0)
1282 return -errno;
1283
1284 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1285 st.st_uid != getuid() ||
1286 st.st_gid != getgid())
1287 return -EEXIST;
1288
1289 return TAKE_FD(fd);
1290 }
1291
1292 static int socket_symlink(Socket *s) {
1293 const char *p;
1294 char **i;
1295 int r;
1296
1297 assert(s);
1298
1299 p = socket_find_symlink_target(s);
1300 if (!p)
1301 return 0;
1302
1303 STRV_FOREACH(i, s->symlinks) {
1304 (void) mkdir_parents_label(*i, s->directory_mode);
1305
1306 r = symlink_idempotent(p, *i, false);
1307
1308 if (r == -EEXIST && s->remove_on_stop) {
1309 /* If there's already something where we want to create the symlink, and the destructive
1310 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1311 * again. */
1312
1313 if (unlink(*i) >= 0)
1314 r = symlink_idempotent(p, *i, false);
1315 }
1316
1317 if (r < 0)
1318 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1319 }
1320
1321 return 0;
1322 }
1323
1324 static int usbffs_write_descs(int fd, Service *s) {
1325 int r;
1326
1327 if (!s->usb_function_descriptors || !s->usb_function_strings)
1328 return -EINVAL;
1329
1330 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1331 if (r < 0)
1332 return r;
1333
1334 return copy_file_fd(s->usb_function_strings, fd, 0);
1335 }
1336
1337 static int usbffs_select_ep(const struct dirent *d) {
1338 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1339 }
1340
1341 static int usbffs_dispatch_eps(SocketPort *p) {
1342 _cleanup_free_ struct dirent **ent = NULL;
1343 size_t n, k, i;
1344 int r;
1345
1346 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1347 if (r < 0)
1348 return -errno;
1349
1350 n = (size_t) r;
1351 p->auxiliary_fds = new(int, n);
1352 if (!p->auxiliary_fds) {
1353 r = -ENOMEM;
1354 goto clear;
1355 }
1356
1357 p->n_auxiliary_fds = n;
1358
1359 k = 0;
1360 for (i = 0; i < n; ++i) {
1361 _cleanup_free_ char *ep = NULL;
1362
1363 ep = path_make_absolute(ent[i]->d_name, p->path);
1364 if (!ep) {
1365 r = -ENOMEM;
1366 goto fail;
1367 }
1368
1369 path_simplify(ep, false);
1370
1371 r = usbffs_address_create(ep);
1372 if (r < 0)
1373 goto fail;
1374
1375 p->auxiliary_fds[k++] = r;
1376 }
1377
1378 r = 0;
1379 goto clear;
1380
1381 fail:
1382 close_many(p->auxiliary_fds, k);
1383 p->auxiliary_fds = mfree(p->auxiliary_fds);
1384 p->n_auxiliary_fds = 0;
1385
1386 clear:
1387 for (i = 0; i < n; ++i)
1388 free(ent[i]);
1389
1390 return r;
1391 }
1392
1393 static int socket_determine_selinux_label(Socket *s, char **ret) {
1394 Service *service;
1395 ExecCommand *c;
1396 _cleanup_free_ char *path = NULL;
1397 int r;
1398
1399 assert(s);
1400 assert(ret);
1401
1402 if (s->selinux_context_from_net) {
1403 /* If this is requested, get label from the network label */
1404
1405 r = mac_selinux_get_our_label(ret);
1406 if (r == -EOPNOTSUPP)
1407 goto no_label;
1408
1409 } else {
1410 /* Otherwise, get it from the executable we are about to start */
1411 r = socket_instantiate_service(s);
1412 if (r < 0)
1413 return r;
1414
1415 if (!UNIT_ISSET(s->service))
1416 goto no_label;
1417
1418 service = SERVICE(UNIT_DEREF(s->service));
1419 c = service->exec_command[SERVICE_EXEC_START];
1420 if (!c)
1421 goto no_label;
1422
1423 r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
1424 if (r < 0)
1425 goto no_label;
1426
1427 r = mac_selinux_get_create_label_from_exe(path, ret);
1428 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1429 goto no_label;
1430 }
1431
1432 return r;
1433
1434 no_label:
1435 *ret = NULL;
1436 return 0;
1437 }
1438
1439 static int socket_address_listen_do(
1440 Socket *s,
1441 const SocketAddress *address,
1442 const char *label) {
1443
1444 assert(s);
1445 assert(address);
1446
1447 return socket_address_listen(
1448 address,
1449 SOCK_CLOEXEC|SOCK_NONBLOCK,
1450 s->backlog,
1451 s->bind_ipv6_only,
1452 s->bind_to_device,
1453 s->reuse_port,
1454 s->free_bind,
1455 s->transparent,
1456 s->directory_mode,
1457 s->socket_mode,
1458 label);
1459 }
1460
1461 static int socket_address_listen_in_cgroup(
1462 Socket *s,
1463 const SocketAddress *address,
1464 const char *label) {
1465
1466 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1467 int fd, r;
1468 pid_t pid;
1469
1470 assert(s);
1471 assert(address);
1472
1473 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1474 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1475 * unit's cgroup for the purpose of BPF filtering and such. */
1476
1477 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1478 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1479
1480 r = bpf_firewall_supported();
1481 if (r < 0)
1482 return r;
1483 if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1484 goto shortcut;
1485
1486 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1487 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1488
1489 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1490 if (r < 0)
1491 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1492 if (r == 0) {
1493 /* Child */
1494
1495 pair[0] = safe_close(pair[0]);
1496
1497 fd = socket_address_listen_do(s, address, label);
1498 if (fd < 0) {
1499 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1500 _exit(EXIT_FAILURE);
1501 }
1502
1503 r = send_one_fd(pair[1], fd, 0);
1504 if (r < 0) {
1505 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1506 _exit(EXIT_FAILURE);
1507 }
1508
1509 _exit(EXIT_SUCCESS);
1510 }
1511
1512 pair[1] = safe_close(pair[1]);
1513 fd = receive_one_fd(pair[0], 0);
1514
1515 /* We synchronously wait for the helper, as it shouldn't be slow */
1516 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1517 if (r < 0) {
1518 safe_close(fd);
1519 return r;
1520 }
1521
1522 if (fd < 0)
1523 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1524
1525 return fd;
1526
1527 shortcut:
1528 fd = socket_address_listen_do(s, address, label);
1529 if (fd < 0)
1530 return log_error_errno(fd, "Failed to create listening socket: %m");
1531
1532 return fd;
1533 }
1534
1535 static int socket_open_fds(Socket *s) {
