1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "glyph-util.h"
4 #include "in-addr-util.h"
5 #include "resolved-dns-synthesize.h"
6 #include "resolved-varlink.h"
7 #include "socket-netlink.h"
9 typedef struct LookupParameters
{
13 union in_addr_union address
;
18 static void lookup_parameters_destroy(LookupParameters
*p
) {
23 static int reply_query_state(DnsQuery
*q
) {
26 assert(q
->varlink_request
);
30 case DNS_TRANSACTION_NO_SERVERS
:
31 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.NoNameServers", NULL
);
33 case DNS_TRANSACTION_TIMEOUT
:
34 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.QueryTimedOut", NULL
);
36 case DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
:
37 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.MaxAttemptsReached", NULL
);
39 case DNS_TRANSACTION_INVALID_REPLY
:
40 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.InvalidReply", NULL
);
42 case DNS_TRANSACTION_ERRNO
:
43 return varlink_error_errno(q
->varlink_request
, q
->answer_errno
);
45 case DNS_TRANSACTION_ABORTED
:
46 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.QueryAborted", NULL
);
48 case DNS_TRANSACTION_DNSSEC_FAILED
:
49 return varlink_errorb(q
->varlink_request
, "io.systemd.Resolve.DNSSECValidationFailed",
50 JSON_BUILD_OBJECT(JSON_BUILD_PAIR("result", JSON_BUILD_STRING(dnssec_result_to_string(q
->answer_dnssec_result
)))));
52 case DNS_TRANSACTION_NO_TRUST_ANCHOR
:
53 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.NoTrustAnchor", NULL
);
55 case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED
:
56 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.ResourceRecordTypeUnsupported", NULL
);
58 case DNS_TRANSACTION_NETWORK_DOWN
:
59 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.NetworkDown", NULL
);
61 case DNS_TRANSACTION_NO_SOURCE
:
62 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.NoSource", NULL
);
64 case DNS_TRANSACTION_STUB_LOOP
:
65 return varlink_error(q
->varlink_request
, "io.systemd.Resolve.StubLoop", NULL
);
67 case DNS_TRANSACTION_NOT_FOUND
:
68 /* We return this as NXDOMAIN. This is only generated when a host doesn't implement LLMNR/TCP, and we
69 * thus quickly know that we cannot resolve an in-addr.arpa or ip6.arpa address. */
70 return varlink_errorb(q
->varlink_request
, "io.systemd.Resolve.DNSError",
71 JSON_BUILD_OBJECT(JSON_BUILD_PAIR("rcode", JSON_BUILD_INTEGER(DNS_RCODE_NXDOMAIN
))));
73 case DNS_TRANSACTION_RCODE_FAILURE
:
74 return varlink_errorb(q
->varlink_request
, "io.systemd.Resolve.DNSError",
75 JSON_BUILD_OBJECT(JSON_BUILD_PAIR("rcode", JSON_BUILD_INTEGER(q
->answer_rcode
))));
77 case DNS_TRANSACTION_NULL
:
78 case DNS_TRANSACTION_PENDING
:
79 case DNS_TRANSACTION_VALIDATING
:
80 case DNS_TRANSACTION_SUCCESS
:
86 static void vl_on_disconnect(VarlinkServer
*s
, Varlink
*link
, void *userdata
) {
92 q
= varlink_get_userdata(link
);
96 if (!DNS_TRANSACTION_IS_LIVE(q
->state
))
99 log_debug("Client of active query vanished, aborting query.");
100 dns_query_complete(q
, DNS_TRANSACTION_ABORTED
);
103 static void vl_on_notification_disconnect(VarlinkServer
*s
, Varlink
*link
, void *userdata
) {
104 Manager
*m
= ASSERT_PTR(userdata
);
109 Varlink
*removed_link
= set_remove(m
->varlink_subscription
, link
);
111 varlink_unref(removed_link
);
112 log_debug("%u monitor clients remain active", set_size(m
->varlink_subscription
));
116 static bool validate_and_mangle_flags(
123 /* This checks that the specified client-provided flags parameter actually makes sense, and mangles
124 * it slightly. Specifically:
126 * 1. We check that only the protocol flags and a bunch of NO_XYZ flags are on at most, plus the
127 * method-specific flags specified in 'ok'.
129 * 2. If no protocols are enabled we automatically convert that to "all protocols are enabled".
