1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 #include <linux/sctp.h>
7 #include <netinet/tcp.h>
13 #include "alloc-util.h"
14 #include "bpf-program.h"
15 #include "bus-common-errors.h"
16 #include "bus-error.h"
18 #include "dbus-socket.h"
19 #include "dbus-unit.h"
20 #include "errno-list.h"
21 #include "errno-util.h"
22 #include "exit-status.h"
23 #include "extract-word.h"
26 #include "format-util.h"
28 #include "glyph-util.h"
29 #include "in-addr-util.h"
31 #include "ip-protocol-list.h"
34 #include "mkdir-label.h"
35 #include "namespace-util.h"
36 #include "parse-util.h"
37 #include "path-util.h"
38 #include "pidfd-util.h"
39 #include "process-util.h"
40 #include "recurse-dir.h"
41 #include "selinux-util.h"
42 #include "serialize.h"
45 #include "siphash24.h"
46 #include "smack-util.h"
48 #include "socket-netlink.h"
50 #include "string-table.h"
51 #include "string-util.h"
54 #include "unit-name.h"
55 #include "user-util.h"
57 typedef struct SocketPeer
{
61 union sockaddr_union peer
;
63 struct ucred peer_cred
;
66 static const UnitActiveState state_translation_table
[_SOCKET_STATE_MAX
] = {
67 [SOCKET_DEAD
] = UNIT_INACTIVE
,
68 [SOCKET_START_PRE
] = UNIT_ACTIVATING
,
69 [SOCKET_START_OPEN
] = UNIT_ACTIVATING
,
70 [SOCKET_START_CHOWN
] = UNIT_ACTIVATING
,
71 [SOCKET_START_POST
] = UNIT_ACTIVATING
,
72 [SOCKET_LISTENING
] = UNIT_ACTIVE
,
73 [SOCKET_DEFERRED
] = UNIT_ACTIVE
,
74 [SOCKET_RUNNING
] = UNIT_ACTIVE
,
75 [SOCKET_STOP_PRE
] = UNIT_DEACTIVATING
,
76 [SOCKET_STOP_PRE_SIGTERM
] = UNIT_DEACTIVATING
,
77 [SOCKET_STOP_PRE_SIGKILL
] = UNIT_DEACTIVATING
,
78 [SOCKET_STOP_POST
] = UNIT_DEACTIVATING
,
79 [SOCKET_FINAL_SIGTERM
] = UNIT_DEACTIVATING
,
80 [SOCKET_FINAL_SIGKILL
] = UNIT_DEACTIVATING
,
81 [SOCKET_FAILED
] = UNIT_FAILED
,
82 [SOCKET_CLEANING
] = UNIT_MAINTENANCE
,
85 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
);
86 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
);
88 static bool SOCKET_STATE_WITH_PROCESS(SocketState state
) {
94 SOCKET_STOP_PRE_SIGTERM
,
95 SOCKET_STOP_PRE_SIGKILL
,
102 static bool SOCKET_SERVICE_IS_ACTIVE(Service
*s
, bool allow_finalize
) {
105 /* If unit_active_state() reports inactive/failed then it's all good, otherwise we need to
106 * manually exclude SERVICE_AUTO_RESTART and SERVICE_AUTO_RESTART_QUEUED, in which cases
107 * the start job hasn't been enqueued/run, but are only placeholders in order to allow
108 * canceling auto restart. */
110 if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(UNIT(s
))))
113 if (IN_SET(s
->state
, SERVICE_AUTO_RESTART
, SERVICE_AUTO_RESTART_QUEUED
))
116 if (allow_finalize
&& IN_SET(s
->state
, SERVICE_FINAL_SIGTERM
, SERVICE_FINAL_SIGKILL
, SERVICE_CLEANING
))
122 static void socket_init(Unit
*u
) {
123 Socket
*s
= ASSERT_PTR(SOCKET(u
));
125 assert(u
->load_state
== UNIT_STUB
);
127 s
->backlog
= SOMAXCONN_DELUXE
;
128 s
->timeout_usec
= u
->manager
->defaults
.timeout_start_usec
;
129 s
->directory_mode
= 0755;
130 s
->socket_mode
= 0666;
132 s
->max_connections
= 64;
134 s
->pass_rights
= true; /* defaults to enabled in kernel */
140 s
->exec_context
.std_output
= u
->manager
->defaults
.std_output
;
141 s
->exec_context
.std_error
= u
->manager
->defaults
.std_error
;
143 s
->control_pid
= PIDREF_NULL
;
144 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
146 s
->trigger_limit
= RATELIMIT_OFF
;
148 s
->poll_limit
= RATELIMIT_OFF
;
150 s
->defer_trigger_max_usec
= USEC_INFINITY
;
153 static void socket_unwatch_control_pid(Socket
*s
) {
155 unit_unwatch_pidref_done(UNIT(s
), &s
->control_pid
);
158 static void socket_port_close_auxiliary_fds(SocketPort
*p
) {
161 close_many(p
->auxiliary_fds
, p
->n_auxiliary_fds
);
162 p
->auxiliary_fds
= mfree(p
->auxiliary_fds
);
163 p
->n_auxiliary_fds
= 0;
166 SocketPort
* socket_port_free(SocketPort
*p
) {
170 sd_event_source_unref(p
->event_source
);
172 socket_port_close_auxiliary_fds(p
);
179 void socket_free_ports(Socket
*s
) {
182 LIST_CLEAR(port
, s
->ports
, socket_port_free
);
185 static void socket_done(Unit
*u
) {
186 Socket
*s
= ASSERT_PTR(SOCKET(u
));
189 socket_free_ports(s
);
191 while ((p
= set_steal_first(s
->peers_by_address
)))
194 s
->peers_by_address
= set_free(s
->peers_by_address
);
196 s
->exec_runtime
= exec_runtime_free(s
->exec_runtime
);
198 exec_command_free_array(s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
);
199 s
->control_command
= NULL
;
201 socket_unwatch_control_pid(s
);
203 unit_ref_unset(&s
->service
);
205 s
->tcp_congestion
= mfree(s
->tcp_congestion
);
206 s
->bind_to_device
= mfree(s
->bind_to_device
);
208 s
->smack
= mfree(s
->smack
);
209 s
->smack_ip_in
= mfree(s
->smack_ip_in
);
210 s
->smack_ip_out
= mfree(s
->smack_ip_out
);
212 strv_free(s
->symlinks
);
214 s
->user
= mfree(s
->user
);
215 s
->group
= mfree(s
->group
);
217 s
->fdname
= mfree(s
->fdname
);
219 s
->timer_event_source
= sd_event_source_disable_unref(s
->timer_event_source
);
222 static int socket_arm_timer(Socket
*s
, bool relative
, usec_t usec
) {
225 return unit_arm_timer(UNIT(s
), &s
->timer_event_source
, relative
, usec
, socket_dispatch_timer
);
228 static bool have_non_accept_socket(Socket
*s
) {
234 LIST_FOREACH(port
, p
, s
->ports
) {
236 if (p
->type
!= SOCKET_SOCKET
)
239 if (!socket_address_can_accept(&p
->address
))
246 static int socket_add_mount_dependencies(Socket
*s
) {
251 LIST_FOREACH(port
, p
, s
->ports
) {
252 const char *path
= NULL
;
254 if (p
->type
== SOCKET_SOCKET
)
255 path
= socket_address_get_path(&p
->address
);
256 else if (IN_SET(p
->type
, SOCKET_FIFO
, SOCKET_SPECIAL
, SOCKET_USB_FUNCTION
))
262 r
= unit_add_mounts_for(UNIT(s
), path
, UNIT_DEPENDENCY_FILE
, UNIT_MOUNT_REQUIRES
);
270 static int socket_add_device_dependencies(Socket
*s
) {
275 if (!s
->bind_to_device
|| streq(s
->bind_to_device
, "lo"))
278 t
= strjoina("/sys/subsystem/net/devices/", s
->bind_to_device
);
279 return unit_add_node_dependency(UNIT(s
), t
, UNIT_BINDS_TO
, UNIT_DEPENDENCY_FILE
);
282 static int socket_add_default_dependencies(Socket
*s
) {
287 if (!UNIT(s
)->default_dependencies
)
290 r
= unit_add_dependency_by_name(UNIT(s
), UNIT_BEFORE
, SPECIAL_SOCKETS_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
294 if (MANAGER_IS_SYSTEM(UNIT(s
)->manager
)) {
295 r
= unit_add_two_dependencies_by_name(UNIT(s
), UNIT_AFTER
, UNIT_REQUIRES
, SPECIAL_SYSINIT_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
300 return unit_add_two_dependencies_by_name(UNIT(s
), UNIT_BEFORE
, UNIT_CONFLICTS
, SPECIAL_SHUTDOWN_TARGET
, true, UNIT_DEPENDENCY_DEFAULT
);
303 static bool socket_has_exec(Socket
*s
) {
306 FOREACH_ARRAY(i
, s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
)
313 static int socket_add_extras(Socket
*s
) {
314 Unit
*u
= UNIT(ASSERT_PTR(s
));
317 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
318 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
319 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
320 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
321 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
322 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
323 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
324 * service starts are typical.
326 * For the poll limit we follow a similar rule, but use 3/4th of the trigger limit parameters, to
327 * trigger this earlier. */
329 if (s
->trigger_limit
.interval
== USEC_INFINITY
)
330 s
->trigger_limit
.interval
= 2 * USEC_PER_SEC
;
331 if (s
->trigger_limit
.burst
== UINT_MAX
)
332 s
->trigger_limit
.burst
= s
->accept
? 200 : 20;
334 if (s
->poll_limit
.interval
== USEC_INFINITY
)
335 s
->poll_limit
.interval
= 2 * USEC_PER_SEC
;
336 if (s
->poll_limit
.burst
== UINT_MAX
)
337 s
->poll_limit
.burst
= s
->accept
? 150 : 15;
339 if (have_non_accept_socket(s
)) {
341 if (!UNIT_ISSET(s
->service
)) {
344 r
= unit_load_related_unit(u
, ".service", &x
);
348 unit_ref_set(&s
->service
, u
, x
);
351 r
= unit_add_two_dependencies(u
, UNIT_BEFORE
, UNIT_TRIGGERS
, UNIT_DEREF(s
->service
), true, UNIT_DEPENDENCY_IMPLICIT
);
356 r
= socket_add_mount_dependencies(s
);
360 r
= socket_add_device_dependencies(s
);
364 r
= unit_patch_contexts(u
);
368 if (socket_has_exec(s
)) {
369 r
= unit_add_exec_dependencies(u
, &s
->exec_context
);
374 r
= unit_set_default_slice(u
);
378 r
= socket_add_default_dependencies(s
);
385 static const char* socket_find_symlink_target(Socket
*s
) {
386 const char *found
= NULL
;
390 LIST_FOREACH(port
, p
, s
->ports
) {
400 f
= socket_address_get_path(&p
->address
);
418 static int socket_verify(Socket
*s
) {
420 assert(UNIT(s
)->load_state
== UNIT_LOADED
);
423 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
425 if (s
->max_connections
<= 0)
426 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "MaxConnection= setting too small. Refusing.");
428 if (s
->accept
&& have_non_accept_socket(s
))
429 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
431 if (s
->accept
&& UNIT_ISSET(s
->service
))
432 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "Explicit service configuration for accepting socket units not supported. Refusing.");
434 if (s
->accept
&& s
->defer_trigger
!= SOCKET_DEFER_NO
)
435 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "Socket unit is configured to be accepting with DeferTrigger= enabled. Refusing.");
437 if (!strv_isempty(s
->symlinks
) && !socket_find_symlink_target(s
))
438 return log_unit_error_errno(UNIT(s
), SYNTHETIC_ERRNO(ENOEXEC
), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
443 static void peer_address_hash_func(const SocketPeer
*s
, struct siphash
*state
) {
446 if (s
->peer
.sa
.sa_family
== AF_INET
)
447 siphash24_compress_typesafe(s
->peer
.in
.sin_addr
, state
);
448 else if (s
->peer
.sa
.sa_family
== AF_INET6
)
449 siphash24_compress_typesafe(s
->peer
.in6
.sin6_addr
, state
);
450 else if (s
->peer
.sa
.sa_family
== AF_VSOCK
)
451 siphash24_compress_typesafe(s
->peer
.vm
.svm_cid
, state
);
452 else if (s
->peer
.sa
.sa_family
== AF_UNIX
)
453 siphash24_compress_typesafe(s
->peer_cred
.uid
, state
);
455 assert_not_reached();
458 static int peer_address_compare_func(const SocketPeer
*x
, const SocketPeer
*y
) {
461 r
= CMP(x
->peer
.sa
.sa_family
, y
->peer
.sa
.sa_family
);
465 switch (x
->peer
.sa
.sa_family