1536 _cleanup_(mac_selinux_freep) char *label = NULL;
1537 bool know_label = false;
1538 SocketPort *p;
1539 int r;
1540
1541 assert(s);
1542
1543 LIST_FOREACH(port, p, s->ports) {
1544
1545 if (p->fd >= 0)
1546 continue;
1547
1548 switch (p->type) {
1549
1550 case SOCKET_SOCKET:
1551
1552 if (!know_label) {
1553 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1554 * we need this and remember it for the rest. */
1555
1556 r = socket_determine_selinux_label(s, &label);
1557 if (r < 0)
1558 goto rollback;
1559
1560 know_label = true;
1561 }
1562
1563 /* Apply the socket protocol */
1564 switch (p->address.type) {
1565
1566 case SOCK_STREAM:
1567 case SOCK_SEQPACKET:
1568 if (s->socket_protocol == IPPROTO_SCTP)
1569 p->address.protocol = s->socket_protocol;
1570 break;
1571
1572 case SOCK_DGRAM:
1573 if (s->socket_protocol == IPPROTO_UDPLITE)
1574 p->address.protocol = s->socket_protocol;
1575 break;
1576 }
1577
1578 r = socket_address_listen_in_cgroup(s, &p->address, label);
1579 if (r < 0)
1580 goto rollback;
1581
1582 p->fd = r;
1583 socket_apply_socket_options(s, p->fd);
1584 socket_symlink(s);
1585 break;
1586
1587 case SOCKET_SPECIAL:
1588
1589 p->fd = special_address_create(p->path, s->writable);
1590 if (p->fd < 0) {
1591 r = p->fd;
1592 goto rollback;
1593 }
1594 break;
1595
1596 case SOCKET_FIFO:
1597
1598 p->fd = fifo_address_create(
1599 p->path,
1600 s->directory_mode,
1601 s->socket_mode);
1602 if (p->fd < 0) {
1603 r = p->fd;
1604 goto rollback;
1605 }
1606
1607 socket_apply_fifo_options(s, p->fd);
1608 socket_symlink(s);
1609 break;
1610
1611 case SOCKET_MQUEUE:
1612
1613 p->fd = mq_address_create(
1614 p->path,
1615 s->socket_mode,
1616 s->mq_maxmsg,
1617 s->mq_msgsize);
1618 if (p->fd < 0) {
1619 r = p->fd;
1620 goto rollback;
1621 }
1622 break;
1623
1624 case SOCKET_USB_FUNCTION: {
1625 _cleanup_free_ char *ep = NULL;
1626
1627 ep = path_make_absolute("ep0", p->path);
1628
1629 p->fd = usbffs_address_create(ep);
1630 if (p->fd < 0) {
1631 r = p->fd;
1632 goto rollback;
1633 }
1634
1635 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1636 if (r < 0)
1637 goto rollback;
1638
1639 r = usbffs_dispatch_eps(p);
1640 if (r < 0)
1641 goto rollback;
1642
1643 break;
1644 }
1645 default:
1646 assert_not_reached("Unknown port type");
1647 }
1648 }
1649
1650 return 0;
1651
1652 rollback:
1653 socket_close_fds(s);
1654 return r;
1655 }
1656
1657 static void socket_unwatch_fds(Socket *s) {
1658 SocketPort *p;
1659 int r;
1660
1661 assert(s);
1662
1663 LIST_FOREACH(port, p, s->ports) {
1664 if (p->fd < 0)
1665 continue;
1666
1667 if (!p->event_source)
1668 continue;
1669
1670 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1671 if (r < 0)
1672 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1673 }
1674 }
1675
1676 static int socket_watch_fds(Socket *s) {
1677 SocketPort *p;
1678 int r;
1679
1680 assert(s);
1681
1682 LIST_FOREACH(port, p, s->ports) {
1683 if (p->fd < 0)
1684 continue;
1685
1686 if (p->event_source) {
1687 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1688 if (r < 0)
1689 goto fail;
1690 } else {
1691 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1692 if (r < 0)
1693 goto fail;
1694
1695 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1696 }
1697 }
1698
1699 return 0;
1700
1701 fail:
1702 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1703 socket_unwatch_fds(s);
1704 return r;
1705 }
1706
1707 enum {
1708 SOCKET_OPEN_NONE,
1709 SOCKET_OPEN_SOME,
1710 SOCKET_OPEN_ALL,
1711 };
1712
1713 static int socket_check_open(Socket *s) {
1714 bool have_open = false, have_closed = false;
1715 SocketPort *p;
1716
1717 assert(s);
1718
1719 LIST_FOREACH(port, p, s->ports) {
1720 if (p->fd < 0)
1721 have_closed = true;
1722 else
1723 have_open = true;
1724
1725 if (have_open && have_closed)
1726 return SOCKET_OPEN_SOME;
1727 }
1728
1729 if (have_open)
1730 return SOCKET_OPEN_ALL;
1731
1732 return SOCKET_OPEN_NONE;
1733 }
1734
1735 static void socket_set_state(Socket *s, SocketState state) {
1736 SocketState old_state;
1737 assert(s);
1738
1739 old_state = s->state;
1740 s->state = state;
1741
1742 if (!IN_SET(state,
1743 SOCKET_START_PRE,
1744 SOCKET_START_CHOWN,
1745 SOCKET_START_POST,
1746 SOCKET_STOP_PRE,
1747 SOCKET_STOP_PRE_SIGTERM,
1748 SOCKET_STOP_PRE_SIGKILL,
1749 SOCKET_STOP_POST,
1750 SOCKET_FINAL_SIGTERM,
1751 SOCKET_FINAL_SIGKILL)) {
1752
1753 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1754 socket_unwatch_control_pid(s);
1755 s->control_command = NULL;
1756 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1757 }
1758
1759 if (state != SOCKET_LISTENING)
1760 socket_unwatch_fds(s);
1761
1762 if (!IN_SET(state,
1763 SOCKET_START_CHOWN,
1764 SOCKET_START_POST,
1765 SOCKET_LISTENING,
1766 SOCKET_RUNNING,
1767 SOCKET_STOP_PRE,
1768 SOCKET_STOP_PRE_SIGTERM,
1769 SOCKET_STOP_PRE_SIGKILL))
1770 socket_close_fds(s);
1771
1772 if (state != old_state)
1773 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1774
1775 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], 0);
1776 }
1777
1778 static int socket_coldplug(Unit *u) {
1779 Socket *s = SOCKET(u);
1780 int r;
1781
1782 assert(s);
1783 assert(s->state == SOCKET_DEAD);
1784
1785 if (s->deserialized_state == s->state)
1786 return 0;
1787
1788 if (s->control_pid > 0 &&
1789 pid_is_unwaited(s->control_pid) &&
1790 IN_SET(s->deserialized_state,
1791 SOCKET_START_PRE,
1792 SOCKET_START_CHOWN,
1793 SOCKET_START_POST,
1794 SOCKET_STOP_PRE,
1795 SOCKET_STOP_PRE_SIGTERM,
1796 SOCKET_STOP_PRE_SIGKILL,
1797 SOCKET_STOP_POST,
1798 SOCKET_FINAL_SIGTERM,
1799 SOCKET_FINAL_SIGKILL)) {
1800
1801 r = unit_watch_pid(UNIT(s), s->control_pid);
1802 if (r < 0)
1803 return r;
1804
1805 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1806 if (r < 0)
1807 return r;
1808 }
1809
1810 if (IN_SET(s->deserialized_state,
1811 SOCKET_START_CHOWN,
1812 SOCKET_START_POST,
1813 SOCKET_LISTENING,
1814 SOCKET_RUNNING)) {
1815
