#include "bus-util.h"
#include "copy.h"
#include "dbus-socket.h"
+#include "dbus-unit.h"
#include "def.h"
#include "exit-status.h"
#include "fd-util.h"
#include "fs-util.h"
#include "in-addr-util.h"
#include "io-util.h"
+#include "ip-protocol-list.h"
#include "label.h"
#include "log.h"
#include "missing.h"
#include "path-util.h"
#include "process-util.h"
#include "selinux-util.h"
+#include "serialize.h"
#include "signal-util.h"
#include "smack-util.h"
#include "socket.h"
-#include "socket-protocol-list.h"
#include "special.h"
#include "string-table.h"
#include "string-util.h"
return 0;
}
-static void peer_address_hash_func(const void *p, struct siphash *state) {
- const SocketPeer *s = p;
-
+static void peer_address_hash_func(const SocketPeer *s, struct siphash *state) {
assert(s);
if (s->peer.sa.sa_family == AF_INET)
assert_not_reached("Unknown address family.");
}
-static int peer_address_compare_func(const void *a, const void *b) {
- const SocketPeer *x = a, *y = b;
+static int peer_address_compare_func(const SocketPeer *x, const SocketPeer *y) {
int r;
r = CMP(x->peer.sa.sa_family, y->peer.sa.sa_family);
assert_not_reached("Black sheep in the family!");
}
-const struct hash_ops peer_address_hash_ops = {
- .hash = peer_address_hash_func,
- .compare = peer_address_compare_func
-};
+DEFINE_PRIVATE_HASH_OPS(peer_address_hash_ops, SocketPeer, peer_address_hash_func, peer_address_compare_func);
static int socket_load(Unit *u) {
Socket *s = SOCKET(u);
r = getpeername(fd, &sa.peer.sa, &salen);
if (r < 0)
- return log_error_errno(errno, "getpeername failed: %m");
+ return log_unit_error_errno(UNIT(s), errno, "getpeername failed: %m");
if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
*p = NULL;
prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
prefix, s->trigger_limit.burst);
- str = socket_protocol_to_name(s->socket_protocol);
+ str = ip_protocol_to_name(s->socket_protocol);
if (str)
fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
assert(fd >= 0);
if (s->keep_alive) {
- int one = 1;
- if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
+ r = setsockopt_int(fd, SOL_SOCKET, SO_KEEPALIVE, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_KEEPALIVE failed: %m");
}
if (s->keep_alive_time > 0) {
- int value = s->keep_alive_time / USEC_PER_SEC;
- if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
+ r = setsockopt_int(fd, SOL_TCP, TCP_KEEPIDLE, s->keep_alive_time / USEC_PER_SEC);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "TCP_KEEPIDLE failed: %m");
}
if (s->keep_alive_interval > 0) {
- int value = s->keep_alive_interval / USEC_PER_SEC;
- if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
+ r = setsockopt_int(fd, SOL_TCP, TCP_KEEPINTVL, s->keep_alive_interval / USEC_PER_SEC);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "TCP_KEEPINTVL failed: %m");
}
if (s->keep_alive_cnt > 0) {
- int value = s->keep_alive_cnt;
- if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
+ r = setsockopt_int(fd, SOL_TCP, TCP_KEEPCNT, s->keep_alive_cnt);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "TCP_KEEPCNT failed: %m");
}
if (s->defer_accept > 0) {
- int value = s->defer_accept / USEC_PER_SEC;
- if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
+ r = setsockopt_int(fd, SOL_TCP, TCP_DEFER_ACCEPT, s->defer_accept / USEC_PER_SEC);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "TCP_DEFER_ACCEPT failed: %m");
}
if (s->no_delay) {
- int one = 1;
-
if (s->socket_protocol == IPPROTO_SCTP) {
- if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
+ r = setsockopt_int(fd, SOL_SCTP, SCTP_NODELAY, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SCTP_NODELAY failed: %m");
} else {
- if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
+ r = setsockopt_int(fd, SOL_TCP, TCP_NODELAY, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "TCP_NODELAY failed: %m");
}
}
if (s->broadcast) {
- int one = 1;
- if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
+ r = setsockopt_int(fd, SOL_SOCKET, SO_BROADCAST, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_BROADCAST failed: %m");