) {
467 return memcmp(&x
->peer
.in
.sin_addr
, &y
->peer
.in
.sin_addr
, sizeof(x
->peer
.in
.sin_addr
));
469 return memcmp(&x
->peer
.in6
.sin6_addr
, &y
->peer
.in6
.sin6_addr
, sizeof(x
->peer
.in6
.sin6_addr
));
471 return CMP(x
->peer
.vm
.svm_cid
, y
->peer
.vm
.svm_cid
);
473 return CMP(x
->peer_cred
.uid
, y
->peer_cred
.uid
);
475 assert_not_reached();
478 DEFINE_PRIVATE_HASH_OPS(peer_address_hash_ops
, SocketPeer
, peer_address_hash_func
, peer_address_compare_func
);
480 static int socket_load(Unit
*u
) {
481 Socket
*s
= ASSERT_PTR(SOCKET(u
));
484 assert(u
->load_state
== UNIT_STUB
);
486 r
= unit_load_fragment_and_dropin(u
, true);
490 if (u
->load_state
!= UNIT_LOADED
)
493 /* This is a new unit? Then let's add in some extras */
494 r
= socket_add_extras(s
);
498 return socket_verify(s
);
501 static SocketPeer
* socket_peer_dup(const SocketPeer
*q
) {
506 p
= new(SocketPeer
, 1);
513 .peer_salen
= q
->peer_salen
,
514 .peer_cred
= q
->peer_cred
,
520 static SocketPeer
* socket_peer_free(SocketPeer
*p
) {
524 set_remove(p
->socket
->peers_by_address
, p
);
529 DEFINE_TRIVIAL_REF_UNREF_FUNC(SocketPeer
, socket_peer
, socket_peer_free
);
531 int socket_acquire_peer(Socket
*s
, int fd
, SocketPeer
**ret
) {
532 _cleanup_(socket_peer_unrefp
) SocketPeer
*remote
= NULL
;
534 .peer_salen
= sizeof(union sockaddr_union
),
535 .peer_cred
= UCRED_INVALID
,
543 if (getpeername(fd
, &key
.peer
.sa
, &key
.peer_salen
) < 0)
544 return log_unit_error_errno(UNIT(s
), errno
, "getpeername() failed: %m");
546 switch (key
.peer
.sa
.sa_family
) {
553 r
= getpeercred(fd
, &key
.peer_cred
);
555 return log_unit_error_errno(UNIT(s
), r
, "Failed to get peer credentials of socket: %m");
563 i
= set_get(s
->peers_by_address
, &key
);
565 *ret
= socket_peer_ref(i
);
569 remote
= socket_peer_dup(&key
);
573 r
= set_ensure_put(&s
->peers_by_address
, &peer_address_hash_ops
, remote
);
575 return log_unit_error_errno(UNIT(s
), r
, "Failed to insert peer info into hash table: %m");
579 *ret
= TAKE_PTR(remote
);
583 static const char* listen_lookup(int family
, int type
) {
585 if (family
== AF_NETLINK
)
586 return "ListenNetlink";
588 if (type
== SOCK_STREAM
)
589 return "ListenStream";
590 else if (type
== SOCK_DGRAM
)
591 return "ListenDatagram";
592 else if (type
== SOCK_SEQPACKET
)
593 return "ListenSequentialPacket";
595 assert_not_reached();
598 static void socket_dump(Unit
*u
, FILE *f
, const char *prefix
) {
599 Socket
*s
= ASSERT_PTR(SOCKET(u
));
600 const char *prefix2
, *str
;
604 prefix
= strempty(prefix
);
605 prefix2
= strjoina(prefix
, "\t");
608 "%sSocket State: %s\n"
610 "%sClean Result: %s\n"
611 "%sBindIPv6Only: %s\n"
613 "%sSocketMode: %04o\n"
614 "%sDirectoryMode: %04o\n"
618 "%sTransparent: %s\n"
620 "%sPassCredentials: %s\n"
622 "%sPassSecurity: %s\n"
623 "%sPassPacketInfo: %s\n"
624 "%sAcceptFileDescriptors: %s\n"
625 "%sTCPCongestion: %s\n"
626 "%sRemoveOnStop: %s\n"
628 "%sFileDescriptorName: %s\n"
629 "%sPassFileDescriptorsToExec: %s\n"
630 "%sSELinuxContextFromNet: %s\n",
631 prefix
, socket_state_to_string(s
->state
),
632 prefix
, socket_result_to_string(s
->result
),
633 prefix
, socket_result_to_string(s
->clean_result
),
634 prefix
, socket_address_bind_ipv6_only_to_string(s
->bind_ipv6_only
),
636 prefix
, s
->socket_mode
,
637 prefix
, s
->directory_mode
,
638 prefix
, yes_no(s
->keep_alive
),
639 prefix
, yes_no(s
->no_delay
),
640 prefix
, yes_no(s
->free_bind
),
641 prefix
, yes_no(s
->transparent
),
642 prefix
, yes_no(s
->broadcast
),
643 prefix
, yes_no(s
->pass_cred
),
644 prefix
, yes_no(s
->pass_pidfd
),
645 prefix
, yes_no(s
->pass_sec
),
646 prefix
, yes_no(s
->pass_pktinfo
),
647 prefix
, yes_no(s
->pass_rights
),
648 prefix
, strna(s
->tcp_congestion
),
649 prefix
, yes_no(s
->remove_on_stop
),
650 prefix
, yes_no(s
->writable
),
651 prefix
, socket_fdname(s
),
652 prefix
, yes_no(s
->pass_fds_to_exec
),
653 prefix
, yes_no(s
->selinux_context_from_net
));
655 if (s
->timestamping
!= SOCKET_TIMESTAMPING_OFF
)
657 "%sTimestamping: %s\n",
658 prefix
, socket_timestamping_to_string(s
->timestamping
));
660 if (pidref_is_set(&s
->control_pid
))
662 "%sControl PID: "PID_FMT
"\n",
663 prefix
, s
->control_pid
.pid
);
665 if (s
->bind_to_device
)
667 "%sBindToDevice: %s\n",
668 prefix
, s
->bind_to_device
);
673 "%sNConnections: %u\n"
674 "%sMaxConnections: %u\n"
675 "%sMaxConnectionsPerSource: %u\n",
676 prefix
, s
->n_accepted
,
677 prefix
, s
->n_connections
,
678 prefix
, s
->max_connections
,
679 prefix
, s
->max_connections_per_source
);
682 "%sFlushPending: %s\n"
683 "%sDeferTrigger: %s\n"
684 "%sDeferTriggerMaxSec: %s\n",
685 prefix
, yes_no(s
->flush_pending
),
686 prefix
, socket_defer_trigger_to_string(s
->defer_trigger
),
687 prefix
, FORMAT_TIMESPAN(s
->defer_trigger_max_usec
, USEC_PER_SEC
));
689 if (s
->priority
>= 0)
692 prefix
, s
->priority
);
694 if (s
->receive_buffer
> 0)
696 "%sReceiveBuffer: %zu\n",
697 prefix
, s
->receive_buffer
);
699 if (s
->send_buffer
> 0)
701 "%sSendBuffer: %zu\n",
702 prefix
, s
->send_buffer
);
714 if (s
->pipe_size
> 0)
717 prefix
, s
->pipe_size
);
724 if (s
->mq_maxmsg
> 0)
726 "%sMessageQueueMaxMessages: %li\n",
727 prefix
, s
->mq_maxmsg
);
729 if (s
->mq_msgsize
> 0)
731 "%sMessageQueueMessageSize: %li\n",
732 prefix
, s
->mq_msgsize
);
737 prefix
, yes_no(s
->reuse_port
));
741 "%sSmackLabel: %s\n",
746 "%sSmackLabelIPIn: %s\n",
747 prefix
, s
->smack_ip_in
);
751 "%sSmackLabelIPOut: %s\n",
752 prefix
, s
->smack_ip_out
);
754 if (!isempty(s
->user
) || !isempty(s
->group
))
757 "%sSocketGroup: %s\n",
758 prefix
, strna(s
->user
),
759 prefix
, strna(s
->group
));
761 if (timestamp_is_set(s
->keep_alive_time
))
763 "%sKeepAliveTimeSec: %s\n",
764 prefix
, FORMAT_TIMESPAN(s
->keep_alive_time
, USEC_PER_SEC
));
766 if (s
->keep_alive_interval
> 0)
768 "%sKeepAliveIntervalSec: %s\n",
769 prefix
, FORMAT_TIMESPAN(s
->keep_alive_interval
, USEC_PER_SEC
));
771 if (s
->keep_alive_cnt
> 0)
773 "%sKeepAliveProbes: %u\n",
774 prefix
, s
->keep_alive_cnt
);
776 if (s
->defer_accept
> 0)
778 "%sDeferAcceptSec: %s\n",
779 prefix
, FORMAT_TIMESPAN(s
->defer_accept
, USEC_PER_SEC
));
781 LIST_FOREACH(port
, p
, s
->ports
) {
784 case SOCKET_SOCKET
: {
785 _cleanup_free_
char *k
= NULL
;
788 r
= socket_address_print(&p
->address
, &k
);
791 fprintf(f
, "%s%s: %m\n", prefix
, listen_lookup(socket_address_family(&p
->address
), p
->address
.type
));
793 fprintf(f
, "%s%s: %s\n", prefix
, listen_lookup(socket_address_family(&p
->address
), p
->address
.type
), k
);
797 fprintf(f
, "%sListenSpecial: %s\n", prefix
, p
->path
);
799 case SOCKET_USB_FUNCTION
:
800 fprintf(f
, "%sListenUSBFunction: %s\n", prefix
, p
->path
);
803 fprintf(f
, "%sListenMessageQueue: %s\n", prefix
, p
->path
);
806 fprintf(f
, "%sListenFIFO: %s\n", prefix
, p
->path
);
811 "%sTriggerLimitIntervalSec: %s\n"
812 "%sTriggerLimitBurst: %u\n"
813 "%sPollLimitIntervalSec: %s\n"
814 "%sPollLimitBurst: %u\n",
815 prefix
, FORMAT_TIMESPAN(s
->trigger_limit
.interval
, USEC_PER_SEC
),
816 prefix
, s
->trigger_limit
.burst
,
817 prefix
, FORMAT_TIMESPAN(s
->poll_limit
.interval
, USEC_PER_SEC
),
818 prefix
, s
->poll_limit
.burst
);
820 str
= ip_protocol_to_name(s
->socket_protocol
);
822 fprintf(f
, "%sSocketProtocol: %s\n", prefix
, str
);
824 if (!strv_isempty(s
->symlinks
)) {
825 fprintf(f
, "%sSymlinks:", prefix
);
826 STRV_FOREACH(q
, s
->symlinks
)
827 fprintf(f
, " %s", *q
);
833 "%sTimeoutSec: %s\n",
834 prefix
, FORMAT_TIMESPAN(s
->timeout_usec
, USEC_PER_SEC
));
836 exec_context_dump(&s
->exec_context
, f
, prefix
);
837 kill_context_dump(&s
->kill_context
, f
, prefix
);
839 for (SocketExecCommand c
= 0; c
< _SOCKET_EXEC_COMMAND_MAX
; c
++) {
840 if (!s
->exec_command
[c
])
843 fprintf(f
, "%s%s %s:\n",
844 prefix
, glyph(GLYPH_ARROW_RIGHT
), socket_exec_command_to_string(c
));
846 exec_command_dump_list(s
->exec_command
[c
], f
, prefix2
);
849 cgroup_context_dump(UNIT(s
), f
, prefix
);
852 static int instance_from_socket(
857 union sockaddr_union local
, remote
;
865 if (getsockname(fd
, &local
.sa
, &l
) < 0)
869 if (getpeername(fd
, &remote
.sa
, &l
) < 0)
873 r
= socket_get_cookie(fd
, &cookie
);
879 switch (local
.sa
.sa_family
) {
883 a
= be32toh(local
.in
.sin_addr
.s_addr
),
884 b
= be32toh(remote
.in
.sin_addr
.s_addr
);
887 "%u-%" PRIu64
"-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
890 a
>> 24, (a
>> 16) & 0xFF, (a
>> 8) & 0xFF, a
& 0xFF,
891 be16toh(local
.in
.sin_port
),
892 b
>> 24, (b
>> 16) & 0xFF, (b
>> 8) & 0xFF, b
& 0xFF,
893 be16toh(remote
.in
.sin_port
)) < 0)
900 static const unsigned char ipv4_prefix
[] = {
901 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
904 if (memcmp(&local
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0 &&
905 memcmp(&remote
.in6
.sin6_addr
, ipv4_prefix
, sizeof(ipv4_prefix
)) == 0) {
907 *a
= local
.in6
.sin6_addr
.s6_addr
+12,
908 *b
= remote
.in6
.sin6_addr
.s6_addr
+12;
911 "%u-%" PRIu64
"-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
914 a
[0], a
[1], a
[2], a
[3],
915 be16toh(local
.in6
.sin6_port
),
916 b
[0], b
[1], b
[2], b
[3],
917 be16toh(remote
.in6
.sin6_port
)) < 0)
921 "%u-%" PRIu64
"-%s:%u-%s:%u",
924 IN6_ADDR_TO_STRING(&local
.in6
.sin6_addr
),
925 be16toh(local
.in6
.sin6_port
),
926 IN6_ADDR_TO_STRING(&remote
.in6
.sin6_addr
),
927 be16toh(remote
.in6
.sin6_port
)) < 0)
937 r
= getpeercred(fd
, &ucred
);
939 _cleanup_close_
int pidfd
= getpeerpidfd(fd
);
942 if (pidfd
>= 0 && pidfd_get_inode_id(pidfd
, &pidfd_id
) >= 0)
943 r
= asprintf(&s
, "%u-%" PRIu64
"-" PID_FMT
"_%" PRIu64
"-" UID_FMT
,
944 nr
, cookie
, ucred
.pid
, pidfd_id
, ucred
.uid
);
946 r
= asprintf(&s
, "%u-%" PRIu64
"-" PID_FMT
"-" UID_FMT
,
947 nr
, cookie
, ucred
.pid
, ucred
.uid
);
950 } else if (r
== -ENODATA
) {
951 /* This handles the case where somebody is connecting from another pid/uid namespace
952 * (e.g. from outside of our container). */
954 "%u-%" PRIu64
"-unknown",
966 "%u-%" PRIu64
"-%u:%u-%u:%u",
969 local
.vm
.svm_cid
, local
.vm
.svm_port
,
970 remote
.vm
.svm_cid
, remote
.vm
.svm_port
) < 0)
976 assert_not_reached();
983 static void socket_close_fds(Socket
*s
) {
986 LIST_FOREACH(port
, p
, s
->ports
) {
987 bool was_open
= p
->fd
>= 0;