1816 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1817 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1818 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1819 * and if there's a mismatch, warn loudly. */
1820
1821 r = socket_check_open(s);
1822 if (r == SOCKET_OPEN_NONE)
1823 log_unit_warning(UNIT(s),
1824 "Socket unit configuration has changed while unit has been running, "
1825 "no open socket file descriptor left. "
1826 "The socket unit is not functional until restarted.");
1827 else if (r == SOCKET_OPEN_SOME)
1828 log_unit_warning(UNIT(s),
1829 "Socket unit configuration has changed while unit has been running, "
1830 "and some socket file descriptors have not been opened yet. "
1831 "The socket unit is not fully functional until restarted.");
1832 }
1833
1834 if (s->deserialized_state == SOCKET_LISTENING) {
1835 r = socket_watch_fds(s);
1836 if (r < 0)
1837 return r;
1838 }
1839
1840 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
1841 (void) unit_setup_dynamic_creds(u);
1842 (void) unit_setup_exec_runtime(u);
1843 }
1844
1845 socket_set_state(s, s->deserialized_state);
1846 return 0;
1847 }
1848
1849 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1850
1851 ExecParameters exec_params = {
1852 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1853 .stdin_fd = -1,
1854 .stdout_fd = -1,
1855 .stderr_fd = -1,
1856 .exec_fd = -1,
1857 };
1858 pid_t pid;
1859 int r;
1860
1861 assert(s);
1862 assert(c);
1863 assert(_pid);
1864
1865 r = unit_prepare_exec(UNIT(s));
1866 if (r < 0)
1867 return r;
1868
1869 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1870 if (r < 0)
1871 return r;
1872
1873 unit_set_exec_params(UNIT(s), &exec_params);
1874
1875 r = exec_spawn(UNIT(s),
1876 c,
1877 &s->exec_context,
1878 &exec_params,
1879 s->exec_runtime,
1880 &s->dynamic_creds,
1881 &pid);
1882 if (r < 0)
1883 return r;
1884
1885 r = unit_watch_pid(UNIT(s), pid);
1886 if (r < 0)
1887 /* FIXME: we need to do something here */
1888 return r;
1889
1890 *_pid = pid;
1891
1892 return 0;
1893 }
1894
1895 static int socket_chown(Socket *s, pid_t *_pid) {
1896 pid_t pid;
1897 int r;
1898
1899 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1900 if (r < 0)
1901 goto fail;
1902
1903 /* We have to resolve the user names out-of-process, hence
1904 * let's fork here. It's messy, but well, what can we do? */
1905
1906 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1907 if (r < 0)
1908 return r;
1909 if (r == 0) {
1910 uid_t uid = UID_INVALID;
1911 gid_t gid = GID_INVALID;
1912 SocketPort *p;
1913
1914 /* Child */
1915
1916 if (!isempty(s->user)) {
1917 const char *user = s->user;
1918
1919 r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
1920 if (r < 0) {
1921 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1922 _exit(EXIT_USER);
1923 }
1924 }
1925
1926 if (!isempty(s->group)) {
1927 const char *group = s->group;
1928
1929 r = get_group_creds(&group, &gid, 0);
1930 if (r < 0) {
1931 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1932 _exit(EXIT_GROUP);
1933 }
1934 }
1935
1936 LIST_FOREACH(port, p, s->ports) {
1937 const char *path = NULL;
1938
1939 if (p->type == SOCKET_SOCKET)
1940 path = socket_address_get_path(&p->address);
1941 else if (p->type == SOCKET_FIFO)
1942 path = p->path;
1943
1944 if (!path)
1945 continue;
1946
1947 if (chown(path, uid, gid) < 0) {
1948 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1949 _exit(EXIT_CHOWN);
1950 }
1951 }
1952
1953 _exit(EXIT_SUCCESS);
1954 }
1955
1956 r = unit_watch_pid(UNIT(s), pid);
1957 if (r < 0)
1958 goto fail;
1959
1960 *_pid = pid;
1961 return 0;
1962
1963 fail:
1964 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1965 return r;
1966 }
1967
1968 static void socket_enter_dead(Socket *s, SocketResult f) {
1969 assert(s);
1970
1971 if (s->result == SOCKET_SUCCESS)
1972 s->result = f;
1973
1974 if (s->result != SOCKET_SUCCESS)
1975 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
1976
1977 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
1978
1979 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
1980
1981 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
1982
1983 unit_unref_uid_gid(UNIT(s), true);
1984
1985 dynamic_creds_destroy(&s->dynamic_creds);
1986 }
1987
1988 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
1989
1990 static void socket_enter_stop_post(Socket *s, SocketResult f) {
1991 int r;
1992 assert(s);
1993
1994 if (s->result == SOCKET_SUCCESS)
1995 s->result = f;
1996
1997 socket_unwatch_control_pid(s);
1998 s->control_command_id = SOCKET_EXEC_STOP_POST;
1999 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2000
2001 if (s->control_command) {
2002 r = socket_spawn(s, s->control_command, &s->control_pid);
2003 if (r < 0)
2004 goto fail;
2005
2006 socket_set_state(s, SOCKET_STOP_POST);
2007 } else
2008 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2009
2010 return;
2011
2012 fail:
2013 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2014 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2015 }
2016
2017 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2018 int r;
2019
2020 assert(s);
2021
2022 if (s->result == SOCKET_SUCCESS)
2023 s->result = f;
2024
2025 r = unit_kill_context(
2026 UNIT(s),
2027 &s->kill_context,
2028 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2029 KILL_KILL : KILL_TERMINATE,
2030 -1,
2031 s->control_pid,
2032 false);
2033 if (r < 0)
2034 goto fail;
2035
2036 if (r > 0) {
2037 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2038 if (r < 0)
2039 goto fail;
2040
2041 socket_set_state(s, state);
2042 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2043 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2044 else if (state == SOCKET_STOP_PRE_SIGKILL)
2045 socket_enter_stop_post(s, SOCKET_SUCCESS);
2046 else if (state == SOCKET_FINAL_SIGTERM)
2047 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2048 else
2049 socket_enter_dead(s, SOCKET_SUCCESS);
2050
2051 return;
2052
2053 fail:
2054 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2055