131 * The second rule means that clients can just pass 0 as flags for the common case, and all supported
132 * protocols are enabled. Moreover it's useful so that client's do not have to be aware of all
133 * protocols implemented in resolved, but can use 0 as protocols flags set as indicator for
137 if (*flags
& ~(SD_RESOLVED_PROTOCOLS_ALL
|
138 SD_RESOLVED_NO_CNAME
|
139 SD_RESOLVED_NO_VALIDATE
|
140 SD_RESOLVED_NO_SYNTHESIZE
|
141 SD_RESOLVED_NO_CACHE
|
143 SD_RESOLVED_NO_TRUST_ANCHOR
|
144 SD_RESOLVED_NO_NETWORK
|
148 if ((*flags
& SD_RESOLVED_PROTOCOLS_ALL
) == 0) /* If no protocol is enabled, enable all */
149 *flags
|= SD_RESOLVED_PROTOCOLS_ALL
;
151 /* If the SD_RESOLVED_NO_SEARCH flag is acceptable, and the query name is dot-suffixed, turn off
152 * search domains. Note that DNS name normalization drops the dot suffix, hence we propagate this
153 * into the flags field as early as we can. */
154 if (name
&& FLAGS_SET(ok
, SD_RESOLVED_NO_SEARCH
) && dns_name_dot_suffixed(name
) > 0)
155 *flags
|= SD_RESOLVED_NO_SEARCH
;
160 static void vl_method_resolve_hostname_complete(DnsQuery
*query
) {
161 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*canonical
= NULL
;
162 _cleanup_(json_variant_unrefp
) JsonVariant
*array
= NULL
;
163 _cleanup_(dns_query_freep
) DnsQuery
*q
= query
;
164 _cleanup_free_
char *normalized
= NULL
;
165 DnsResourceRecord
*rr
;
166 DnsQuestion
*question
;
171 if (q
->state
!= DNS_TRANSACTION_SUCCESS
) {
172 r
= reply_query_state(q
);
176 r
= dns_query_process_cname_many(q
);
178 r
= varlink_error(q
->varlink_request
, "io.systemd.Resolve.CNAMELoop", NULL
);
183 if (r
== DNS_QUERY_CNAME
) {
184 /* This was a cname, and the query was restarted. */
189 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
191 DNS_ANSWER_FOREACH_IFINDEX(rr
, ifindex
, q
->answer
) {
192 _cleanup_(json_variant_unrefp
) JsonVariant
*entry
= NULL
;
196 r
= dns_question_matches_rr(question
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
202 if (rr
->key
->type
== DNS_TYPE_A
) {
205 } else if (rr
->key
->type
== DNS_TYPE_AAAA
) {
207 p
= &rr
->aaaa
.in6_addr
;
213 r
= json_build(&entry
,
215 JSON_BUILD_PAIR_CONDITION(ifindex
> 0, "ifindex", JSON_BUILD_INTEGER(ifindex
)),
216 JSON_BUILD_PAIR("family", JSON_BUILD_INTEGER(family
)),
217 JSON_BUILD_PAIR("address", JSON_BUILD_BYTE_ARRAY(p
, FAMILY_ADDRESS_SIZE(family
)))));
222 canonical
= dns_resource_record_ref(rr
);
224 r
= json_variant_append_array(&array
, entry
);
229 if (json_variant_is_blank_object(array
)) {
230 r
= varlink_error(q
->varlink_request
, "io.systemd.Resolve.NoSuchResourceRecord", NULL
);
235 r
= dns_name_normalize(dns_resource_key_name(canonical
->key
), 0, &normalized
);
239 r
= varlink_replyb(q
->varlink_request
,
241 JSON_BUILD_PAIR("addresses", JSON_BUILD_VARIANT(array
)),
242 JSON_BUILD_PAIR("name", JSON_BUILD_STRING(normalized
)),
243 JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(dns_query_reply_flags_make(q
)))));
246 log_error_errno(r
, "Failed to send hostname reply: %m");
247 r
= varlink_error_errno(q
->varlink_request
, r
);
251 static int parse_as_address(Varlink
*link
, LookupParameters
*p
) {
252 _cleanup_free_
char *canonical
= NULL
;
253 int r
, ff
, parsed_ifindex
, ifindex
;
254 union in_addr_union parsed
;
259 /* Check if this parses as literal address. If so, just parse it and return that, do not involve networking */
260 r
= in_addr_ifindex_from_string_auto(p
->name
, &ff
, &parsed
, &parsed_ifindex
);
262 return 0; /* not a literal address */