989 p
->event_source
= sd_event_source_disable_unref(p
->event_source
);
990 p
->fd
= safe_close(p
->fd
);
991 socket_port_close_auxiliary_fds(p
);
993 /* One little note: we should normally not delete any sockets in the file system here! After all some
994 * other process we spawned might still have a reference of this fd and wants to continue to use
995 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
996 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
997 * anyway, but only then. */
999 if (!was_open
|| !s
->remove_on_stop
)
1005 (void) unlink(p
->path
);
1009 (void) mq_unlink(p
->path
);
1013 (void) socket_address_unlink(&p
->address
);
1021 if (s
->remove_on_stop
)
1022 STRV_FOREACH(i
, s
->symlinks
)
1025 /* Note that we don't return NULL here, since s has not been freed. */
1028 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(Socket
*, socket_close_fds
, NULL
);
1030 #define SOCKET_OPTION_WARNING_FORMAT_STR "Failed to set %s socket option, ignoring: %m"
1031 #define log_socket_option_warning_errno(s, error, option) \
1032 log_unit_warning_errno(UNIT(s), (error), SOCKET_OPTION_WARNING_FORMAT_STR, STRINGIFY(option))
1034 static void socket_apply_socket_options(Socket
*s
, SocketPort
*p
, int fd
) {
1041 if (s
->keep_alive
) {
1042 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_KEEPALIVE
, true);
1044 log_socket_option_warning_errno(s
, r
, SO_KEEPALIVE
);
1047 if (timestamp_is_set(s
->keep_alive_time
)) {
1048 r
= setsockopt_int(fd
, SOL_TCP
, TCP_KEEPIDLE
, s
->keep_alive_time
/ USEC_PER_SEC
);
1050 log_socket_option_warning_errno(s
, r
, TCP_KEEPIDLE
);
1053 if (s
->keep_alive_interval
> 0) {
1054 r
= setsockopt_int(fd
, SOL_TCP
, TCP_KEEPINTVL
, s
->keep_alive_interval
/ USEC_PER_SEC
);
1056 log_socket_option_warning_errno(s
, r
, TCP_KEEPINTVL
);
1059 if (s
->keep_alive_cnt
> 0) {
1060 r
= setsockopt_int(fd
, SOL_TCP
, TCP_KEEPCNT
, s
->keep_alive_cnt
);
1062 log_socket_option_warning_errno(s
, r
, TCP_KEEPCNT
);
1065 if (s
->defer_accept
> 0) {
1066 r
= setsockopt_int(fd
, SOL_TCP
, TCP_DEFER_ACCEPT
, s
->defer_accept
/ USEC_PER_SEC
);
1068 log_socket_option_warning_errno(s
, r
, TCP_DEFER_ACCEPT
);
1072 if (s
->socket_protocol
== IPPROTO_SCTP
) {
1073 r
= setsockopt_int(fd
, SOL_SCTP
, SCTP_NODELAY
, true);
1075 log_socket_option_warning_errno(s
, r
, SCTP_NODELAY
);
1077 r
= setsockopt_int(fd
, SOL_TCP
, TCP_NODELAY
, true);
1079 log_socket_option_warning_errno(s
, r
, TCP_NODELAY
);
1084 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_BROADCAST
, true);
1086 log_socket_option_warning_errno(s
, r
, SO_BROADCAST
);
1090 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSCRED
, true);
1092 log_socket_option_warning_errno(s
, r
, SO_PASSCRED
);
1095 if (s
->pass_pidfd
) {
1096 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSPIDFD
, true);
1098 log_unit_full_errno(UNIT(s
), ERRNO_IS_NEG_NOT_SUPPORTED(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1099 SOCKET_OPTION_WARNING_FORMAT_STR
, "SO_PASSPIDFD");
1103 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSSEC
, true);
1105 log_unit_full_errno(UNIT(s
), ERRNO_IS_NEG_NOT_SUPPORTED(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1106 SOCKET_OPTION_WARNING_FORMAT_STR
, "SO_PASSSEC");
1109 if (s
->pass_pktinfo
) {
1110 r
= socket_set_recvpktinfo(fd
, socket_address_family(&p
->address
), true);
1112 log_unit_warning_errno(UNIT(s
), r
, SOCKET_OPTION_WARNING_FORMAT_STR
, "packet info");
1115 if (!s
->pass_rights
) {
1116 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSRIGHTS
, false);
1118 log_unit_full_errno(UNIT(s
), ERRNO_IS_NEG_NOT_SUPPORTED(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1119 SOCKET_OPTION_WARNING_FORMAT_STR
, "SO_PASSRIGHTS");
1122 if (s
->timestamping
!= SOCKET_TIMESTAMPING_OFF
) {
1123 r
= setsockopt_int(fd
, SOL_SOCKET
,
1124 s
->timestamping
== SOCKET_TIMESTAMPING_NS
? SO_TIMESTAMPNS
: SO_TIMESTAMP
,
1127 log_unit_warning_errno(UNIT(s
), r
, SOCKET_OPTION_WARNING_FORMAT_STR
, "timestamping");
1130 if (s
->priority
>= 0) {
1131 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PRIORITY
, s
->priority
);
1133 log_socket_option_warning_errno(s
, r
, SO_PRIORITY
);
1136 if (s
->receive_buffer
> 0) {
1137 r
= fd_set_rcvbuf(fd
, s
->receive_buffer
, false);
1139 log_unit_full_errno(UNIT(s
), ERRNO_IS_NEG_PRIVILEGE(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1140 SOCKET_OPTION_WARNING_FORMAT_STR
, "SO_RCVBUF/SO_RCVBUFFORCE");
1143 if (s
->send_buffer
> 0) {
1144 r
= fd_set_sndbuf(fd
, s
->send_buffer
, false);
1146 log_unit_full_errno(UNIT(s
), ERRNO_IS_NEG_PRIVILEGE(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1147 SOCKET_OPTION_WARNING_FORMAT_STR
, "SO_SNDBUF/SO_SNDBUFFORCE");
1151 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_MARK
, s
->mark
);
1153 log_socket_option_warning_errno(s
, r
, SO_MARK
);
1156 if (s
->ip_tos
>= 0) {
1157 r
= setsockopt_int(fd
, IPPROTO_IP
, IP_TOS
, s
->ip_tos
);
1159 log_socket_option_warning_errno(s
, r
, IP_TOS
);
1162 if (s
->ip_ttl
>= 0) {
1163 r
= socket_set_ttl(fd
, socket_address_family(&p
->address
), s
->ip_ttl
);
1165 log_unit_warning_errno(UNIT(s
), r
, SOCKET_OPTION_WARNING_FORMAT_STR
, "IP_TTL/IPV6_UNICAST_HOPS");
1168 if (s
->tcp_congestion
)
1169 if (setsockopt(fd
, SOL_TCP
, TCP_CONGESTION
, s
->tcp_congestion
, strlen(s
->tcp_congestion
)+1) < 0)
1170 log_socket_option_warning_errno(s
, errno
, TCP_CONGESTION
);
1172 if (s
->smack_ip_in
) {
1173 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPIN
, s
->smack_ip_in
);
1175 log_unit_error_errno(UNIT(s
), r
, "Failed to apply SMACK label for IP input, ignoring: %m");
1178 if (s
->smack_ip_out
) {
1179 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_IPOUT
, s
->smack_ip_out
);
1181 log_unit_error_errno(UNIT(s
), r
, "Failed to apply SMACK label for IP output, ignoring: %m");
1185 static void socket_apply_fifo_options(Socket
*s
, int fd
) {
1191 if (s
->pipe_size
> 0)
1192 if (fcntl(fd
, F_SETPIPE_SZ
, s
->pipe_size
) < 0)
1193 log_unit_warning_errno(UNIT(s
), errno
, "Setting pipe size failed, ignoring: %m");
1196 r
= mac_smack_apply_fd(fd
, SMACK_ATTR_ACCESS
, s
->smack
);
1198 log_unit_error_errno(UNIT(s
), r
, "SMACK relabelling failed, ignoring: %m");
1202 static int fifo_address_create(
1204 mode_t directory_mode
,
1205 mode_t socket_mode
) {
1207 _cleanup_close_
int fd
= -EBADF
;
1214 (void) mkdir_parents_label(path
, directory_mode
);
1216 r
= mac_selinux_create_file_prepare(path
, S_IFIFO
);
1220 /* Enforce the right access mode for the fifo */
1221 old_mask
= umask(~socket_mode
);
1223 /* Include the original umask in our mask */
1224 (void) umask(~socket_mode
| old_mask
);
1226 r
= mkfifo(path
, socket_mode
);
1227 (void) umask(old_mask
);
1229 if (r
< 0 && errno
!= EEXIST
) {
1234 fd
= open(path
, O_RDWR
| O_CLOEXEC
| O_NOCTTY
| O_NONBLOCK
| O_NOFOLLOW
);
1240 mac_selinux_create_file_clear();
1242 if (fstat(fd
, &st
) < 0) {
1247 if (!S_ISFIFO(st
.st_mode
) ||
1248 (st
.st_mode
& 0777) != (socket_mode
& ~old_mask
) ||
1249 st
.st_uid
!= getuid() ||
1250 st
.st_gid
!= getgid()) {
1258 mac_selinux_create_file_clear();
1262 static int special_address_create(const char *path
, bool writable
) {
1263 _cleanup_close_
int fd
= -EBADF
;
1268 fd
= open(path
, (writable
? O_RDWR
: O_RDONLY
)|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1272 if (fstat(fd
, &st
) < 0)
1275 /* Check whether this is a /proc, /sys or /dev file or char device */
1276 if (!S_ISREG(st
.st_mode
) && !S_ISCHR(st
.st_mode
))
1282 static int usbffs_address_create_at(int dfd
, const char *name
) {
1283 _cleanup_close_
int fd
= -EBADF
;
1289 fd
= openat(dfd
, name
, O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
|O_NOFOLLOW
);
1293 if (fstat(fd
, &st
) < 0)
1296 /* Check whether this is a regular file (ffs endpoint) */
1297 if (!S_ISREG(st
.st_mode
))
1303 static int mq_address_create(
1309 _cleanup_close_
int fd
= -EBADF
;
1312 struct mq_attr _attr
, *attr
= NULL
;
1316 if (maxmsg
> 0 && msgsize
> 0) {
1317 _attr
= (struct mq_attr
) {
1318 .mq_flags
= O_NONBLOCK
,
1319 .mq_maxmsg
= maxmsg
,
1320 .mq_msgsize
= msgsize
,
1325 /* Enforce the right access mode for the mq */
1326 old_mask
= umask(~mq_mode
);
1328 /* Include the original umask in our mask */
1329 (void) umask(~mq_mode
| old_mask
);
1330 fd
= mq_open(path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_CREAT
, mq_mode
, attr
);
1331 (void) umask(old_mask
);
1336 if (fstat(fd
, &st
) < 0)
1339 if ((st
.st_mode
& 0777) != (mq_mode
& ~old_mask
) ||
1340 st
.st_uid
!= getuid() ||
1341 st
.st_gid
!= getgid())
1347 static int socket_symlink(Socket
*s
) {
1353 p
= socket_find_symlink_target(s
);
1357 STRV_FOREACH(i
, s
->symlinks
) {
1358 (void) mkdir_parents_label(*i
, s
->directory_mode
);
1360 r
= symlink_idempotent(p
, *i
, false);
1361 if (r
== -EEXIST
&& s
->remove_on_stop
) {
1362 /* If there's already something where we want to create the symlink, and the destructive
1363 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1366 if (unlink(*i
) >= 0)
1367 r
= symlink_idempotent(p
, *i
, false);
1370 log_unit_warning_errno(UNIT(s
), r
, "Failed to create symlink %s %s %s, ignoring: %m",
1371 p
, glyph(GLYPH_ARROW_RIGHT
), *i
);
1377 static int usbffs_write_descs(int fd
, Service
*s
) {
1383 if (!s
->usb_function_descriptors
|| !s
->usb_function_strings
)
1386 r
= copy_file_fd(s
->usb_function_descriptors
, fd
, 0);
1390 return copy_file_fd(s
->usb_function_strings
, fd
, 0);
1393 static int usbffs_dispatch_eps(SocketPort
*p
, int dfd
) {
1394 _cleanup_free_ DirectoryEntries
*des
= NULL
;
1400 r
= readdir_all(dfd
, RECURSE_DIR_SORT
|RECURSE_DIR_IGNORE_DOT
, &des
);
1404 p
->auxiliary_fds
= new(int, des
->n_entries
);
1405 if (!p
->auxiliary_fds
)
1408 FOREACH_ARRAY(i
, des
->entries
, des
->n_entries
) {
1409 const struct dirent
*de
= *i
;
1411 if (streq(de
->d_name
, "ep0"))
1414 r
= usbffs_address_create_at(dfd
, de
->d_name
);
1418 p
->auxiliary_fds
[p
->n_auxiliary_fds
++] = r
;
1421 assert(p
->n_auxiliary_fds
< des
->n_entries
);
1426 socket_port_close_auxiliary_fds(p
);
1430 int socket_load_service_unit(Socket
*s
, int cfd
, Unit
**ret
) {
1433 /* Figure out what the unit that will be used to handle the connections on the socket looks like.