2056 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2057 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2058 else
2059 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2060 }
2061
2062 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2063 int r;
2064 assert(s);
2065
2066 if (s->result == SOCKET_SUCCESS)
2067 s->result = f;
2068
2069 socket_unwatch_control_pid(s);
2070 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2071 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2072
2073 if (s->control_command) {
2074 r = socket_spawn(s, s->control_command, &s->control_pid);
2075 if (r < 0)
2076 goto fail;
2077
2078 socket_set_state(s, SOCKET_STOP_PRE);
2079 } else
2080 socket_enter_stop_post(s, SOCKET_SUCCESS);
2081
2082 return;
2083
2084 fail:
2085 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2086 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2087 }
2088
2089 static void socket_enter_listening(Socket *s) {
2090 int r;
2091 assert(s);
2092
2093 r = socket_watch_fds(s);
2094 if (r < 0) {
2095 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2096 goto fail;
2097 }
2098
2099 socket_set_state(s, SOCKET_LISTENING);
2100 return;
2101
2102 fail:
2103 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2104 }
2105
2106 static void socket_enter_start_post(Socket *s) {
2107 int r;
2108 assert(s);
2109
2110 socket_unwatch_control_pid(s);
2111 s->control_command_id = SOCKET_EXEC_START_POST;
2112 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2113
2114 if (s->control_command) {
2115 r = socket_spawn(s, s->control_command, &s->control_pid);
2116 if (r < 0) {
2117 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2118 goto fail;
2119 }
2120
2121 socket_set_state(s, SOCKET_START_POST);
2122 } else
2123 socket_enter_listening(s);
2124
2125 return;
2126
2127 fail:
2128 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2129 }
2130
2131 static void socket_enter_start_chown(Socket *s) {
2132 int r;
2133
2134 assert(s);
2135
2136 r = socket_open_fds(s);
2137 if (r < 0) {
2138 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2139 goto fail;
2140 }
2141
2142 if (!isempty(s->user) || !isempty(s->group)) {
2143
2144 socket_unwatch_control_pid(s);
2145 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2146 s->control_command = NULL;
2147
2148 r = socket_chown(s, &s->control_pid);
2149 if (r < 0) {
2150 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2151 goto fail;
2152 }
2153
2154 socket_set_state(s, SOCKET_START_CHOWN);
2155 } else
2156 socket_enter_start_post(s);
2157
2158 return;
2159
2160 fail:
2161 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2162 }
2163
2164 static void socket_enter_start_pre(Socket *s) {
2165 int r;
2166 assert(s);
2167
2168 socket_unwatch_control_pid(s);
2169
2170 unit_warn_leftover_processes(UNIT(s));
2171
2172 s->control_command_id = SOCKET_EXEC_START_PRE;
2173 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2174
2175 if (s->control_command) {
2176 r = socket_spawn(s, s->control_command, &s->control_pid);
2177 if (r < 0) {
2178 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2179 goto fail;
2180 }
2181
2182 socket_set_state(s, SOCKET_START_PRE);
2183 } else
2184 socket_enter_start_chown(s);
2185
2186 return;
2187
2188 fail:
2189 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2190 }
2191
2192 static void flush_ports(Socket *s) {
2193 SocketPort *p;
2194
2195 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2196 * anymore */
2197
2198 LIST_FOREACH(port, p, s->ports) {
2199 if (p->fd < 0)
2200 continue;
2201
2202 (void) flush_accept(p->fd);
2203 (void) flush_fd(p->fd);
2204 }
2205 }
2206
2207 static void socket_enter_running(Socket *s, int cfd) {
2208 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2209 int r;
2210
2211 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2212 * close it. */
2213
2214 assert(s);
2215
2216 /* We don't take connections anymore if we are supposed to shut down anyway */
2217 if (unit_stop_pending(UNIT(s))) {
2218
2219 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2220
2221 if (cfd >= 0)
2222 goto refuse;
2223 else
2224 flush_ports(s);
2225
2226 return;
2227 }
2228
2229 if (!ratelimit_below(&s->trigger_limit)) {
2230 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2231 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2232 goto refuse;
2233 }
2234
2235 if (cfd < 0) {
2236 bool pending = false;
2237 Unit *other;
2238 Iterator i;
2239 void *v;
2240
2241 /* If there's already a start pending don't bother to
2242 * do anything */
2243 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2244 if (unit_active_or_pending(other)) {
2245 pending = true;
2246 break;
2247 }
2248
2249 if (!pending) {
2250 if (!UNIT_ISSET(s->service)) {
2251 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2252 r = -ENOENT;
2253 goto fail;
2254 }
2255
2256 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2257 if (r < 0)
2258 goto fail;
2259 }
2260
2261 socket_set_state(s, SOCKET_RUNNING);
2262 } else {
2263 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2264 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2265 Service *service;
2266
2267 if (s->n_connections >= s->max_connections) {
2268 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2269 s->n_connections);
2270 goto refuse;
2271 }
2272
2273 if (s->max_connections_per_source > 0) {
2274 r = socket_acquire_peer(s, cfd, &p);
2275 if (r < 0) {
2276 goto refuse;
2277 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2278 _cleanup_free_ char *t = NULL;
2279
2280 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2281
2282 log_unit_warning(UNIT(s),
2283 "Too many incoming connections (%u) from source %s, dropping connection.",
2284 p->n_ref, strnull(t));
2285 goto refuse;
2286 }
2287 }
2288
2289 r = socket_instantiate_service(s);
2290 if (r < 0)
2291 goto fail;
2292
2293 r = instance_from_socket(cfd, s->n_accepted, &instance);
2294 if (r < 0) {
2295 if (r != -ENOTCONN)
2296 goto fail;
2297
2298 /* ENOTCONN is legitimate if TCP RST was received.