264 /* Make sure the data we parsed matches what is requested */
265 if ((p
->family
!= AF_UNSPEC
&& ff
!= p
->family
) ||
266 (p
->ifindex
> 0 && parsed_ifindex
> 0 && parsed_ifindex
!= p
->ifindex
))
267 return varlink_error(link
, "io.systemd.Resolve.NoSuchResourceRecord", NULL
);
269 ifindex
= parsed_ifindex
> 0 ? parsed_ifindex
: p
->ifindex
;
271 /* Reformat the address as string, to return as canonicalized name */
272 r
= in_addr_ifindex_to_string(ff
, &parsed
, ifindex
, &canonical
);
276 return varlink_replyb(
279 JSON_BUILD_PAIR("addresses",
282 JSON_BUILD_PAIR_CONDITION(ifindex
> 0, "ifindex", JSON_BUILD_INTEGER(ifindex
)),
283 JSON_BUILD_PAIR("family", JSON_BUILD_INTEGER(ff
)),
284 JSON_BUILD_PAIR("address", JSON_BUILD_BYTE_ARRAY(&parsed
, FAMILY_ADDRESS_SIZE(ff
)))))),
285 JSON_BUILD_PAIR("name", JSON_BUILD_STRING(canonical
)),
286 JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(SD_RESOLVED_FLAGS_MAKE(dns_synthesize_protocol(p
->flags
), ff
, true, true)|
287 SD_RESOLVED_SYNTHETIC
))));
290 static int vl_method_resolve_hostname(Varlink
*link
, JsonVariant
*parameters
, VarlinkMethodFlags flags
, void *userdata
) {
291 static const JsonDispatch dispatch_table
[] = {
292 { "ifindex", JSON_VARIANT_UNSIGNED
, json_dispatch_int
, offsetof(LookupParameters
, ifindex
), 0 },
293 { "name", JSON_VARIANT_STRING
, json_dispatch_string
, offsetof(LookupParameters
, name
), JSON_MANDATORY
},
294 { "family", JSON_VARIANT_UNSIGNED
, json_dispatch_int
, offsetof(LookupParameters
, family
), 0 },
295 { "flags", JSON_VARIANT_UNSIGNED
, json_dispatch_uint64
, offsetof(LookupParameters
, flags
), 0 },
299 _cleanup_(dns_question_unrefp
) DnsQuestion
*question_idna
= NULL
, *question_utf8
= NULL
;
300 _cleanup_(lookup_parameters_destroy
) LookupParameters p
= {
303 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
309 m
= varlink_server_get_userdata(varlink_get_server(link
));
312 if (FLAGS_SET(flags
, VARLINK_METHOD_ONEWAY
))
315 r
= json_dispatch(parameters
, dispatch_table
, NULL
, 0, &p
);
320 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("ifindex"));
322 r
= dns_name_is_valid(p
.name
);
326 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("name"));
328 if (!IN_SET(p
.family
, AF_UNSPEC
, AF_INET
, AF_INET6
))
329 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("family"));
331 if (!validate_and_mangle_flags(p
.name
, &p
.flags
, SD_RESOLVED_NO_SEARCH
))
332 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("flags"));
334 r
= parse_as_address(link
, &p
);
338 r
= dns_question_new_address(&question_utf8
, p
.family
, p
.name
, false);
342 r
= dns_question_new_address(&question_idna
, p
.family
, p
.name
, true);
343 if (r
< 0 && r
!= -EALREADY
)
346 r
= dns_query_new(m
, &q
, question_utf8
, question_idna
?: question_utf8
, NULL
, p
.ifindex
, p
.flags
);
350 q
->varlink_request
= varlink_ref(link
);
351 varlink_set_userdata(link
, q
);
352 q
->request_family
= p
.family
;
353 q
->request_name
= strdup(p
.name
);
354 if (!q
->request_name
)
356 q
->complete
= vl_method_resolve_hostname_complete
;
366 static int json_dispatch_address(const char *name
, JsonVariant
*variant
, JsonDispatchFlags flags
, void *userdata
) {
367 LookupParameters
*p
= ASSERT_PTR(userdata
);
368 union in_addr_union buf
= {};
374 if (!json_variant_is_array(variant
))
375 return json_log(variant
, flags
, SYNTHETIC_ERRNO(EINVAL
), "JSON field '%s' is not an array.", strna(name
));
377 n
= json_variant_elements(variant
);
378 if (!IN_SET(n
, 4, 16))
379 return json_log(variant
, flags