1435 * If cfd < 0, then we don't have a connection yet. In case of Accept=yes sockets, use a fake
1442 if (UNIT_ISSET(s
->service
)) {
1443 *ret
= UNIT_DEREF(s
->service
);
1450 /* Build the instance name and load the unit */
1451 _cleanup_free_
char *prefix
= NULL
, *instance
= NULL
, *name
= NULL
;
1453 r
= unit_name_to_prefix(UNIT(s
)->id
, &prefix
);
1458 r
= instance_from_socket(cfd
, s
->n_accepted
, &instance
);
1459 if (ERRNO_IS_NEG_DISCONNECT(r
))
1460 /* ENOTCONN is legitimate if TCP RST was received. Other socket families might return
1461 * different errors. This connection is over, but the socket unit lives on. */
1462 return log_unit_debug_errno(UNIT(s
), r
,
1463 "Got %s on incoming socket, assuming aborted connection attempt, ignoring.",
1469 /* For accepting sockets, we don't know how the instance will be called until we get a connection and
1470 * can figure out what the peer name is. So let's use "internal" as the instance to make it clear
1471 * that this is not an actual peer name. We use "unknown" when we cannot figure out the peer. */
1472 r
= unit_name_build(prefix
, instance
?: "internal", ".service", &name
);
1476 return manager_load_unit(UNIT(s
)->manager
, name
, NULL
, NULL
, ret
);
1479 static int socket_determine_selinux_label(Socket
*s
, char **ret
) {
1486 r
= socket_load_service_unit(s
, /* cfd= */ -EBADF
, &service
);
1487 if (r
== -ENODATA
) {
1494 r
= service_determine_exec_selinux_label(SERVICE(service
), ret
);
1495 if (r
== -ENODATA
) {
1502 static int socket_address_listen_do(
1504 const SocketAddress
*address
,
1505 const char *label
) {
1510 return socket_address_listen(
1512 SOCK_CLOEXEC
|SOCK_NONBLOCK
,
1524 #define log_address_error_errno(u, address, error, fmt) \
1526 _cleanup_free_ char *_t = NULL; \
1528 (void) socket_address_print(address, &_t); \
1529 log_unit_error_errno(u, error, fmt, strna(_t)); \
1532 static bool fork_needed(const SocketAddress
*address
, Socket
*s
) {
1536 /* Check if we need to do the cgroup or netns stuff. If not we can do things much simpler. */
1538 /* If there are any NFTSet= directives with cgroup source, we need the cgroup */
1540 CGroupContext
*c
= unit_get_cgroup_context(u
);
1542 FOREACH_ARRAY(nft_set
, c
->nft_set_context
.sets
, c
->nft_set_context
.n_sets
)
1543 if (nft_set
->source
== NFT_SET_SOURCE_CGROUP
)
1546 if (IN_SET(address
->sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
) &&
1547 bpf_program_supported() > 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1550 return exec_needs_network_namespace(&s
->exec_context
);
1553 static int socket_address_listen_in_cgroup(
1555 const SocketAddress
*address
,
1556 const char *label
) {
1558 _cleanup_(pidref_done
) PidRef pid
= PIDREF_NULL
;
1559 _cleanup_close_pair_
int pair
[2] = EBADF_PAIR
;
1565 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the
1566 * socket's cgroup and network namespace in which the socket is actually created. This way we ensure
1567 * the socket is actually properly attached to the unit's cgroup for the purpose of BPF filtering and
1570 if (!fork_needed(address
, s
)) {
1571 /* Shortcut things... */
1572 fd
= socket_address_listen_do(s
, address
, label
);
1574 return log_address_error_errno(UNIT(s
), address
, fd
, "Failed to create listening socket (%s): %m");
1579 r
= unit_setup_exec_runtime(UNIT(s
));
1581 return log_unit_error_errno(UNIT(s
), r
, "Failed acquire runtime: %m");
1583 if (s
->exec_context
.network_namespace_path
&&
1585 s
->exec_runtime
->shared
&&
1586 s
->exec_runtime
->shared
->netns_storage_socket
[0] >= 0) {
1587 r
= open_shareable_ns_path(s
->exec_runtime
->shared
->netns_storage_socket
, s
->exec_context
.network_namespace_path
, CLONE_NEWNET
);
1589 return log_unit_error_errno(UNIT(s
), r
, "Failed to open network namespace path %s: %m", s
->exec_context
.network_namespace_path
);
1592 if (s
->exec_context
.ipc_namespace_path
&&
1594 s
->exec_runtime
->shared
&&
1595 s
->exec_runtime
->shared
->ipcns_storage_socket
[0] >= 0) {
1596 r
= open_shareable_ns_path(s
->exec_runtime
->shared
->ipcns_storage_socket
, s
->exec_context
.ipc_namespace_path
, CLONE_NEWIPC
);
1598 return log_unit_error_errno(UNIT(s
), r
, "Failed to open IPC namespace path %s: %m", s
->exec_context
.ipc_namespace_path
);
1601 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
1602 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
1604 r
= unit_fork_helper_process(UNIT(s
), "(sd-listen)", /* into_cgroup= */ true, &pid
);
1606 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off listener stub process: %m");
1610 pair
[0] = safe_close(pair
[0]);
1612 if (exec_needs_network_namespace(&s
->exec_context
) &&
1614 s
->exec_runtime
->shared
&&
1615 s
->exec_runtime
->shared
->netns_storage_socket
[0] >= 0) {
1617 if (namespace_type_supported(NAMESPACE_NET
)) {
1618 r
= setup_shareable_ns(s
->exec_runtime
->shared
->netns_storage_socket
, CLONE_NEWNET
);
1620 log_unit_error_errno(UNIT(s
), r
, "Failed to join network namespace: %m");
1621 _exit(EXIT_NETWORK
);
1623 } else if (s
->exec_context
.network_namespace_path
) {
1624 log_unit_error(UNIT(s
), "Network namespace path configured but network namespaces not supported.");
1625 _exit(EXIT_NETWORK
);
1627 log_unit_warning(UNIT(s
), "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
1630 fd
= socket_address_listen_do(s
, address
, label
);
1632 log_address_error_errno(UNIT(s
), address
, fd
, "Failed to create listening socket (%s): %m");
1633 _exit(EXIT_FAILURE
);
1636 r
= send_one_fd(pair
[1], fd
, 0);
1638 log_address_error_errno(UNIT(s
), address
, r
, "Failed to send listening socket (%s) to parent: %m");
1639 _exit(EXIT_FAILURE
);
1642 _exit(EXIT_SUCCESS
);
1645 pair
[1] = safe_close(pair
[1]);
1646 fd
= receive_one_fd(pair
[0], 0);
1648 /* We synchronously wait for the helper, as it shouldn't be slow */
1649 r
= wait_for_terminate_and_check("(sd-listen)", pid
.pid
, WAIT_LOG_ABNORMAL
);
1656 return log_address_error_errno(UNIT(s
), address
, fd
, "Failed to receive listening socket (%s): %m");
1661 static int socket_open_fds(Socket
*orig_s
) {
1662 _cleanup_(socket_close_fdsp
) Socket
*s
= orig_s
;
1663 _cleanup_freecon_
char *label
= NULL
;
1664 bool know_label
= false;
1669 LIST_FOREACH(port
, p
, s
->ports
) {
1679 /* Figure out the label, if we don't it know yet. We do it once for the first
1680 * socket where we need this and remember it for the rest. */
1682 r
= socket_determine_selinux_label(s
, &label
);
1684 return log_unit_error_errno(UNIT(s
), r
, "Failed to determine SELinux label: %m");
1689 /* Apply the socket protocol */
1690 switch (p
->address
.type
) {
1693 if (IN_SET(s
->socket_protocol
, IPPROTO_SCTP
, IPPROTO_MPTCP
))
1694 p
->address
.protocol
= s
->socket_protocol
;
1697 case SOCK_SEQPACKET
:
1698 if (s
->socket_protocol
== IPPROTO_SCTP
)
1699 p
->address
.protocol
= s
->socket_protocol
;
1703 if (s
->socket_protocol
== IPPROTO_UDPLITE
)
1704 p
->address
.protocol
= s
->socket_protocol
;
1708 p
->fd
= socket_address_listen_in_cgroup(s
, &p
->address
, label
);
1712 socket_apply_socket_options(s
, p
, p
->fd
);
1716 case SOCKET_SPECIAL
:
1718 p
->fd
= special_address_create(p
->path
, s
->writable
);
1720 return log_unit_error_errno(UNIT(s
), p
->fd
, "Failed to open special file '%s': %m", p
->path
);
1725 p
->fd
= fifo_address_create(
1730 return log_unit_error_errno(UNIT(s
), p
->fd
, "Failed to open FIFO '%s': %m", p
->path
);
1732 socket_apply_fifo_options(s
, p
->fd
);
1738 p
->fd
= mq_address_create(
1744 return log_unit_error_errno(UNIT(s
), p
->fd
, "Failed to open message queue '%s': %m", p
->path
);
1747 case SOCKET_USB_FUNCTION
: {
1748 _cleanup_close_
int dfd
= -EBADF
;
1750 dfd
= open(p
->path
, O_DIRECTORY
|O_CLOEXEC
);
1752 return log_unit_error_errno(UNIT(s
), errno
,
1753 "Failed to open USB FunctionFS dir '%s': %m", p
->path
);
1755 p
->fd
= usbffs_address_create_at(dfd
, "ep0");
1757 return log_unit_error_errno(UNIT(s
), p
->fd
, "Failed to open USB FunctionFS ep0: %m");
1759 r
= usbffs_write_descs(p
->fd
, SERVICE(UNIT_DEREF(s
->service
)));
1761 return log_unit_error_errno(UNIT(s
), r
, "Failed to write to USB FunctionFS ep0: %m");
1763 r
= usbffs_dispatch_eps(p
, dfd
);
1765 return log_unit_error_errno(UNIT(s
), r
, "Failed to dispatch USB FunctionFS eps: %m");
1771 assert_not_reached();
1779 static void socket_unwatch_fds(Socket
*s
) {
1784 LIST_FOREACH(port
, p
, s
->ports
) {
1788 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_OFF
);
1790 log_unit_debug_errno(UNIT(s
), r
, "Failed to disable event source: %m");
1794 static int socket_watch_fds(Socket
*s
) {
1799 LIST_FOREACH(port
, p
, s
->ports
) {
1803 if (p
->event_source
) {
1804 r
= sd_event_source_set_enabled(p
->event_source
, SD_EVENT_ON
);
1808 r
= sd_event_add_io(UNIT(s
)->manager
->event
, &p
->event_source
, p
->fd
, EPOLLIN
, socket_dispatch_io
, p
);
1812 (void) sd_event_source_set_description(p
->event_source
, "socket-port-io");
1815 r
= sd_event_source_set_ratelimit(p
->event_source
, s
->poll_limit
.interval
, s
->poll_limit
.burst
);
1817 log_unit_debug_errno(UNIT(s
), r
, "Failed to set poll limit on I/O event source, ignoring: %m");
1823 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch listening fds: %m");
1824 socket_unwatch_fds(s
);
1834 static int socket_check_open(Socket
*s
) {
1835 bool have_open
= false, have_closed
= false;
1839 LIST_FOREACH(port
, p
, s
->ports
) {
1845 if (have_open
&& have_closed
)
1846 return SOCKET_OPEN_SOME
;
1850 return SOCKET_OPEN_ALL
;
1852 return SOCKET_OPEN_NONE
;
1855 static void socket_set_state(Socket
*s
, SocketState state
) {
1856 SocketState old_state
;
1860 if (s
->state
!= state
)
1861 bus_unit_send_pending_change_signal(UNIT(s
), false);
1863 old_state
= s
->state
;
1866 if (!SOCKET_STATE_WITH_PROCESS(state
) && state
!= SOCKET_DEFERRED
)
1867 s
->timer_event_source
= sd_event_source_disable_unref(s
->timer_event_source
);
1869 if (!SOCKET_STATE_WITH_PROCESS(state
)) {
1870 socket_unwatch_control_pid(s
);
1871 s
->control_command
= NULL
;
1872 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
1875 if (state
!= SOCKET_LISTENING
)
1876 socket_unwatch_fds(s
);
1886 SOCKET_STOP_PRE_SIGTERM
,
1887 SOCKET_STOP_PRE_SIGKILL
))
1888 socket_close_fds(s
);
1890 if (state
!= SOCKET_DEFERRED
)
1891 unit_remove_from_stop_notify_queue(UNIT(s
));
1893 if (state
!= old_state
)
1894 log_unit_debug(UNIT(s
), "Changed %s -> %s", socket_state_to_string(old_state
), socket_state_to_string(state
));
1896 unit_notify(UNIT(s
), state_translation_table
[old_state
], state_translation_table
[state
], /* reload_success = */ true);
1899 static int socket_coldplug(Unit
*u
) {
1900 Socket
*s
= ASSERT_PTR(SOCKET(u
));
1903 assert(s
->state
== SOCKET_DEAD
);
1905 if (s
->deserialized_state
== s
->state
)
1908 /* Patch "deferred" back to "listening" and let socket_enter_running() figure out what to do.
1909 * This saves us the trouble of handling flipping of DeferTrigger= vs Accept= during reload. */
1910 if (s
->deserialized_state
== SOCKET_DEFERRED
)
1911 s
->deserialized_state
= SOCKET_LISTENING
;
1913 if (pidref_is_set(&s
->control_pid
) &&
1914 pidref_is_unwaited(&s
->control_pid
) > 0 &&
1915 SOCKET_STATE_WITH_PROCESS(s
->deserialized_state
)) {
1917 r
= unit_watch_pidref(UNIT(s
), &s
->control_pid
, /* exclusive= */ false);
1921 r
= socket_arm_timer(s
, /* relative= */ false, usec_add(u
->state_change_timestamp
.monotonic
, s
->timeout_usec
));
1926 if (IN_SET(s
->deserialized_state
,
1933 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1934 * for. However, this is problematic, as we won't traverse through the SOCKET_START_CHOWN state for
1935 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1936 * and if there's a mismatch, warn loudly.