2299 * This connection is over, but the socket unit lives on. */
2300 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2301 goto refuse;
2302 }
2303
2304 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2305 if (r < 0)
2306 goto fail;
2307
2308 r = unit_name_build(prefix, instance, ".service", &name);
2309 if (r < 0)
2310 goto fail;
2311
2312 r = unit_add_name(UNIT_DEREF(s->service), name);
2313 if (r < 0)
2314 goto fail;
2315
2316 service = SERVICE(UNIT_DEREF(s->service));
2317 unit_ref_unset(&s->service);
2318
2319 s->n_accepted++;
2320 unit_choose_id(UNIT(service), name);
2321
2322 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2323 if (r < 0)
2324 goto fail;
2325
2326 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2327 s->n_connections++;
2328
2329 service->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */
2330
2331 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2332 if (r < 0) {
2333 /* We failed to activate the new service, but it still exists. Let's make sure the service
2334 * closes and forgets the connection fd again, immediately. */
2335 service_close_socket_fd(service);
2336 goto fail;
2337 }
2338
2339 /* Notify clients about changed counters */
2340 unit_add_to_dbus_queue(UNIT(s));
2341 }
2342
2343 return;
2344
2345 refuse:
2346 s->n_refused++;
2347 safe_close(cfd);
2348 return;
2349
2350 fail:
2351 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2352 cfd >= 0 ? "template" : "non-template",
2353 bus_error_message(&error, r));
2354
2355 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2356 safe_close(cfd);
2357 }
2358
2359 static void socket_run_next(Socket *s) {
2360 int r;
2361
2362 assert(s);
2363 assert(s->control_command);
2364 assert(s->control_command->command_next);
2365
2366 socket_unwatch_control_pid(s);
2367
2368 s->control_command = s->control_command->command_next;
2369
2370 r = socket_spawn(s, s->control_command, &s->control_pid);
2371 if (r < 0)
2372 goto fail;
2373
2374 return;
2375
2376 fail:
2377 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2378
2379 if (s->state == SOCKET_START_POST)
2380 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2381 else if (s->state == SOCKET_STOP_POST)
2382 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2383 else
2384 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2385 }
2386
2387 static int socket_start(Unit *u) {
2388 Socket *s = SOCKET(u);
2389 int r;
2390
2391 assert(s);
2392
2393 /* We cannot fulfill this request right now, try again later
2394 * please! */
2395 if (IN_SET(s->state,
2396 SOCKET_STOP_PRE,
2397 SOCKET_STOP_PRE_SIGKILL,
2398 SOCKET_STOP_PRE_SIGTERM,
2399 SOCKET_STOP_POST,
2400 SOCKET_FINAL_SIGTERM,
2401 SOCKET_FINAL_SIGKILL))
2402 return -EAGAIN;
2403
2404 /* Already on it! */
2405 if (IN_SET(s->state,
2406 SOCKET_START_PRE,
2407 SOCKET_START_CHOWN,
2408 SOCKET_START_POST))
2409 return 0;
2410
2411 /* Cannot run this without the service being around */
2412 if (UNIT_ISSET(s->service)) {
2413 Service *service;
2414
2415 service = SERVICE(UNIT_DEREF(s->service));
2416
2417 if (UNIT(service)->load_state != UNIT_LOADED) {
2418 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2419 return -ENOENT;
2420 }
2421
2422 /* If the service is already active we cannot start the
2423 * socket */
2424 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2425 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2426 return -EBUSY;
2427 }
2428 }
2429
2430 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2431
2432 r = unit_start_limit_test(u);
2433 if (r < 0) {
2434 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2435 return r;
2436 }
2437
2438 r = unit_acquire_invocation_id(u);
2439 if (r < 0)
2440 return r;
2441
2442 s->result = SOCKET_SUCCESS;
2443 exec_command_reset_status_list_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
2444
2445 u->reset_accounting = true;
2446
2447 socket_enter_start_pre(s);
2448 return 1;
2449 }
2450
2451 static int socket_stop(Unit *u) {
2452 Socket *s = SOCKET(u);
2453
2454 assert(s);
2455
2456 /* Already on it */
2457 if (IN_SET(s->state,
2458 SOCKET_STOP_PRE,
2459 SOCKET_STOP_PRE_SIGTERM,
2460 SOCKET_STOP_PRE_SIGKILL,
2461 SOCKET_STOP_POST,
2462 SOCKET_FINAL_SIGTERM,
2463 SOCKET_FINAL_SIGKILL))
2464 return 0;
2465
2466 /* If there's already something running we go directly into
2467 * kill mode. */
2468 if (IN_SET(s->state,
2469 SOCKET_START_PRE,
2470 SOCKET_START_CHOWN,
2471 SOCKET_START_POST)) {
2472 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2473 return -EAGAIN;
2474 }
2475
2476 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2477
2478 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2479 return 1;
2480 }
2481
2482 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2483 Socket *s = SOCKET(u);
2484 SocketPort *p;
2485 int r;
2486
2487 assert(u);
2488 assert(f);
2489 assert(fds);
2490
2491 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2492 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2493 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2494 unit_serialize_item_format(u, f, "n-refused", "%u", s->n_refused);
2495
2496 if (s->control_pid > 0)
2497 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2498
2499 if (s->control_command_id >= 0)
2500 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2501
2502 LIST_FOREACH(port, p, s->ports) {
2503 int copy;
2504
2505 if (p->fd < 0)
2506 continue;
2507
2508 copy = fdset_put_dup(fds, p->fd);
2509 if (copy < 0)
2510 return copy;
2511
2512 if (p->type == SOCKET_SOCKET) {
2513 _cleanup_free_ char *t = NULL;
2514
2515 r = socket_address_print(&p->address, &t);
2516 if (r < 0)
2517 return r;
2518
2519 if (socket_address_family(&p->address) == AF_NETLINK)
2520 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2521 else
2522 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2523
2524 } else if (p->type == SOCKET_SPECIAL)
2525 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2526 else if (p->type == SOCKET_MQUEUE)
2527 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2528 else if (p->type == SOCKET_USB_FUNCTION)
2529 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2530 else {
2531 assert(p->type == SOCKET_FIFO);
2532 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2533 }
2534 }
2535
2536 return 0;
2537 }
2538
2539 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2540 safe_close(p->fd);
2541 p->fd = fdset_remove(fds, fd);
2542 }
2543
2544 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2545 Socket *s = SOCKET(u);
2546
2547 assert(u);
2548 assert(key);
2549 assert(value);
2550
2551 if (streq(key, "state")) {
2552 SocketState state;
2553
2554 state = socket_state_from_string(value);
2555 if (state < 0)
2556 log_unit_debug(u, "Failed to parse state value: %s", value);
2557 else
2558 s->deserialized_state = state;
2559 } else if (streq(key, "result")) {
2560 SocketResult f;
2561
2562 f = socket_result_from_string(value);
2563 if (f < 0)
2564 log_unit_debug(u, "Failed to parse result value: %s", value);
2565 else if (f != SOCKET_SUCCESS)
2566 s->result = f;
2567
2568 } else if (streq(key, "n-accepted")) {