, SYNTHETIC_ERRNO(EINVAL
), "JSON field '%s' is array of unexpected size.", strna(name
));
381 JSON_VARIANT_ARRAY_FOREACH(i
, variant
) {
384 if (!json_variant_is_integer(i
))
385 return json_log(variant
, flags
, SYNTHETIC_ERRNO(EINVAL
), "Element %zu of JSON field '%s' is not an integer.", k
, strna(name
));
387 b
= json_variant_integer(i
);
388 if (b
< 0 || b
> 0xff)
389 return json_log(variant
, flags
, SYNTHETIC_ERRNO(EINVAL
),
390 "Element %zu of JSON field '%s' is out of range 0%s255.",
391 k
, strna(name
), special_glyph(SPECIAL_GLYPH_ELLIPSIS
));
393 buf
.bytes
[k
++] = (uint8_t) b
;
402 static void vl_method_resolve_address_complete(DnsQuery
*query
) {
403 _cleanup_(json_variant_unrefp
) JsonVariant
*array
= NULL
;
404 _cleanup_(dns_query_freep
) DnsQuery
*q
= query
;
405 DnsQuestion
*question
;
406 DnsResourceRecord
*rr
;
411 if (q
->state
!= DNS_TRANSACTION_SUCCESS
) {
412 r
= reply_query_state(q
);
416 r
= dns_query_process_cname_many(q
);
418 r
= varlink_error(q
->varlink_request
, "io.systemd.Resolve.CNAMELoop", NULL
);
423 if (r
== DNS_QUERY_CNAME
) {
424 /* This was a cname, and the query was restarted. */
429 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
431 DNS_ANSWER_FOREACH_IFINDEX(rr
, ifindex
, q
->answer
) {
432 _cleanup_(json_variant_unrefp
) JsonVariant
*entry
= NULL
;
433 _cleanup_free_
char *normalized
= NULL
;
435 r
= dns_question_matches_rr(question
, rr
, NULL
);
441 r
= dns_name_normalize(rr
->ptr
.name
, 0, &normalized
);
445 r
= json_build(&entry
,
447 JSON_BUILD_PAIR_CONDITION(ifindex
> 0, "ifindex", JSON_BUILD_INTEGER(ifindex
)),
448 JSON_BUILD_PAIR("name", JSON_BUILD_STRING(normalized
))));
452 r
= json_variant_append_array(&array
, entry
);
457 if (json_variant_is_blank_object(array
)) {
458 r
= varlink_error(q
->varlink_request
, "io.systemd.Resolve.NoSuchResourceRecord", NULL
);
462 r
= varlink_replyb(q
->varlink_request
,
464 JSON_BUILD_PAIR("names", JSON_BUILD_VARIANT(array
)),
465 JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(dns_query_reply_flags_make(q
)))));
468 log_error_errno(r
, "Failed to send address reply: %m");
469 r
= varlink_error_errno(q
->varlink_request
, r
);
473 static int vl_method_resolve_address(Varlink
*link
, JsonVariant
*parameters
, VarlinkMethodFlags flags
, void *userdata
) {
474 static const JsonDispatch dispatch_table
[] = {
475 { "ifindex", JSON_VARIANT_UNSIGNED
, json_dispatch_int
, offsetof(LookupParameters
, ifindex
), 0 },
476 { "family", JSON_VARIANT_UNSIGNED
, json_dispatch_int
, offsetof(LookupParameters
, family
), JSON_MANDATORY
},
477 { "address", JSON_VARIANT_ARRAY
, json_dispatch_address
, 0, JSON_MANDATORY
},
478 { "flags", JSON_VARIANT_UNSIGNED
, json_dispatch_uint64
, offsetof(LookupParameters
, flags
), 0 },
482 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
483 _cleanup_(lookup_parameters_destroy
) LookupParameters p
= {
486 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
492 m
= varlink_server_get_userdata(varlink_get_server(link
));
495 if (FLAGS_SET(flags
, VARLINK_METHOD_ONEWAY
))
498 r
= json_dispatch(parameters
, dispatch_table
, NULL
, 0, &p
);
503 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("ifindex"));
505 if (!IN_SET(p
.family
, AF_INET
, AF_INET6
))
506 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("family"));
508 if (FAMILY_ADDRESS_SIZE(p
.family
) != p
.address_size
)
509 return varlink_error(link
, "io.systemd.UserDatabase.BadAddressSize", NULL
);
511 if (!validate_and_mangle_flags(NULL
, &p
.flags
, 0))
512 return varlink_error_invalid_parameter(link