1938 * Note that SOCKET_START_OPEN requires no special treatment, as it's only intermediate
1939 * between SOCKET_START_PRE and SOCKET_START_CHOWN and shall otherwise not be observed.
1940 * It's listed only for consistency. */
1942 r
= socket_check_open(s
);
1943 if (r
== SOCKET_OPEN_NONE
)
1944 log_unit_warning(UNIT(s
),
1945 "Socket unit configuration has changed while unit has been running, "
1946 "no open socket file descriptor left. "
1947 "The socket unit is not functional until restarted.");
1948 else if (r
== SOCKET_OPEN_SOME
)
1949 log_unit_warning(UNIT(s
),
1950 "Socket unit configuration has changed while unit has been running, "
1951 "and some socket file descriptors have not been opened yet. "
1952 "The socket unit is not fully functional until restarted.");
1955 if (s
->deserialized_state
== SOCKET_LISTENING
) {
1956 r
= socket_watch_fds(s
);
1961 if (!IN_SET(s
->deserialized_state
, SOCKET_DEAD
, SOCKET_FAILED
, SOCKET_CLEANING
))
1962 (void) unit_setup_exec_runtime(u
);
1964 socket_set_state(s
, s
->deserialized_state
);
1968 static int socket_spawn(Socket
*s
, ExecCommand
*c
, PidRef
*ret_pid
) {
1969 _cleanup_(exec_params_shallow_clear
) ExecParameters exec_params
= EXEC_PARAMETERS_INIT(
1970 EXEC_APPLY_SANDBOXING
|EXEC_APPLY_CHROOT
|EXEC_APPLY_TTY_STDIN
);
1971 _cleanup_(pidref_done
) PidRef pidref
= PIDREF_NULL
;
1978 r
= unit_prepare_exec(UNIT(s
));
1982 r
= socket_arm_timer(s
, /* relative= */ true, s
->timeout_usec
);
1986 r
= unit_set_exec_params(UNIT(s
), &exec_params
);
1990 /* Note that ExecStartPre= command doesn't inherit any FDs. It runs before we open listen FDs. */
1991 if (s
->pass_fds_to_exec
) {
1992 _cleanup_strv_free_
char **fd_names
= NULL
;
1993 _cleanup_free_
int *fds
= NULL
;
1996 n_fds
= socket_collect_fds(s
, &fds
);
2000 r
= strv_extend_n(&fd_names
, socket_fdname(s
), n_fds
);
2004 exec_params
.flags
|= EXEC_PASS_FDS
;
2005 exec_params
.fds
= TAKE_PTR(fds
);
2006 exec_params
.fd_names
= TAKE_PTR(fd_names
);
2007 exec_params
.n_socket_fds
= n_fds
;
2010 r
= exec_spawn(UNIT(s
),
2020 r
= unit_watch_pidref(UNIT(s
), &pidref
, /* exclusive= */ true);
2024 *ret_pid
= TAKE_PIDREF(pidref
);
2028 static int socket_chown(Socket
*s
, PidRef
*ret_pid
) {
2029 _cleanup_(pidref_done
) PidRef pid
= PIDREF_NULL
;
2034 r
= socket_arm_timer(s
, /* relative= */ true, s
->timeout_usec
);
2038 /* We have to resolve the user names out-of-process, hence
2039 * let's fork here. It's messy, but well, what can we do? */
2041 r
= unit_fork_helper_process(UNIT(s
), "(sd-chown)", /* into_cgroup= */ true, &pid
);
2045 uid_t uid
= UID_INVALID
;
2046 gid_t gid
= GID_INVALID
;
2050 if (!isempty(s
->user
)) {
2051 const char *user
= s
->user
;
2053 r
= get_user_creds(&user
, &uid
, &gid
, NULL
, NULL
, 0);
2055 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve user %s: %m", user
);
2060 if (!isempty(s
->group
)) {
2061 const char *group
= s
->group
;
2063 r
= get_group_creds(&group
, &gid
, 0);
2065 log_unit_error_errno(UNIT(s
), r
, "Failed to resolve group %s: %m", group
);
2070 LIST_FOREACH(port
, p
, s
->ports
) {
2071 const char *path
= NULL
;
2073 if (p
->type
== SOCKET_SOCKET
)
2074 path
= socket_address_get_path(&p
->address
);
2075 else if (p
->type
== SOCKET_FIFO
)
2077 else if (p
->type
== SOCKET_MQUEUE
) {
2078 /* Use fchown on the fd since /dev/mqueue might not be mounted. */
2079 if (fchown(p
->fd
, uid
, gid
) < 0) {
2080 log_unit_error_errno(UNIT(s
), errno
, "Failed to fchown(): %m");
2089 if (chown(path
, uid
, gid
) < 0) {
2090 log_unit_error_errno(UNIT(s
), errno
, "Failed to chown(): %m");
2095 _exit(EXIT_SUCCESS
);
2098 r
= unit_watch_pidref(UNIT(s
), &pid
, /* exclusive= */ true);
2102 *ret_pid
= TAKE_PIDREF(pid
);
2106 static void socket_enter_dead(Socket
*s
, SocketResult f
) {
2109 if (s
->result
== SOCKET_SUCCESS
)
2112 if (s
->result
== SOCKET_SUCCESS
)
2113 unit_log_success(UNIT(s
));
2115 unit_log_failure(UNIT(s
), socket_result_to_string(s
->result
));
2117 unit_warn_leftover_processes(UNIT(s
), /* start = */ false);
2119 socket_set_state(s
, s
->result
!= SOCKET_SUCCESS
? SOCKET_FAILED
: SOCKET_DEAD
);
2121 s
->exec_runtime
= exec_runtime_destroy(s
->exec_runtime
);
2123 unit_destroy_runtime_data(UNIT(s
), &s
->exec_context
, /* destroy_runtime_dir = */ true);
2125 unit_unref_uid_gid(UNIT(s
), true);
2128 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
);
2130 static void socket_enter_stop_post(Socket
*s
, SocketResult f
) {
2135 if (s
->result
== SOCKET_SUCCESS
)
2138 socket_unwatch_control_pid(s
);
2139 s
->control_command_id
= SOCKET_EXEC_STOP_POST
;
2140 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_POST
];
2142 if (s
->control_command
) {
2143 pidref_done(&s
->control_pid
);
2145 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2147 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn 'stop-post' task: %m");
2148 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2152 socket_set_state(s
, SOCKET_STOP_POST
);
2154 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_SUCCESS
);
2157 static int state_to_kill_operation(Socket
*s
, SocketState state
) {
2160 if (state
== SOCKET_STOP_PRE_SIGTERM
)
2161 return unit_has_job_type(UNIT(s
), JOB_RESTART
) ? KILL_RESTART
: KILL_TERMINATE
;
2163 if (state
== SOCKET_FINAL_SIGTERM
)
2164 return KILL_TERMINATE
;
2169 static void socket_enter_signal(Socket
*s
, SocketState state
, SocketResult f
) {
2174 if (s
->result
== SOCKET_SUCCESS
)
2177 r
= unit_kill_context(UNIT(s
), state_to_kill_operation(s
, state
));
2179 log_unit_warning_errno(UNIT(s
), r
, "Failed to kill processes: %m");
2183 r
= socket_arm_timer(s
, /* relative= */ true, s
->timeout_usec
);
2185 log_unit_warning_errno(UNIT(s
), r
, "Failed to install timer: %m");
2189 socket_set_state(s
, state
);
2190 } else if (state
== SOCKET_STOP_PRE_SIGTERM
)
2191 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_SUCCESS
);
2192 else if (state
== SOCKET_STOP_PRE_SIGKILL
)
2193 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2194 else if (state
== SOCKET_FINAL_SIGTERM
)
2195 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_SUCCESS
);
2197 socket_enter_dead(s
, SOCKET_SUCCESS
);
2202 if (IN_SET(state
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_STOP_PRE_SIGKILL
))
2203 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2205 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2208 static void socket_enter_stop_pre(Socket
*s
, SocketResult f
) {
2213 if (s
->result
== SOCKET_SUCCESS
)
2216 socket_unwatch_control_pid(s
);
2217 s
->control_command_id
= SOCKET_EXEC_STOP_PRE
;
2218 s
->control_command
= s
->exec_command
[SOCKET_EXEC_STOP_PRE
];
2220 if (s
->control_command
) {
2221 pidref_done(&s
->control_pid
);
2223 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2225 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn 'stop-pre' task: %m");
2226 socket_enter_stop_post(s
, SOCKET_FAILURE_RESOURCES
);
2230 socket_set_state(s
, SOCKET_STOP_PRE
);
2232 socket_enter_stop_post(s
, SOCKET_SUCCESS
);
2235 static void flush_ports(Socket
*s
) {
2238 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2241 LIST_FOREACH(port
, p
, s
->ports
) {
2245 if (p
->type
== SOCKET_MQUEUE
)
2246 (void) flush_mqueue(p
->fd
);
2248 (void) flush_accept(p
->fd
);
2249 (void) flush_fd(p
->fd
);
2254 static void socket_enter_listening(Socket
*s
) {
2259 if (!s
->accept
&& s
->flush_pending
) {
2260 log_unit_debug(UNIT(s
), "Flushing socket before listening.");
2264 r
= socket_watch_fds(s
);
2266 log_unit_warning_errno(UNIT(s
), r
, "Failed to watch sockets: %m");
2267 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2271 socket_set_state(s
, SOCKET_LISTENING
);
2274 static void socket_enter_start_post(Socket
*s
) {
2279 socket_unwatch_control_pid(s
);
2280 s
->control_command_id
= SOCKET_EXEC_START_POST
;
2281 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_POST
];
2283 if (s
->control_command
) {
2284 pidref_done(&s
->control_pid
);
2286 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2288 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn 'start-post' task: %m");
2289 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2293 socket_set_state(s
, SOCKET_START_POST
);
2295 socket_enter_listening(s
);
2298 static void socket_enter_start_chown(Socket
*s
) {
2302 assert(s
->state
== SOCKET_START_OPEN
);
2304 if (!isempty(s
->user
) || !isempty(s
->group
)) {
2306 socket_unwatch_control_pid(s
);
2307 s
->control_command_id
= SOCKET_EXEC_START_CHOWN
;
2308 s
->control_command
= NULL
;
2310 r
= socket_chown(s
, &s
->control_pid
);
2312 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn 'start-chown' task: %m");
2313 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2317 socket_set_state(s
, SOCKET_START_CHOWN
);
2319 socket_enter_start_post(s
);
2322 static void socket_enter_start_open(Socket
*s
) {
2326 assert(IN_SET(s
->state
, SOCKET_DEAD
, SOCKET_FAILED
, SOCKET_START_PRE
));
2328 /* We force a state transition here even though we're not spawning any process (i.e. the state is purely
2329 * intermediate), so that failure of socket_open_fds() always causes a state change in unit_notify().
2330 * Otherwise, if no Exec*= is defined, we might go from previous SOCKET_FAILED to SOCKET_FAILED,
2331 * meaning the OnFailure= deps are unexpectedly skipped (#35635). */
2333 socket_set_state(s
, SOCKET_START_OPEN
);
2335 r
= socket_open_fds(s
);
2337 log_unit_error_errno(UNIT(s
), r
, "Failed to listen on sockets: %m");
2338 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2342 socket_enter_start_chown(s
);
2345 static void socket_enter_start_pre(Socket
*s
) {
2350 socket_unwatch_control_pid(s
);
2352 unit_warn_leftover_processes(UNIT(s
), /* start = */ true);
2354 s
->control_command_id
= SOCKET_EXEC_START_PRE
;
2355 s
->control_command
= s
->exec_command
[SOCKET_EXEC_START_PRE
];
2357 if (s
->control_command
) {
2358 pidref_done(&s
->control_pid
);
2360 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2362 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn 'start-pre' task: %m");
2363 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2367 socket_set_state(s
, SOCKET_START_PRE
);
2369 socket_enter_start_open(s
);
2372 static bool socket_may_defer(Socket
*s
) {
2375 switch (s
->defer_trigger
) {
2377 case SOCKET_DEFER_NO
:
2380 case SOCKET_DEFER_YES
:
2381 return !hashmap_isempty(UNIT(s
)->manager
->jobs
);
2383 case SOCKET_DEFER_PATIENT
:
2384 assert(s
->defer_trigger_max_usec
> 0);
2388 assert_not_reached();
2392 static bool socket_stop_notify(Unit
*u
) {
2393 Socket
*s
= ASSERT_PTR(SOCKET(u
));
2394 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
2397 assert(s
->state
== SOCKET_DEFERRED
);
2399 r
= manager_add_job(u
->manager
, JOB_START
, UNIT_DEREF(s
->service
), JOB_LENIENT
, &error
, /* ret = */ NULL
);
2400 if (r
>= 0) { /* Yay! */
2401 socket_set_state(s
, SOCKET_RUNNING
);
2402 return true; /* changed */
2404 if (sd_bus_error_has_name(&error
, BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE
)) {
2405 if (s
->defer_trigger
== SOCKET_DEFER_PATIENT
|| !hashmap_isempty(u
->manager
->jobs
))
2406 /* Wait for some more */
2409 log_unit_warning_errno(u
, r
, "Service conflicts with active units even after all jobs have completed, giving up.");
2411 log_unit_warning_errno(u
, r
, "Failed to queue service startup job: %s", bus_error_message(&error
, r
));
2413 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2414 return true; /* changed */
2417 static void socket_enter_deferred(Socket
*s
) {
2421 assert(socket_may_defer(s
));
2423 /* So here's the thing: if there're currently units conflicting with the service we shall be
2424 * triggering, and the previous transaction is still running (job pool is not empty), let's
2425 * defer the activation a bit, and recheck upon any unit stop. IOW, the trigger in question
2426 * becomes bound to the conflicting dependency, and not the socket IO because we never process them.