2569 unsigned k;
2570
2571 if (safe_atou(value, &k) < 0)
2572 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2573 else
2574 s->n_accepted += k;
2575 } else if (streq(key, "n-refused")) {
2576 unsigned k;
2577
2578 if (safe_atou(value, &k) < 0)
2579 log_unit_debug(u, "Failed to parse n-refused value: %s", value);
2580 else
2581 s->n_refused += k;
2582 } else if (streq(key, "control-pid")) {
2583 pid_t pid;
2584
2585 if (parse_pid(value, &pid) < 0)
2586 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2587 else
2588 s->control_pid = pid;
2589 } else if (streq(key, "control-command")) {
2590 SocketExecCommand id;
2591
2592 id = socket_exec_command_from_string(value);
2593 if (id < 0)
2594 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2595 else {
2596 s->control_command_id = id;
2597 s->control_command = s->exec_command[id];
2598 }
2599 } else if (streq(key, "fifo")) {
2600 int fd, skip = 0;
2601 SocketPort *p;
2602
2603 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2604 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2605 else
2606 LIST_FOREACH(port, p, s->ports)
2607 if (p->type == SOCKET_FIFO &&
2608 path_equal_or_files_same(p->path, value+skip, 0)) {
2609 socket_port_take_fd(p, fds, fd);
2610 break;
2611 }
2612
2613 } else if (streq(key, "special")) {
2614 int fd, skip = 0;
2615 SocketPort *p;
2616
2617 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2618 log_unit_debug(u, "Failed to parse special value: %s", value);
2619 else
2620 LIST_FOREACH(port, p, s->ports)
2621 if (p->type == SOCKET_SPECIAL &&
2622 path_equal_or_files_same(p->path, value+skip, 0)) {
2623 socket_port_take_fd(p, fds, fd);
2624 break;
2625 }
2626
2627 } else if (streq(key, "mqueue")) {
2628 int fd, skip = 0;
2629 SocketPort *p;
2630
2631 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2632 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2633 else
2634 LIST_FOREACH(port, p, s->ports)
2635 if (p->type == SOCKET_MQUEUE &&
2636 streq(p->path, value+skip)) {
2637 socket_port_take_fd(p, fds, fd);
2638 break;
2639 }
2640
2641 } else if (streq(key, "socket")) {
2642 int fd, type, skip = 0;
2643 SocketPort *p;
2644
2645 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2646 log_unit_debug(u, "Failed to parse socket value: %s", value);
2647 else
2648 LIST_FOREACH(port, p, s->ports)
2649 if (socket_address_is(&p->address, value+skip, type)) {
2650 socket_port_take_fd(p, fds, fd);
2651 break;
2652 }
2653
2654 } else if (streq(key, "netlink")) {
2655 int fd, skip = 0;
2656 SocketPort *p;
2657
2658 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2659 log_unit_debug(u, "Failed to parse socket value: %s", value);
2660 else
2661 LIST_FOREACH(port, p, s->ports)
2662 if (socket_address_is_netlink(&p->address, value+skip)) {
2663 socket_port_take_fd(p, fds, fd);
2664 break;
2665 }
2666
2667 } else if (streq(key, "ffs")) {
2668 int fd, skip = 0;
2669 SocketPort *p;
2670
2671 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2672 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2673 else
2674 LIST_FOREACH(port, p, s->ports)
2675 if (p->type == SOCKET_USB_FUNCTION &&
2676 path_equal_or_files_same(p->path, value+skip, 0)) {
2677 socket_port_take_fd(p, fds, fd);
2678 break;
2679 }
2680
2681 } else
2682 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2683
2684 return 0;
2685 }
2686
2687 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2688 Socket *s = SOCKET(u);
2689 SocketPort *p;
2690
2691 assert(u);
2692
2693 LIST_FOREACH(port, p, s->ports) {
2694 Iterator i;
2695 int fd;
2696
2697 if (p->type != SOCKET_SOCKET)
2698 continue;
2699
2700 if (p->fd >= 0)
2701 continue;
2702
2703 FDSET_FOREACH(fd, fds, i) {
2704 if (socket_address_matches_fd(&p->address, fd)) {
2705 p->fd = fdset_remove(fds, fd);
2706 s->deserialized_state = SOCKET_LISTENING;
2707 break;
2708 }
2709 }
2710 }
2711 }
2712
2713 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2714 assert(u);
2715
2716 return state_translation_table[SOCKET(u)->state];
2717 }
2718
2719 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2720 assert(u);
2721
2722 return socket_state_to_string(SOCKET(u)->state);
2723 }
2724
2725 const char* socket_port_type_to_string(SocketPort *p) {
2726
2727 assert(p);
2728
2729 switch (p->type) {
2730
2731 case SOCKET_SOCKET:
2732
2733 switch (p->address.type) {
2734
2735 case SOCK_STREAM:
2736 return "Stream";
2737
2738 case SOCK_DGRAM:
2739 return "Datagram";
2740
2741 case SOCK_SEQPACKET:
2742 return "SequentialPacket";
2743
2744 case SOCK_RAW:
2745 if (socket_address_family(&p->address) == AF_NETLINK)
2746 return "Netlink";
2747
2748 _fallthrough_;
2749 default:
2750 return NULL;
2751 }
2752
2753 case SOCKET_SPECIAL:
2754 return "Special";
2755
2756 case SOCKET_MQUEUE:
2757 return "MessageQueue";
2758
2759 case SOCKET_FIFO:
2760 return "FIFO";
2761
2762 case SOCKET_USB_FUNCTION:
2763 return "USBFunction";
2764
2765 default:
2766 return NULL;
2767 }
2768 }
2769
2770 SocketType socket_port_type_from_string(const char *s) {
2771 assert(s);
2772
2773 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2774 return SOCKET_SOCKET;
2775 else if (streq(s, "Special"))
2776 return SOCKET_SPECIAL;
2777 else if (streq(s, "MessageQueue"))
2778 return SOCKET_MQUEUE;
2779 else if (streq(s, "FIFO"))
2780 return SOCKET_FIFO;
2781 else if (streq(s, "USBFunction"))
2782 return SOCKET_USB_FUNCTION;
2783 else
2784 return _SOCKET_TYPE_INVALID;
2785 }
2786
2787 _pure_ static bool socket_may_gc(Unit *u) {
2788 Socket *s = SOCKET(u);
2789
2790 assert(u);
2791
2792 return s->n_connections == 0;
2793 }
2794
2795 static int socket_accept_do(Socket *s, int fd) {
2796 int cfd;
2797
2798 assert(s);
2799 assert(fd >= 0);
2800
2801 for (;;) {
2802 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2803 if (cfd < 0) {
2804 if (errno == EINTR)
2805 continue;
2806
2807 return -errno;
2808 }
2809
2810 break;
2811 }
2812
2813 return cfd;
2814 }
2815
2816 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2817 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2818 int cfd, r;
2819 pid_t pid;
2820
2821 assert(s);
2822 assert(p);
2823 assert(fd >= 0);
2824
2825 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2826 * connection socket is also properly associated with the cgroup. */
2827
2828 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2829 goto shortcut;
2830
2831 r = bpf_firewall_supported();
2832 if (r < 0)
2833 return r;
2834 if (r == BPF_FIREWALL_UNSUPPORTED)
2835 goto shortcut;
2836
2837 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2838 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2839
2840 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2841 if (r < 0)
2842 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2843 if (r == 0) {
2844 /* Child */
2845
2846 pair[0] = safe_close(pair[0]);
2847
2848 cfd = socket_accept_do(s, fd);
2849 if (cfd < 0) {
2850 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2851 _exit(EXIT_FAILURE);
2852 }
2853
2854 r = send_one_fd(pair[1], cfd, 0);
2855 if (r < 0) {