}
if (s->pass_cred) {
- int one = 1;
- if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
+ r = setsockopt_int(fd, SOL_SOCKET, SO_PASSCRED, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_PASSCRED failed: %m");
}
if (s->pass_sec) {
- int one = 1;
- if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
+ r = setsockopt_int(fd, SOL_SOCKET, SO_PASSSEC, true);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_PASSSEC failed: %m");
}
- if (s->priority >= 0)
- if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
+ if (s->priority >= 0) {
+ r = setsockopt_int(fd, SOL_SOCKET, SO_PRIORITY, s->priority);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_PRIORITY failed: %m");
+ }
if (s->receive_buffer > 0) {
- int value = (int) s->receive_buffer;
-
/* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
- if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
- if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
+ if (setsockopt_int(fd, SOL_SOCKET, SO_RCVBUFFORCE, s->receive_buffer) < 0) {
+ r = setsockopt_int(fd, SOL_SOCKET, SO_RCVBUF, s->receive_buffer);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_RCVBUF failed: %m");
+ }
}
if (s->send_buffer > 0) {
- int value = (int) s->send_buffer;
- if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
- if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
+ if (setsockopt_int(fd, SOL_SOCKET, SO_SNDBUFFORCE, s->send_buffer) < 0) {
+ r = setsockopt_int(fd, SOL_SOCKET, SO_SNDBUF, s->send_buffer);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_SNDBUF failed: %m");
+ }
}
- if (s->mark >= 0)
- if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
+ if (s->mark >= 0) {
+ r = setsockopt_int(fd, SOL_SOCKET, SO_MARK, s->mark);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "SO_MARK failed: %m");
+ }
- if (s->ip_tos >= 0)
- if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
- log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
+ if (s->ip_tos >= 0) {
+ r = setsockopt_int(fd, IPPROTO_IP, IP_TOS, s->ip_tos);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "IP_TOS failed: %m");
+ }
if (s->ip_ttl >= 0) {
int x;
- r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
+ r = setsockopt_int(fd, IPPROTO_IP, IP_TTL, s->ip_ttl);
if (socket_ipv6_is_supported())
- x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
- else {
- x = -1;
- errno = EAFNOSUPPORT;
- }
+ x = setsockopt_int(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, s->ip_ttl);
+ else
+ x = -EAFNOSUPPORT;
if (r < 0 && x < 0)
- log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
+ log_unit_warning_errno(UNIT(s), r, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
}
if (s->tcp_congestion)
label);
}
+#define log_address_error_errno(u, address, error, fmt) \
+ ({ \
+ _cleanup_free_ char *_t = NULL; \
+ \
+ (void) socket_address_print(address, &_t); \
+ log_unit_error_errno(u, error, fmt, strna(_t)); \
+ })
+
+static int fork_needed(const SocketAddress *address, const ExecContext *context) {
+ int r;
+
+ assert(address);
+ assert(context);
+
+ /* Check if we need to do the cgroup or netns stuff. If not we can do things much simpler. */
+
+ if (IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6)) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r != BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
+ return true;
+ }
+
+ return context->private_network || context->network_namespace_path;
+}
+
static int socket_address_listen_in_cgroup(
Socket *s,
const SocketAddress *address,
assert(s);
assert(address);
- /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
- * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
- * unit's cgroup for the purpose of BPF filtering and such. */
-
- if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
- goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
+ /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the
+ * socket's cgroup and network namespace in which the socket is actually created. This way we ensure
+ * the socket is actually properly attached to the unit's cgroup for the purpose of BPF filtering and