2427 * Put a safety net around all this though, i.e. give up if the service still can't be started
2428 * even after all existing jobs have completed, or DeferTriggerMaxSec= is reached. */
2430 r
= socket_arm_timer(s
, /* relative = */ true, s
->defer_trigger_max_usec
);
2432 log_unit_warning_errno(UNIT(s
), r
, "Failed to install timer: %m");
2433 return socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2436 unit_add_to_stop_notify_queue(UNIT(s
));
2438 /* Disable IO event sources */
2439 socket_set_state(s
, SOCKET_DEFERRED
);
2442 static void socket_enter_running(Socket
*s
, int cfd_in
) {
2443 /* Note that this call takes possession of the connection fd passed. It either has to assign it
2444 * somewhere or close it. */
2445 _cleanup_close_
int cfd
= cfd_in
;
2446 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
2451 /* We don't take connections anymore if we are supposed to shut down anyway */
2452 if (unit_stop_pending(UNIT(s
))) {
2454 log_unit_debug(UNIT(s
), "Suppressing connection request since unit stop is scheduled.");
2463 if (s
->state
== SOCKET_DEFERRED
) {
2468 if (!ratelimit_below(&s
->trigger_limit
)) {
2469 log_unit_warning(UNIT(s
), "Trigger limit hit, refusing further activation.");
2470 socket_enter_stop_pre(s
, SOCKET_FAILURE_TRIGGER_LIMIT_HIT
);
2474 if (cfd
< 0) { /* Accept=no case */
2475 bool pending
= false;
2478 /* If there's already a start pending don't bother to do anything */
2479 UNIT_FOREACH_DEPENDENCY(other
, UNIT(s
), UNIT_ATOM_TRIGGERS
)
2480 if (unit_active_or_pending(other
)) {
2486 if (!UNIT_ISSET(s
->service
)) {
2487 log_unit_warning(UNIT(s
),
2488 "Service to activate vanished, refusing activation.");
2492 if (s
->defer_trigger
!= SOCKET_DEFER_NO
) {
2493 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT_DEREF(s
->service
), JOB_LENIENT
, &error
, /* ret = */ NULL
);
2494 if (r
< 0 && sd_bus_error_has_name(&error
, BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE
) && socket_may_defer(s
))
2495 /* We only check BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE here, not
2496 * BUS_ERROR_TRANSACTION_JOBS_CONFLICTING or BUS_ERROR_TRANSACTION_ORDER_IS_CYCLIC,
2497 * since those are errors in a single transaction, which are most likely
2498 * caused by dependency issues in the unit configuration.
2499 * Deferring activation probably won't help. */
2500 return socket_enter_deferred(s
);
2502 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, UNIT_DEREF(s
->service
), JOB_REPLACE
, &error
, /* ret = */ NULL
);
2507 socket_set_state(s
, SOCKET_RUNNING
);
2508 } else { /* Accept=yes case */
2509 _cleanup_(socket_peer_unrefp
) SocketPeer
*p
= NULL
;
2512 if (s
->n_connections
>= s
->max_connections
) {
2513 log_unit_warning(UNIT(s
), "Too many incoming connections (%u), dropping connection.",
2518 if (s
->max_connections_per_source
> 0) {
2519 r
= socket_acquire_peer(s
, cfd
, &p
);
2520 if (ERRNO_IS_NEG_DISCONNECT(r
))
2523 /* We didn't have enough resources to acquire peer information, let's fail. */
2525 if (r
> 0 && p
->n_ref
> s
->max_connections_per_source
) {
2526 _cleanup_free_
char *t
= NULL
;
2528 if (p
->peer
.sa
.sa_family
== AF_UNIX
)
2529 (void) asprintf(&t
, "UID " UID_FMT
, p
->peer_cred
.uid
);
2531 (void) sockaddr_pretty(&p
->peer
.sa
, p
->peer_salen
, /* translate_ipv6= */ true, /* include_port= */ false, &t
);
2533 log_unit_warning(UNIT(s
),
2534 "Too many incoming connections (%u) from source %s, dropping connection.",
2535 p
->n_ref
, strnull(t
));
2540 r
= socket_load_service_unit(s
, cfd
, &service
);
2541 if (ERRNO_IS_NEG_DISCONNECT(r
))
2543 if (r
< 0 || UNIT_IS_LOAD_ERROR(service
->load_state
)) {
2544 log_unit_warning_errno(UNIT(s
), r
< 0 ? r
: service
->load_error
,
2545 "Failed to load connection service unit: %m");
2548 if (service
->load_state
== UNIT_MASKED
) {
2549 log_unit_warning(UNIT(s
), "Connection service unit is masked, refusing.");
2555 r
= service_set_socket_fd(SERVICE(service
), cfd
, s
, p
, s
->selinux_context_from_net
);
2556 if (ERRNO_IS_NEG_DISCONNECT(r
))
2559 log_unit_warning_errno(UNIT(s
), r
, "Failed to set socket on service: %m");
2563 /* We passed ownership of the fd and socket peer to the service now. */
2569 r
= manager_add_job(UNIT(s
)->manager
, JOB_START
, service
, JOB_REPLACE
, &error
, /* ret = */ NULL
);
2571 /* We failed to activate the new service, but it still exists. Let's make sure the
2572 * service closes and forgets the connection fd again, immediately. */
2573 service_release_socket_fd(SERVICE(service
));
2577 /* Notify clients about changed counters */
2578 unit_add_to_dbus_queue(UNIT(s
));
2588 log_unit_warning_errno(UNIT(s
), r
, "Failed to queue service startup job%s: %s",
2589 cfd
>= 0 && !ERRNO_IS_RESOURCE(r
) ? " (Maybe the service is missing or is a template unit?)" : "",
2590 bus_error_message(&error
, r
));
2593 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2596 static void socket_run_next(Socket
*s
) {
2600 assert(s
->control_command
);
2601 assert(s
->control_command
->command_next
);
2603 socket_unwatch_control_pid(s
);
2605 s
->control_command
= s
->control_command
->command_next
;
2607 pidref_done(&s
->control_pid
);
2609 r
= socket_spawn(s
, s
->control_command
, &s
->control_pid
);
2611 log_unit_warning_errno(UNIT(s
), r
, "Failed to spawn next task: %m");
2613 if (s
->state
== SOCKET_START_POST
)
2614 socket_enter_stop_pre(s
, SOCKET_FAILURE_RESOURCES
);
2615 else if (s
->state
== SOCKET_STOP_POST
)
2616 socket_enter_dead(s
, SOCKET_FAILURE_RESOURCES
);
2618 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_RESOURCES
);
2622 static int socket_start(Unit
*u
) {
2623 Socket
*s
= ASSERT_PTR(SOCKET(u
));
2626 /* We cannot fulfill this request right now, try again later
2628 if (IN_SET(s
->state
,
2630 SOCKET_STOP_PRE_SIGKILL
,
2631 SOCKET_STOP_PRE_SIGTERM
,
2633 SOCKET_FINAL_SIGTERM
,
2634 SOCKET_FINAL_SIGKILL
,
2638 /* Already on it! */
2639 if (IN_SET(s
->state
,
2646 /* Cannot run this without the service being around */
2647 if (UNIT_ISSET(s
->service
)) {
2648 Service
*service
= ASSERT_PTR(SERVICE(UNIT_DEREF(s
->service
)));
2650 if (UNIT(service
)->load_state
!= UNIT_LOADED
)
2651 return log_unit_error_errno(u
, SYNTHETIC_ERRNO(ENOENT
),
2652 "Socket service %s not loaded, refusing.", UNIT(service
)->id
);
2654 /* If the service is already active we cannot start the socket */
2655 if (SOCKET_SERVICE_IS_ACTIVE(service
, /* allow_finalize = */ false))
2656 return log_unit_error_errno(u
, SYNTHETIC_ERRNO(EBUSY
),
2657 "Socket service %s already active, refusing.", UNIT(service
)->id
);
2660 assert(IN_SET(s
->state
, SOCKET_DEAD
, SOCKET_FAILED
));
2662 r
= unit_acquire_invocation_id(u
);
2666 s
->result
= SOCKET_SUCCESS
;
2667 exec_command_reset_status_list_array(s
->exec_command
, _SOCKET_EXEC_COMMAND_MAX
);
2669 if (s
->cgroup_runtime
)
2670 s
->cgroup_runtime
->reset_accounting
= true;
2672 socket_enter_start_pre(s
);
2676 static int socket_stop(Unit
*u
) {
2677 Socket
*s
= ASSERT_PTR(SOCKET(u
));
2680 if (IN_SET(s
->state
,
2682 SOCKET_STOP_PRE_SIGTERM
,
2683 SOCKET_STOP_PRE_SIGKILL
,
2685 SOCKET_FINAL_SIGTERM
,
2686 SOCKET_FINAL_SIGKILL
))
2689 /* If there's already something running we go directly into
2691 if (IN_SET(s
->state
,
2695 SOCKET_START_POST
)) {
2696 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_SUCCESS
);
2700 /* If we are currently cleaning, then abort it, brutally. */
2701 if (s
->state
== SOCKET_CLEANING
) {
2702 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_SUCCESS
);
2706 assert(IN_SET(s
->state
, SOCKET_LISTENING
, SOCKET_DEFERRED
, SOCKET_RUNNING
));
2708 socket_enter_stop_pre(s
, SOCKET_SUCCESS
);
2712 static int socket_serialize(Unit
*u
, FILE *f
, FDSet
*fds
) {
2713 Socket
*s
= ASSERT_PTR(SOCKET(u
));
2719 (void) serialize_item(f
, "state", socket_state_to_string(s
->state
));
2720 (void) serialize_item(f
, "result", socket_result_to_string(s
->result
));
2721 (void) serialize_item_format(f
, "n-accepted", "%u", s
->n_accepted
);
2722 (void) serialize_item_format(f
, "n-refused", "%u", s
->n_refused
);
2723 (void) serialize_pidref(f
, fds
, "control-pid", &s
->control_pid
);
2725 if (s
->control_command_id
>= 0)
2726 (void) serialize_item(f
, "control-command", socket_exec_command_to_string(s
->control_command_id
));
2728 LIST_FOREACH(port
, p
, s
->ports
) {
2734 copy
= fdset_put_dup(fds
, p
->fd
);
2736 return log_unit_warning_errno(u
, copy
, "Failed to serialize socket fd: %m");
2738 if (p
->type
== SOCKET_SOCKET
) {
2739 _cleanup_free_
char *t
= NULL
;
2741 r
= socket_address_print(&p
->address
, &t
);
2743 return log_unit_error_errno(u
, r
, "Failed to format socket address: %m");
2745 if (socket_address_family(&p
->address
) == AF_NETLINK
)
2746 (void) serialize_item_format(f
, "netlink", "%i %s", copy
, t
);
2748 (void) serialize_item_format(f
, "socket", "%i %i %s", copy
, p
->address
.type
, t
);
2749 } else if (p
->type
== SOCKET_SPECIAL
)
2750 (void) serialize_item_format(f
, "special", "%i %s", copy
, p
->path
);
2751 else if (p
->type
== SOCKET_MQUEUE
)
2752 (void) serialize_item_format(f
, "mqueue", "%i %s", copy
, p
->path
);
2753 else if (p
->type
== SOCKET_USB_FUNCTION
)
2754 (void) serialize_item_format(f
, "ffs", "%i %s", copy
, p
->path
);
2756 assert(p
->type
== SOCKET_FIFO
);
2757 (void) serialize_item_format(f
, "fifo", "%i %s", copy
, p
->path
);
2761 (void) serialize_ratelimit(f
, "trigger-ratelimit", &s
->trigger_limit
);
2766 static int socket_deserialize_item(Unit
*u
, const char *key
, const char *value
, FDSet
*fds
) {
2767 Socket
*s
= ASSERT_PTR(SOCKET(u
));
2773 if (streq(key
, "state")) {
2776 state
= socket_state_from_string(value
);
2778 log_unit_debug(u
, "Failed to parse state value: %s", value
);
2780 s
->deserialized_state
= state
;
2781 } else if (streq(key
, "result")) {
2784 f
= socket_result_from_string(value
);
2786 log_unit_debug(u
, "Failed to parse result value: %s", value
);
2787 else if (f
!= SOCKET_SUCCESS
)
2790 } else if (streq(key
, "n-accepted")) {
2793 if (safe_atou(value
, &k
) < 0)
2794 log_unit_debug(u
, "Failed to parse n-accepted value: %s", value
);
2797 } else if (streq(key
, "n-refused")) {
2800 if (safe_atou(value
, &k
) < 0)
2801 log_unit_debug(u
, "Failed to parse n-refused value: %s", value
);
2804 } else if (streq(key
, "control-pid")) {
2806 if (!pidref_is_set(&s
->control_pid
))
2807 (void) deserialize_pidref(fds
, value
, &s
->control_pid
);
2809 } else if (streq(key
, "control-command")) {
2810 SocketExecCommand id
;
2812 id
= socket_exec_command_from_string(value
);
2814 log_unit_debug(u
, "Failed to parse exec-command value: %s", value
);
2816 s
->control_command_id
= id
;
2817 s
->control_command
= s
->exec_command
[id
];
2819 } else if (streq(key
, "fifo")) {
2820 _cleanup_free_
char *fdv
= NULL
;
2824 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2826 log_unit_debug(u
, "Failed to parse fifo value: %s", value
);
2831 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2832 log_unit_debug(u
, "Invalid fifo value: %s", fdv
);
2836 LIST_FOREACH(port
, p
, s
->ports
)
2838 p
->type
== SOCKET_FIFO
&&
2839 path_equal_or_inode_same(p
->path
, value
, 0)) {
2840 p
->fd
= fdset_remove(fds
, fd
);
2845 log_unit_debug(u
, "No matching fifo socket found: %s", value
);
2847 } else if (streq(key
, "special")) {
2848 _cleanup_free_
char *fdv
= NULL
;
2852 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2854 log_unit_debug(u
, "Failed to parse special value: %s", value
);
2859 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2860 log_unit_debug(u
, "Invalid special value: %s", fdv
);
2864 LIST_FOREACH(port
, p
, s
->ports
)
2866 p
->type
== SOCKET_SPECIAL
&&
2867 path_equal_or_inode_same(p
->path
, value
, 0)) {
2868 p
->fd
= fdset_remove(fds
, fd
);
2873 log_unit_debug(u
, "No matching special socket found: %s", value
);
2875 } else if (streq(key
, "mqueue")) {
2876 _cleanup_free_
char *fdv
= NULL
;
2880 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2882 log_unit_debug(u
, "Failed to parse mqueue value: %s", value
);
2887 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2888 log_unit_debug(u
, "Invalid mqueue value: %s", fdv
);
2892 LIST_FOREACH(port
, p
, s
->ports
)
2894 p
->type
== SOCKET_MQUEUE
&&
2895 streq(p
->path
, value
)) {
2896 p
->fd
= fdset_remove(fds
, fd
);
2901 log_unit_debug(u
, "No matching mqueue socket found: %s", value
);
2903 } else if (streq(key
, "socket")) {
2904 _cleanup_free_
char *fdv
= NULL
, *typev
= NULL
;