2856 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2857 _exit(EXIT_FAILURE);
2858 }
2859
2860 _exit(EXIT_SUCCESS);
2861 }
2862
2863 pair[1] = safe_close(pair[1]);
2864 cfd = receive_one_fd(pair[0], 0);
2865
2866 /* We synchronously wait for the helper, as it shouldn't be slow */
2867 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2868 if (r < 0) {
2869 safe_close(cfd);
2870 return r;
2871 }
2872
2873 if (cfd < 0)
2874 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2875
2876 return cfd;
2877
2878 shortcut:
2879 cfd = socket_accept_do(s, fd);
2880 if (cfd < 0)
2881 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2882
2883 return cfd;
2884 }
2885
2886 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2887 SocketPort *p = userdata;
2888 int cfd = -1;
2889
2890 assert(p);
2891 assert(fd >= 0);
2892
2893 if (p->socket->state != SOCKET_LISTENING)
2894 return 0;
2895
2896 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2897
2898 if (revents != EPOLLIN) {
2899
2900 if (revents & EPOLLHUP)
2901 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2902 else
2903 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2904 goto fail;
2905 }
2906
2907 if (p->socket->accept &&
2908 p->type == SOCKET_SOCKET &&
2909 socket_address_can_accept(&p->address)) {
2910
2911 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2912 if (cfd < 0)
2913 goto fail;
2914
2915 socket_apply_socket_options(p->socket, cfd);
2916 }
2917
2918 socket_enter_running(p->socket, cfd);
2919 return 0;
2920
2921 fail:
2922 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2923 return 0;
2924 }
2925
2926 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2927 Socket *s = SOCKET(u);
2928 SocketResult f;
2929
2930 assert(s);
2931 assert(pid >= 0);
2932
2933 if (pid != s->control_pid)
2934 return;
2935
2936 s->control_pid = 0;
2937
2938 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2939 f = SOCKET_SUCCESS;
2940 else if (code == CLD_EXITED)
2941 f = SOCKET_FAILURE_EXIT_CODE;
2942 else if (code == CLD_KILLED)
2943 f = SOCKET_FAILURE_SIGNAL;
2944 else if (code == CLD_DUMPED)
2945 f = SOCKET_FAILURE_CORE_DUMP;
2946 else
2947 assert_not_reached("Unknown sigchld code");
2948
2949 if (s->control_command) {
2950 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2951
2952 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2953 f = SOCKET_SUCCESS;
2954 }
2955
2956 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2957 "Control process exited, code=%s status=%i",
2958 sigchld_code_to_string(code), status);
2959
2960 if (s->result == SOCKET_SUCCESS)
2961 s->result = f;
2962
2963 if (s->control_command &&
2964 s->control_command->command_next &&
2965 f == SOCKET_SUCCESS) {
2966
2967 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
2968 socket_run_next(s);
2969 } else {
2970 s->control_command = NULL;
2971 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2972
2973 /* No further commands for this step, so let's figure
2974 * out what to do next */
2975
2976 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
2977
2978 switch (s->state) {
2979
2980 case SOCKET_START_PRE:
2981 if (f == SOCKET_SUCCESS)
2982 socket_enter_start_chown(s);
2983 else
2984 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
2985 break;
2986
2987 case SOCKET_START_CHOWN:
2988 if (f == SOCKET_SUCCESS)
2989 socket_enter_start_post(s);
2990 else
2991 socket_enter_stop_pre(s, f);
2992 break;
2993
2994 case SOCKET_START_POST:
2995 if (f == SOCKET_SUCCESS)
2996 socket_enter_listening(s);
2997 else
2998 socket_enter_stop_pre(s, f);
2999 break;
3000
3001 case SOCKET_STOP_PRE:
3002 case SOCKET_STOP_PRE_SIGTERM:
3003 case SOCKET_STOP_PRE_SIGKILL:
3004 socket_enter_stop_post(s, f);
3005 break;
3006
3007 case SOCKET_STOP_POST:
3008 case SOCKET_FINAL_SIGTERM:
3009 case SOCKET_FINAL_SIGKILL:
3010 socket_enter_dead(s, f);
3011 break;
3012
3013 default:
3014 assert_not_reached("Uh, control process died at wrong time.");
3015 }
3016 }
3017
3018 /* Notify clients about changed exit status */
3019 unit_add_to_dbus_queue(u);
3020 }
3021
3022 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3023 Socket *s = SOCKET(userdata);
3024
3025 assert(s);
3026 assert(s->timer_event_source == source);
3027
3028 switch (s->state) {
3029
3030 case SOCKET_START_PRE:
3031 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3032 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3033 break;
3034
3035 case SOCKET_START_CHOWN:
3036 case SOCKET_START_POST:
3037 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3038 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3039 break;
3040
3041 case SOCKET_STOP_PRE:
3042 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3043 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3044 break;
3045
3046 case SOCKET_STOP_PRE_SIGTERM:
3047 if (s->kill_context.send_sigkill) {
3048 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3049 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3050 } else {
3051 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3052 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3053 }
3054 break;
3055
3056 case SOCKET_STOP_PRE_SIGKILL:
3057 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3058 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3059 break;
3060
3061 case SOCKET_STOP_POST:
3062 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3063 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3064 break;
3065
3066 case SOCKET_FINAL_SIGTERM:
3067 if (s->kill_context.send_sigkill) {
3068 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3069 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3070 } else {
3071 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3072 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3073 }
3074 break;
3075
3076 case SOCKET_FINAL_SIGKILL:
3077 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3078 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3079 break;
3080
3081 default:
3082 assert_not_reached("Timeout at wrong time.");
3083 }
3084
3085 return 0;
3086 }
3087
3088 int socket_collect_fds(Socket *s, int **fds) {
3089 size_t k = 0, n = 0;
3090 SocketPort *p;
3091 int *rfds;
3092
3093 assert(s);
3094 assert(fds);
3095
3096 /* Called from the service code for requesting our fds */
3097
3098 LIST_FOREACH(port, p, s->ports) {
3099 if (p->fd >= 0)
3100 n++;
3101 n += p->n_auxiliary_fds;
3102 }
3103
3104 if (n <= 0) {
3105 *fds = NULL;
3106 return 0;
3107 }
3108
3109 rfds = new(int, n);
3110 if (!rfds)
3111 return -ENOMEM;
3112
3113 LIST_FOREACH(port, p, s->ports) {
3114 size_t i;
3115
3116 if (p->fd >= 0)
3117 rfds[k++] = p->fd;
3118 for (i = 0; i < p->n_auxiliary_fds; ++i)
3119 rfds[k++] = p->auxiliary_fds[i];
3120 }
3121
3122 assert(k == n);
3123
3124 *fds = rfds;
3125 return (int) n;
3126 }
3127
3128 static void socket_reset_failed(Unit *u) {
3129 Socket *s = SOCKET(u);
3130
3131 assert(s);
3132
3133 if (s->state == SOCKET_FAILED)
3134 socket_set_state(s, SOCKET_DEAD);
3135
3136 s->result = SOCKET_SUCCESS;
3137 }
3138
3139 void socket_connection_unref(Socket *s) {
3140 assert(s);
3141
3142 /* The service is dead. Yay!