+ * such. */
- r = bpf_firewall_supported();
+ r = fork_needed(address, &s->exec_context);
if (r < 0)
return r;
- if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
- goto shortcut;
+ if (r == 0) {
+ /* Shortcut things... */
+ fd = socket_address_listen_do(s, address, label);
+ if (fd < 0)
+ return log_address_error_errno(UNIT(s), address, fd, "Failed to create listening socket (%s): %m");
+
+ return fd;
+ }
+
+ r = unit_setup_exec_runtime(UNIT(s));
+ if (r < 0)
+ return log_unit_error_errno(UNIT(s), r, "Failed acquire runtime: %m");
+
+ if (s->exec_context.network_namespace_path &&
+ s->exec_runtime &&
+ s->exec_runtime->netns_storage_socket[0] >= 0) {
+ r = open_netns_path(s->exec_runtime->netns_storage_socket, s->exec_context.network_namespace_path);
+ if (r < 0)
+ return log_unit_error_errno(UNIT(s), r, "Failed to open network namespace path %s: %m", s->exec_context.network_namespace_path);
+ }
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
pair[0] = safe_close(pair[0]);
+ if ((s->exec_context.private_network || s->exec_context.network_namespace_path) &&
+ s->exec_runtime &&
+ s->exec_runtime->netns_storage_socket[0] >= 0) {
+
+ if (ns_type_supported(NAMESPACE_NET)) {
+ r = setup_netns(s->exec_runtime->netns_storage_socket);
+ if (r < 0) {
+ log_unit_error_errno(UNIT(s), r, "Failed to join network namespace: %m");
+ _exit(EXIT_NETWORK);
+ }
+ } else if (s->exec_context.network_namespace_path) {
+ log_unit_error(UNIT(s), "Network namespace path configured but network namespaces not supported.");
+ _exit(EXIT_NETWORK);
+ } else
+ log_unit_warning(UNIT(s), "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
+ }
+
fd = socket_address_listen_do(s, address, label);
if (fd < 0) {
- log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
+ log_address_error_errno(UNIT(s), address, fd, "Failed to create listening socket (%s): %m");
_exit(EXIT_FAILURE);
}
r = send_one_fd(pair[1], fd, 0);
if (r < 0) {
- log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
+ log_address_error_errno(UNIT(s), address, r, "Failed to send listening socket (%s) to parent: %m");
_exit(EXIT_FAILURE);
}
}
if (fd < 0)
- return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
-
- return fd;
-
-shortcut:
- fd = socket_address_listen_do(s, address, label);
- if (fd < 0)
- return log_error_errno(fd, "Failed to create listening socket: %m");
+ return log_address_error_errno(UNIT(s), address, fd, "Failed to receive listening socket (%s): %m");
return fd;
}
-static int socket_open_fds(Socket *s) {
+DEFINE_TRIVIAL_CLEANUP_FUNC(Socket *, socket_close_fds);
+
+static int socket_open_fds(Socket *_s) {
+ _cleanup_(socket_close_fdsp) Socket *s = _s;
_cleanup_(mac_selinux_freep) char *label = NULL;
bool know_label = false;
SocketPort *p;
r = socket_determine_selinux_label(s, &label);
if (r < 0)
- goto rollback;
+ return log_unit_error_errno(UNIT(s), r, "Failed to determine SELinux label: %m");
know_label = true;
}
break;
}
- r = socket_address_listen_in_cgroup(s, &p->address, label);
- if (r < 0)
- goto rollback;
+ p->fd = socket_address_listen_in_cgroup(s, &p->address, label);
+ if (p->fd < 0)
+ return p->fd;
- p->fd = r;
socket_apply_socket_options(s, p->fd);
socket_symlink(s);
break;
case SOCKET_SPECIAL:
p->fd = special_address_create(p->path, s->writable);
- if (p->fd < 0) {
- r = p->fd;
- goto rollback;
- }
+ if (p->fd < 0)
+ return log_unit_error_errno(UNIT(s), p->fd, "Failed to open special file %s: %m", p->path);
break;
case SOCKET_FIFO:
p->path,
s->directory_mode,
s->socket_mode);
- if (p->fd < 0) {
- r = p->fd;
- goto rollback;
- }
+ if (p->fd < 0)
+ return log_unit_error_errno(UNIT(s), p->fd, "Failed to open FIFO %s: %m", p->path);
socket_apply_fifo_options(s, p->fd);
socket_symlink(s);
s->socket_mode,
s->mq_maxmsg,
s->mq_msgsize);
- if (p->fd < 0) {
- r = p->fd;
- goto rollback;
- }
+ if (p->fd < 0)
+ return log_unit_error_errno(UNIT(s), p->fd, "Failed to open message queue %s: %m", p->path);
break;
case SOCKET_USB_FUNCTION: {
ep = path_make_absolute("ep0", p->path);
p->fd = usbffs_address_create(ep);