2908 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2910 log_unit_debug(u
, "Failed to parse socket fd from value: %s", value
);
2915 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2916 log_unit_debug(u
, "Invalid socket fd: %s", fdv
);
2920 r
= extract_first_word(&value
, &typev
, NULL
, 0);
2922 log_unit_debug(u
, "Failed to parse socket type from value: %s", value
);
2926 if (safe_atoi(typev
, &type
) < 0 || type
< 0) {
2927 log_unit_debug(u
, "Invalid socket type: %s", typev
);
2931 LIST_FOREACH(port
, p
, s
->ports
)
2933 socket_address_is(&p
->address
, value
, type
)) {
2934 p
->fd
= fdset_remove(fds
, fd
);
2939 log_unit_debug(u
, "No matching %s socket found: %s",
2940 socket_address_type_to_string(type
), value
);
2942 } else if (streq(key
, "netlink")) {
2943 _cleanup_free_
char *fdv
= NULL
;
2947 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2949 log_unit_debug(u
, "Failed to parse socket value: %s", value
);
2954 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2955 log_unit_debug(u
, "Invalid socket value: %s", fdv
);
2959 LIST_FOREACH(port
, p
, s
->ports
)
2961 socket_address_is_netlink(&p
->address
, value
)) {
2962 p
->fd
= fdset_remove(fds
, fd
);
2967 log_unit_debug(u
, "No matching netlink socket found: %s", value
);
2969 } else if (streq(key
, "ffs")) {
2970 _cleanup_free_
char *fdv
= NULL
;
2974 r
= extract_first_word(&value
, &fdv
, NULL
, 0);
2976 log_unit_debug(u
, "Failed to parse ffs value: %s", value
);
2981 if (fd
< 0 || !fdset_contains(fds
, fd
)) {
2982 log_unit_debug(u
, "Invalid ffs value: %s", fdv
);
2986 LIST_FOREACH(port
, p
, s
->ports
)
2988 p
->type
== SOCKET_USB_FUNCTION
&&
2989 path_equal_or_inode_same(p
->path
, value
, 0)) {
2990 p
->fd
= fdset_remove(fds
, fd
);
2995 log_unit_debug(u
, "No matching ffs socket found: %s", value
);
2997 } else if (streq(key
, "trigger-ratelimit"))
2998 (void) deserialize_ratelimit(&s
->trigger_limit
, key
, value
);
3000 log_unit_debug(UNIT(s
), "Unknown serialization key: %s", key
);
3005 static void socket_distribute_fds(Unit
*u
, FDSet
*fds
) {
3006 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3008 LIST_FOREACH(port
, p
, s
->ports
) {
3011 if (p
->type
!= SOCKET_SOCKET
)
3017 FDSET_FOREACH(fd
, fds
) {
3018 if (socket_address_matches_fd(&p
->address
, fd
)) {
3019 p
->fd
= fdset_remove(fds
, fd
);
3020 s
->deserialized_state
= SOCKET_LISTENING
;
3027 static UnitActiveState
socket_active_state(Unit
*u
) {
3028 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3030 return state_translation_table
[s
->state
];
3033 static const char *socket_sub_state_to_string(Unit
*u
) {
3034 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3036 return socket_state_to_string(s
->state
);
3039 int socket_port_to_address(const SocketPort
*p
, char **ret
) {
3040 _cleanup_free_
char *address
= NULL
;
3047 case SOCKET_SOCKET
: {
3048 r
= socket_address_print(&p
->address
, &address
);
3055 case SOCKET_SPECIAL
:
3058 case SOCKET_USB_FUNCTION
:
3059 address
= strdup(p
->path
);
3065 assert_not_reached();
3068 *ret
= TAKE_PTR(address
);
3073 const char* socket_port_type_to_string(SocketPort
*p
) {
3080 switch (p
->address
.type
) {
3088 case SOCK_SEQPACKET
:
3089 return "SequentialPacket";
3092 if (socket_address_family(&p
->address
) == AF_NETLINK
)
3100 case SOCKET_SPECIAL
:
3104 return "MessageQueue";
3109 case SOCKET_USB_FUNCTION
:
3110 return "USBFunction";
3117 SocketType
socket_port_type_from_string(const char *s
) {
3120 if (STR_IN_SET(s
, "Stream", "Datagram", "SequentialPacket", "Netlink"))
3121 return SOCKET_SOCKET
;
3122 else if (streq(s
, "Special"))
3123 return SOCKET_SPECIAL
;
3124 else if (streq(s
, "MessageQueue"))
3125 return SOCKET_MQUEUE
;
3126 else if (streq(s
, "FIFO"))
3128 else if (streq(s
, "USBFunction"))
3129 return SOCKET_USB_FUNCTION
;
3131 return _SOCKET_TYPE_INVALID
;
3134 static bool socket_may_gc(Unit
*u
) {
3135 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3137 return s
->n_connections
== 0;
3140 static int socket_accept_do(Socket
*s
, int fd
) {
3146 cfd
= accept4(fd
, NULL
, NULL
, SOCK_NONBLOCK
|SOCK_CLOEXEC
);
3148 /* Convert transient network errors into clean and well-defined EAGAIN */
3149 return ERRNO_IS_ACCEPT_AGAIN(errno
) ? -EAGAIN
: -errno
;
3154 static int socket_accept_in_cgroup(Socket
*s
, SocketPort
*p
, int fd
) {
3155 _cleanup_(pidref_done
) PidRef pid
= PIDREF_NULL
;
3156 _cleanup_close_pair_
int pair
[2] = EBADF_PAIR
;
3163 /* Similar to socket_address_listen_in_cgroup(), but for accept() rather than socket(): make sure that any
3164 * connection socket is also properly associated with the cgroup. */
3166 if (!IN_SET(p
->address
.sockaddr
.sa
.sa_family
, AF_INET
, AF_INET6
))
3169 if (bpf_program_supported() <= 0)
3172 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pair
) < 0)
3173 return log_unit_error_errno(UNIT(s
), errno
, "Failed to create communication channel: %m");
3175 r
= unit_fork_helper_process(UNIT(s
), "(sd-accept)", /* into_cgroup= */ true, &pid
);
3177 return log_unit_error_errno(UNIT(s
), r
, "Failed to fork off accept stub process: %m");
3181 pair
[0] = safe_close(pair
[0]);
3183 cfd
= socket_accept_do(s
, fd
);
3184 if (cfd
== -EAGAIN
) /* spurious accept() */
3185 _exit(EXIT_SUCCESS
);
3187 log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
3188 _exit(EXIT_FAILURE
);
3191 r
= send_one_fd(pair
[1], cfd
, 0);
3193 log_unit_error_errno(UNIT(s
), r
, "Failed to send connection socket to parent: %m");
3194 _exit(EXIT_FAILURE
);
3197 _exit(EXIT_SUCCESS
);
3200 pair
[1] = safe_close(pair
[1]);
3201 cfd
= receive_one_fd(pair
[0], 0);
3203 /* We synchronously wait for the helper, as it shouldn't be slow */
3204 r
= wait_for_terminate_and_check("(sd-accept)", pid
.pid
, WAIT_LOG_ABNORMAL
);
3210 /* If we received no fd, we got EIO here. If this happens with a process exit code of EXIT_SUCCESS
3211 * this is a spurious accept(), let's convert that back to EAGAIN here. */
3215 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to receive connection socket: %m");
3220 cfd
= socket_accept_do(s
, fd
);
3221 if (cfd
== -EAGAIN
) /* spurious accept(), skip it silently */
3224 return log_unit_error_errno(UNIT(s
), cfd
, "Failed to accept connection socket: %m");
3229 static int socket_dispatch_io(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
3230 SocketPort
*p
= ASSERT_PTR(userdata
);
3235 if (p
->socket
->state
!= SOCKET_LISTENING
)
3238 log_unit_debug(UNIT(p
->socket
), "Incoming traffic");
3240 if (revents
!= EPOLLIN
) {
3241 if (revents
& EPOLLHUP
)
3242 log_unit_error(UNIT(p
->socket
), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
3244 log_unit_error(UNIT(p
->socket
), "Got unexpected poll event (0x%x) on socket.", revents
);
3248 if (p
->socket
->accept
&&
3249 p
->type
== SOCKET_SOCKET
&&
3250 socket_address_can_accept(&p
->address
)) {
3252 cfd
= socket_accept_in_cgroup(p
->socket
, p
, fd
);
3253 if (cfd
== -EAGAIN
) /* Spurious accept() */
3258 socket_apply_socket_options(p
->socket
, p
, cfd
);
3261 socket_enter_running(p
->socket
, cfd
);
3265 socket_enter_stop_pre(p
->socket
, SOCKET_FAILURE_RESOURCES
);
3269 static void socket_sigchld_event(Unit
*u
, pid_t pid
, int code
, int status
) {
3270 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3275 if (pid
!= s
->control_pid
.pid
)
3278 pidref_done(&s
->control_pid
);
3280 if (is_clean_exit(code
, status
, EXIT_CLEAN_COMMAND
, NULL
))
3282 else if (code
== CLD_EXITED
)
3283 f
= SOCKET_FAILURE_EXIT_CODE
;
3284 else if (code
== CLD_KILLED
)
3285 f
= SOCKET_FAILURE_SIGNAL
;
3286 else if (code
== CLD_DUMPED
)
3287 f
= SOCKET_FAILURE_CORE_DUMP
;
3289 assert_not_reached();
3291 if (s
->control_command
) {
3292 exec_status_exit(&s
->control_command
->exec_status
, &s
->exec_context
, pid
, code
, status
);
3294 if (s
->control_command
->flags
& EXEC_COMMAND_IGNORE_FAILURE
)
3298 unit_log_process_exit(
3301 socket_exec_command_to_string(s
->control_command_id
),
3302 f
== SOCKET_SUCCESS
,
3305 if (s
->result
== SOCKET_SUCCESS
)
3308 if (s
->control_command
&&
3309 s
->control_command
->command_next
&&
3310 f
== SOCKET_SUCCESS
) {
3312 log_unit_debug(u
, "Running next command for state %s", socket_state_to_string(s
->state
));
3315 s
->control_command
= NULL
;
3316 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
3318 /* No further commands for this step, so let's figure
3319 * out what to do next */
3321 log_unit_debug(u
, "Got final SIGCHLD for state %s", socket_state_to_string(s
->state
));
3325 case SOCKET_START_PRE
:
3326 if (f
== SOCKET_SUCCESS
)
3327 socket_enter_start_open(s
);
3329 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, f
);
3332 case SOCKET_START_CHOWN
:
3333 if (f
== SOCKET_SUCCESS
)
3334 socket_enter_start_post(s
);
3336 socket_enter_stop_pre(s
, f
);
3339 case SOCKET_START_POST
:
3340 if (f
== SOCKET_SUCCESS
)
3341 socket_enter_listening(s
);
3343 socket_enter_stop_pre(s
, f
);
3346 case SOCKET_STOP_PRE
:
3347 case SOCKET_STOP_PRE_SIGTERM
:
3348 case SOCKET_STOP_PRE_SIGKILL
:
3349 socket_enter_stop_post(s
, f
);
3352 case SOCKET_STOP_POST
:
3353 case SOCKET_FINAL_SIGTERM
:
3354 case SOCKET_FINAL_SIGKILL
:
3355 socket_enter_dead(s
, f
);
3358 case SOCKET_CLEANING
:
3360 if (s
->clean_result
== SOCKET_SUCCESS
)
3361 s
->clean_result
= f
;
3363 socket_enter_dead(s
, SOCKET_SUCCESS
);
3367 assert_not_reached();
3371 /* Notify clients about changed exit status */
3372 unit_add_to_dbus_queue(u
);
3375 static int socket_dispatch_timer(sd_event_source
*source
, usec_t usec
, void *userdata
) {
3376 Socket
*s
= ASSERT_PTR(SOCKET(userdata
));
3378 assert(s
->timer_event_source
== source
);
3382 case SOCKET_START_PRE
:
3383 log_unit_warning(UNIT(s
), "Starting timed out. Terminating.");
3384 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3387 case SOCKET_START_CHOWN
:
3388 case SOCKET_START_POST
:
3389 log_unit_warning(UNIT(s
), "Starting timed out. Stopping.");
3390 socket_enter_stop_pre(s
, SOCKET_FAILURE_TIMEOUT
);
3393 case SOCKET_DEFERRED
:
3394 log_unit_warning(UNIT(s
), "DeferTriggerMaxSec= elapsed. Stopping.");
3395 socket_enter_stop_pre(s
, SOCKET_FAILURE_TIMEOUT
);
3398 case SOCKET_STOP_PRE
:
3399 log_unit_warning(UNIT(s
), "Stopping timed out. Terminating.");
3400 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3403 case SOCKET_STOP_PRE_SIGTERM
:
3404 if (s
->kill_context
.send_sigkill
) {
3405 log_unit_warning(UNIT(s
), "Stopping timed out. Killing.");
3406 socket_enter_signal(s
, SOCKET_STOP_PRE_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3408 log_unit_warning(UNIT(s
), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3409 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3413 case SOCKET_STOP_PRE_SIGKILL
:
3414 log_unit_warning(UNIT(s
), "Processes still around after SIGKILL. Ignoring.");
3415 socket_enter_stop_post(s
, SOCKET_FAILURE_TIMEOUT
);
3418 case SOCKET_STOP_POST
:
3419 log_unit_warning(UNIT(s
), "Stopping timed out (2). Terminating.");
3420 socket_enter_signal(s
, SOCKET_FINAL_SIGTERM
, SOCKET_FAILURE_TIMEOUT
);
3423 case SOCKET_FINAL_SIGTERM
:
3424 if (s
->kill_context
.send_sigkill
) {
3425 log_unit_warning(UNIT(s
), "Stopping timed out (2). Killing.");
3426 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, SOCKET_FAILURE_TIMEOUT
);
3428 log_unit_warning(UNIT(s
), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3429 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3433 case SOCKET_FINAL_SIGKILL
:
3434 log_unit_warning(UNIT(s
), "Still around after SIGKILL (2). Entering failed mode.");
3435 socket_enter_dead(s
, SOCKET_FAILURE_TIMEOUT
);
3438 case SOCKET_CLEANING
:
3439 log_unit_warning(UNIT(s
), "Cleaning timed out. killing.");
3441 if (s
->clean_result
== SOCKET_SUCCESS
)
3442 s
->clean_result
= SOCKET_FAILURE_TIMEOUT
;
3444 socket_enter_signal(s
, SOCKET_FINAL_SIGKILL
, 0);
3448 assert_not_reached();
3454 int socket_collect_fds(Socket
*s
, int **ret
) {
3455 size_t n
= 0, k
= 0;
3460 /* Called from the service code for requesting our fds */
3462 LIST_FOREACH(port
, p
, s
->ports
) {
3465 n
+= p
->n_auxiliary_fds
;
3473 int *fds
= new(int, n
);
3477 LIST_FOREACH(port
, p
, s
->ports
) {
3480 FOREACH_ARRAY(i
, p
->auxiliary_fds
, p
->n_auxiliary_fds
)
3490 static void socket_reset_failed(Unit
*u
) {
3491 Socket
*s
= SOCKET(u
);
3495 if (s
->state
== SOCKET_FAILED
)
3496 socket_set_state(s
, SOCKET_DEAD
);
3498 s
->result
= SOCKET_SUCCESS
;
3499 s
->clean_result
= SOCKET_SUCCESS
;
3502 void socket_connection_unref(Socket
*s
) {
3505 /* The service is dead. Yay!