, JSON_VARIANT_STRING_CONST("flags"));
514 r
= dns_question_new_reverse(&question
, p
.family
, &p
.address
);
518 r
= dns_query_new(m
, &q
, question
, question
, NULL
, p
.ifindex
, p
.flags
|SD_RESOLVED_NO_SEARCH
);
522 q
->varlink_request
= varlink_ref(link
);
523 varlink_set_userdata(link
, q
);
525 q
->request_family
= p
.family
;
526 q
->request_address
= p
.address
;
527 q
->complete
= vl_method_resolve_address_complete
;
537 static int vl_method_subscribe_dns_resolves(Varlink
*link
, JsonVariant
*parameters
, VarlinkMethodFlags flags
, void *userdata
) {
543 m
= varlink_server_get_userdata(varlink_get_server(link
));
546 if (json_variant_elements(parameters
) > 0)
547 return varlink_error_invalid_parameter(link
, parameters
);
549 r
= set_ensure_put(&m
->varlink_subscription
, NULL
, link
);
551 return log_error_errno(r
, "Failed to add subscription to set: %m");
554 log_debug("%u clients now attached for varlink notifications", set_size(m
->varlink_subscription
));
556 /* if the client didn't set the more flag, return an empty response and close the connection */
557 if (!FLAGS_SET(flags
, VARLINK_METHOD_MORE
))
558 return varlink_reply(link
, NULL
);
563 int manager_varlink_init(Manager
*m
) {
564 _cleanup_(varlink_server_unrefp
) VarlinkServer
*s
= NULL
;
569 if (m
->varlink_server
)
572 r
= varlink_server_new(&s
, VARLINK_SERVER_ACCOUNT_UID
);
574 return log_error_errno(r
, "Failed to allocate varlink server object: %m");
576 varlink_server_set_userdata(s
, m
);
578 r
= varlink_server_bind_method_many(
580 "io.systemd.Resolve.ResolveHostname", vl_method_resolve_hostname
,
581 "io.systemd.Resolve.ResolveAddress", vl_method_resolve_address
);
583 return log_error_errno(r
, "Failed to register varlink methods: %m");
585 r
= varlink_server_bind_disconnect(s
, vl_on_disconnect
);
587 return log_error_errno(r
, "Failed to register varlink disconnect handler: %m");
589 r
= varlink_server_listen_address(s
, "/run/systemd/resolve/io.systemd.Resolve", 0666);
591 return log_error_errno(r
, "Failed to bind to varlink socket: %m");
593 r
= varlink_server_attach_event(s
, m
->event
, SD_EVENT_PRIORITY_NORMAL
);
595 return log_error_errno(r
, "Failed to attach varlink connection to event loop: %m");
597 m
->varlink_server
= TAKE_PTR(s
);
599 if (m
->enable_varlink_notifications
) {
600 if (m
->varlink_notification_server
)
603 r
= varlink_server_new(&s
, VARLINK_SERVER_ACCOUNT_UID
);
605 return log_error_errno(r
, "Failed to allocate varlink server object: %m");
607 varlink_server_set_userdata(s
, m
);
609 r
= varlink_server_bind_method_many(
611 "io.systemd.Resolve.Monitor.SubscribeDnsResolves",
612 vl_method_subscribe_dns_resolves
);
614 return log_error_errno(r
, "Failed to register varlink methods: %m");
616 r
= varlink_server_bind_disconnect(s
, vl_on_notification_disconnect
);
618 return log_error_errno(r
, "Failed to register varlink disconnect handler: %m");
620 r
= varlink_server_listen_address(s
, "/run/systemd/resolve/io.systemd.Resolve.Monitor", 0660);
622 return log_error_errno(r
, "Failed to bind to varlink socket: %m");
624 r
= varlink_server_attach_event(s
, m
->event
, SD_EVENT_PRIORITY_NORMAL
);
626 return log_error_errno(r
, "Failed to attach varlink connection to event loop: %m");
628 m
->varlink_notification_server
= TAKE_PTR(s
);
634 void manager_varlink_done(Manager
*m
) {
637 m
->varlink_server
= varlink_server_unref(m
->varlink_server
);
638 m
->varlink_notification_server
= varlink_server_unref(m
->varlink_notification_server
);