- if (p->fd < 0) {
- r = p->fd;
- goto rollback;
- }
+ if (p->fd < 0)
+ return p->fd;
r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
if (r < 0)
- goto rollback;
+ return r;
r = usbffs_dispatch_eps(p);
if (r < 0)
- goto rollback;
+ return r;
break;
}
}
}
+ s = NULL;
return 0;
-
-rollback:
- socket_close_fds(s);
- return r;
}
static void socket_unwatch_fds(Socket *s) {
SocketState old_state;
assert(s);
+ if (s->state != state)
+ bus_unit_send_pending_change_signal(UNIT(s), false);
+
old_state = s->state;
s->state = state;
static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
- ExecParameters exec_params = {
+ _cleanup_(exec_params_clear) ExecParameters exec_params = {
.flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
.stdin_fd = -1,
.stdout_fd = -1,
if (r < 0)
return r;
- unit_set_exec_params(UNIT(s), &exec_params);
+ r = unit_set_exec_params(UNIT(s), &exec_params);
+ if (r < 0)
+ return r;
r = exec_spawn(UNIT(s),
c,
if (s->result == SOCKET_SUCCESS)
s->result = f;
- if (s->result != SOCKET_SUCCESS)
- log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
+ if (s->result == SOCKET_SUCCESS)
+ unit_log_success(UNIT(s));
+ else
+ unit_log_failure(UNIT(s), socket_result_to_string(s->result));
socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
assert(f);
assert(fds);
- unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
- unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
- unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
- unit_serialize_item_format(u, f, "n-refused", "%u", s->n_refused);
+ (void) serialize_item(f, "state", socket_state_to_string(s->state));
+ (void) serialize_item(f, "result", socket_result_to_string(s->result));
+ (void) serialize_item_format(f, "n-accepted", "%u", s->n_accepted);
+ (void) serialize_item_format(f, "n-refused", "%u", s->n_refused);
if (s->control_pid > 0)
- unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
+ (void) serialize_item_format(f, "control-pid", PID_FMT, s->control_pid);
if (s->control_command_id >= 0)
- unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
+ (void) serialize_item(f, "control-command", socket_exec_command_to_string(s->control_command_id));
LIST_FOREACH(port, p, s->ports) {
int copy;
copy = fdset_put_dup(fds, p->fd);
if (copy < 0)
- return copy;
+ return log_unit_warning_errno(u, copy, "Failed to serialize socket fd: %m");
if (p->type == SOCKET_SOCKET) {
_cleanup_free_ char *t = NULL;
r = socket_address_print(&p->address, &t);
if (r < 0)
- return r;
+ return log_unit_error_errno(u, r, "Failed to format socket address: %m");
if (socket_address_family(&p->address) == AF_NETLINK)
- unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
+ (void) serialize_item_format(f, "netlink", "%i %s", copy, t);
else
- unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
-
+ (void) serialize_item_format(f, "socket", "%i %i %s", copy, p->address.type, t);
} else if (p->type == SOCKET_SPECIAL)
- unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
+ (void) serialize_item_format(f, "special", "%i %s", copy, p->path);
else if (p->type == SOCKET_MQUEUE)
- unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
+ (void) serialize_item_format(f, "mqueue", "%i %s", copy, p->path);
else if (p->type == SOCKET_USB_FUNCTION)
- unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
+ (void) serialize_item_format(f, "ffs", "%i %s", copy, p->path);
else {
assert(p->type == SOCKET_FIFO);
- unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
+ (void) serialize_item_format(f, "fifo", "%i %s", copy, p->path);
}
}
}
static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
+ assert(p);
+
safe_close(p->fd);
p->fd = fdset_remove(fds, fd);
}
f = SOCKET_SUCCESS;
}
- log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
- "Control process exited, code=%s status=%i",
- sigchld_code_to_string(code), status);
+ unit_log_process_exit(
+ u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE,
+ "Control process",
+ socket_exec_command_to_string(s->control_command_id),
+ code, status);
if (s->result == SOCKET_SUCCESS)
s->result = f;