3507 * This is strictly for one-instance-per-connection
3510 assert(s
->n_connections
> 0);
3513 log_unit_debug(UNIT(s
), "One connection closed, %u left.", s
->n_connections
);
3516 static void socket_trigger_notify(Unit
*u
, Unit
*other
) {
3517 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3521 /* Filter out invocations with bogus state */
3522 assert(UNIT_IS_LOAD_COMPLETE(other
->load_state
));
3524 Service
*service
= ASSERT_PTR(SERVICE(other
));
3526 /* Don't propagate state changes from the service if we are already down */
3527 if (!IN_SET(s
->state
, SOCKET_RUNNING
, SOCKET_LISTENING
, SOCKET_DEFERRED
))
3530 /* We don't care for the service state if we are in Accept=yes mode */
3534 /* Propagate start limit hit state */
3535 if (other
->start_limit_hit
) {
3536 socket_enter_stop_pre(s
, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
);
3540 /* Don't propagate anything if there's still a job queued */
3544 if (!SOCKET_SERVICE_IS_ACTIVE(service
, /* allow_finalize = */ true))
3545 socket_enter_listening(s
);
3547 if (SERVICE(other
)->state
== SERVICE_RUNNING
)
3548 socket_set_state(s
, SOCKET_RUNNING
);
3551 static void socket_handoff_timestamp(
3553 const struct ucred
*ucred
,
3554 const dual_timestamp
*ts
) {
3556 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3561 if (s
->control_pid
.pid
== ucred
->pid
&& s
->control_command
) {
3562 exec_status_handoff(&s
->control_command
->exec_status
, ucred
, ts
);
3563 unit_add_to_dbus_queue(u
);
3567 static int socket_get_timeout(Unit
*u
, usec_t
*timeout
) {
3568 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3572 if (!s
->timer_event_source
)
3575 r
= sd_event_source_get_time(s
->timer_event_source
, &t
);
3578 if (t
== USEC_INFINITY
)
3585 const char* socket_fdname(Socket
*s
) {
3588 /* Returns the name to use for $LISTEN_FDNAMES. If the user didn't specify anything specifically,
3589 * use the socket unit's name as fallback for Accept=no sockets, "connection" otherwise. */
3595 return "connection";
3600 static PidRef
* socket_control_pid(Unit
*u
) {
3601 return &ASSERT_PTR(SOCKET(u
))->control_pid
;
3604 static int socket_clean(Unit
*u
, ExecCleanMask mask
) {
3605 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3606 _cleanup_strv_free_
char **l
= NULL
;
3611 if (s
->state
!= SOCKET_DEAD
)
3614 r
= exec_context_get_clean_directories(&s
->exec_context
, u
->manager
->prefix
, mask
, &l
);
3618 if (strv_isempty(l
))
3621 socket_unwatch_control_pid(s
);
3622 s
->clean_result
= SOCKET_SUCCESS
;
3623 s
->control_command
= NULL
;
3624 s
->control_command_id
= _SOCKET_EXEC_COMMAND_INVALID
;
3626 r
= socket_arm_timer(s
, /* relative= */ true, s
->exec_context
.timeout_clean_usec
);
3628 log_unit_warning_errno(u
, r
, "Failed to install timer: %m");
3632 r
= unit_fork_and_watch_rm_rf(u
, l
, &s
->control_pid
);
3634 log_unit_warning_errno(u
, r
, "Failed to spawn cleaning task: %m");
3638 socket_set_state(s
, SOCKET_CLEANING
);
3642 s
->clean_result
= SOCKET_FAILURE_RESOURCES
;
3643 s
->timer_event_source
= sd_event_source_disable_unref(s
->timer_event_source
);
3647 static int socket_can_clean(Unit
*u
, ExecCleanMask
*ret
) {
3648 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3650 return exec_context_get_clean_mask(&s
->exec_context
, ret
);
3653 static int socket_can_start(Unit
*u
) {
3654 Socket
*s
= ASSERT_PTR(SOCKET(u
));
3657 r
= unit_test_start_limit(u
);
3659 socket_enter_dead(s
, SOCKET_FAILURE_START_LIMIT_HIT
);
3666 static const char* const socket_exec_command_table
[_SOCKET_EXEC_COMMAND_MAX
] = {
3667 [SOCKET_EXEC_START_PRE
] = "ExecStartPre",
3668 [SOCKET_EXEC_START_CHOWN
] = "ExecStartChown",
3669 [SOCKET_EXEC_START_POST
] = "ExecStartPost",
3670 [SOCKET_EXEC_STOP_PRE
] = "ExecStopPre",
3671 [SOCKET_EXEC_STOP_POST
] = "ExecStopPost",
3674 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command
, SocketExecCommand
);
3676 static const char* const socket_result_table
[_SOCKET_RESULT_MAX
] = {
3677 [SOCKET_SUCCESS
] = "success",
3678 [SOCKET_FAILURE_RESOURCES
] = "resources",
3679 [SOCKET_FAILURE_TIMEOUT
] = "timeout",
3680 [SOCKET_FAILURE_EXIT_CODE
] = "exit-code",
3681 [SOCKET_FAILURE_SIGNAL
] = "signal",
3682 [SOCKET_FAILURE_CORE_DUMP
] = "core-dump",
3683 [SOCKET_FAILURE_START_LIMIT_HIT
] = "start-limit-hit",
3684 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT
] = "trigger-limit-hit",
3685 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT
] = "service-start-limit-hit",
3688 DEFINE_STRING_TABLE_LOOKUP(socket_result
, SocketResult
);
3690 static const char* const socket_timestamping_table
[_SOCKET_TIMESTAMPING_MAX
] = {
3691 [SOCKET_TIMESTAMPING_OFF
] = "off",
3692 [SOCKET_TIMESTAMPING_US
] = "us",
3693 [SOCKET_TIMESTAMPING_NS
] = "ns",
3696 DEFINE_STRING_TABLE_LOOKUP(socket_timestamping
, SocketTimestamping
);
3698 SocketTimestamping
socket_timestamping_from_string_harder(const char *p
) {
3699 SocketTimestamping t
;
3703 return _SOCKET_TIMESTAMPING_INVALID
;
3705 t
= socket_timestamping_from_string(p
);
3709 /* Let's alternatively support the various other aliases parse_time() accepts for ns and µs here,
3711 if (streq(p
, "nsec"))
3712 return SOCKET_TIMESTAMPING_NS
;
3713 if (STR_IN_SET(p
, "usec", "µs", "μs")) /* Accept both small greek letter mu + micro sign unicode codepoints */
3714 return SOCKET_TIMESTAMPING_US
;
3716 r
= parse_boolean(p
);
3718 return _SOCKET_TIMESTAMPING_INVALID
;
3720 return r
? SOCKET_TIMESTAMPING_NS
: SOCKET_TIMESTAMPING_OFF
; /* If boolean yes, default to ns accuracy */
3723 static const char* const socket_defer_trigger_table
[_SOCKET_DEFER_MAX
] = {
3724 [SOCKET_DEFER_NO
] = "no",
3725 [SOCKET_DEFER_YES
] = "yes",
3726 [SOCKET_DEFER_PATIENT
] = "patient",
3729 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(socket_defer_trigger
, SocketDeferTrigger
, SOCKET_DEFER_YES
);
3731 const UnitVTable socket_vtable
= {
3732 .object_size
= sizeof(Socket
),
3733 .exec_context_offset
= offsetof(Socket
, exec_context
),
3734 .cgroup_context_offset
= offsetof(Socket
, cgroup_context
),
3735 .kill_context_offset
= offsetof(Socket
, kill_context
),
3736 .exec_runtime_offset
= offsetof(Socket
, exec_runtime
),
3737 .cgroup_runtime_offset
= offsetof(Socket
, cgroup_runtime
),
3743 .private_section
= "Socket",
3745 .can_transient
= true,
3746 .can_trigger
= true,
3749 .init
= socket_init
,
3750 .done
= socket_done
,
3751 .load
= socket_load
,
3753 .coldplug
= socket_coldplug
,
3755 .dump
= socket_dump
,
3757 .start
= socket_start
,
3758 .stop
= socket_stop
,
3760 .clean
= socket_clean
,
3761 .can_clean
= socket_can_clean
,
3763 .get_timeout
= socket_get_timeout
,
3765 .serialize
= socket_serialize
,
3766 .deserialize_item
= socket_deserialize_item
,
3767 .distribute_fds
= socket_distribute_fds
,
3769 .active_state
= socket_active_state
,
3770 .sub_state_to_string
= socket_sub_state_to_string
,
3772 .will_restart
= unit_will_restart_default
,
3774 .may_gc
= socket_may_gc
,
3776 .sigchld_event
= socket_sigchld_event
,
3778 .trigger_notify
= socket_trigger_notify
,
3780 .stop_notify
= socket_stop_notify
,
3782 .reset_failed
= socket_reset_failed
,
3784 .notify_handoff_timestamp
= socket_handoff_timestamp
,
3786 .control_pid
= socket_control_pid
,
3788 .bus_set_property
= bus_socket_set_property
,
3789 .bus_commit_properties
= bus_socket_commit_properties
,
3791 .status_message_formats
= {
3792 .finished_start_job
= {
3793 [JOB_DONE
] = "Listening on %s.",
3794 [JOB_FAILED
] = "Failed to listen on %s.",
3795 [JOB_TIMEOUT
] = "Timed out starting %s.",
3797 .finished_stop_job
= {
3798 [JOB_DONE
] = "Closed %s.",
3799 [JOB_FAILED
] = "Failed stopping %s.",
3800 [JOB_TIMEOUT
] = "Timed out stopping %s.",
3804 .can_start
= socket_can_start
,