3143 *
3144 * This is strictly for one-instance-per-connection
3145 * services. */
3146
3147 assert(s->n_connections > 0);
3148 s->n_connections--;
3149
3150 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3151 }
3152
3153 static void socket_trigger_notify(Unit *u, Unit *other) {
3154 Socket *s = SOCKET(u);
3155
3156 assert(u);
3157 assert(other);
3158
3159 /* Filter out invocations with bogus state */
3160 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3161 return;
3162
3163 /* Don't propagate state changes from the service if we are already down */
3164 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3165 return;
3166
3167 /* We don't care for the service state if we are in Accept=yes mode */
3168 if (s->accept)
3169 return;
3170
3171 /* Propagate start limit hit state */
3172 if (other->start_limit_hit) {
3173 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3174 return;
3175 }
3176
3177 /* Don't propagate anything if there's still a job queued */
3178 if (other->job)
3179 return;
3180
3181 if (IN_SET(SERVICE(other)->state,
3182 SERVICE_DEAD, SERVICE_FAILED,
3183 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3184 SERVICE_AUTO_RESTART))
3185 socket_enter_listening(s);
3186
3187 if (SERVICE(other)->state == SERVICE_RUNNING)
3188 socket_set_state(s, SOCKET_RUNNING);
3189 }
3190
3191 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3192 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3193 }
3194
3195 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3196 Socket *s = SOCKET(u);
3197 usec_t t;
3198 int r;
3199
3200 if (!s->timer_event_source)
3201 return 0;
3202
3203 r = sd_event_source_get_time(s->timer_event_source, &t);
3204 if (r < 0)
3205 return r;
3206 if (t == USEC_INFINITY)
3207 return 0;
3208
3209 *timeout = t;
3210 return 1;
3211 }
3212
3213 char *socket_fdname(Socket *s) {
3214 assert(s);
3215
3216 /* Returns the name to use for $LISTEN_NAMES. If the user
3217 * didn't specify anything specifically, use the socket unit's
3218 * name as fallback. */
3219
3220 return s->fdname ?: UNIT(s)->id;
3221 }
3222
3223 static int socket_control_pid(Unit *u) {
3224 Socket *s = SOCKET(u);
3225
3226 assert(s);
3227
3228 return s->control_pid;
3229 }
3230
3231 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3232 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3233 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3234 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3235 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3236 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3237 };
3238
3239 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3240
3241 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3242 [SOCKET_SUCCESS] = "success",
3243 [SOCKET_FAILURE_RESOURCES] = "resources",
3244 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3245 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3246 [SOCKET_FAILURE_SIGNAL] = "signal",
3247 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3248 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3249 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3250 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3251 };
3252
3253 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3254
3255 const UnitVTable socket_vtable = {
3256 .object_size = sizeof(Socket),
3257 .exec_context_offset = offsetof(Socket, exec_context),
3258 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3259 .kill_context_offset = offsetof(Socket, kill_context),
3260 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3261 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3262
3263 .sections =
3264 "Unit\0"
3265 "Socket\0"
3266 "Install\0",
3267 .private_section = "Socket",
3268
3269 .can_transient = true,
3270
3271 .init = socket_init,
3272 .done = socket_done,
3273 .load = socket_load,
3274
3275 .coldplug = socket_coldplug,
3276
3277 .dump = socket_dump,
3278
3279 .start = socket_start,
3280 .stop = socket_stop,
3281
3282 .kill = socket_kill,
3283
3284 .get_timeout = socket_get_timeout,
3285
3286 .serialize = socket_serialize,
3287 .deserialize_item = socket_deserialize_item,
3288 .distribute_fds = socket_distribute_fds,
3289
3290 .active_state = socket_active_state,
3291 .sub_state_to_string = socket_sub_state_to_string,
3292
3293 .may_gc = socket_may_gc,
3294
3295 .sigchld_event = socket_sigchld_event,
3296
3297 .trigger_notify = socket_trigger_notify,
3298
3299 .reset_failed = socket_reset_failed,
3300
3301 .control_pid = socket_control_pid,
3302
3303 .bus_vtable = bus_socket_vtable,
3304 .bus_set_property = bus_socket_set_property,
3305 .bus_commit_properties = bus_socket_commit_properties,
3306
3307 .status_message_formats = {
3308 /*.starting_stopping = {
3309 [0] = "Starting socket %s...",
3310 [1] = "Stopping socket %s...",
3311 },*/
3312 .finished_start_job = {
3313 [JOB_DONE] = "Listening on %s.",
3314 [JOB_FAILED] = "Failed to listen on %s.",
3315 [JOB_TIMEOUT] = "Timed out starting %s.",
3316 },
3317 .finished_stop_job = {
3318 [JOB_DONE] = "Closed %s.",
3319 [JOB_FAILED] = "Failed stopping %s.",
3320 [JOB_TIMEOUT] = "Timed out stopping %s.",
3321 },
3322 },
3323 };
Unnamed repository; edit this file 'description' to name the repository.