[thirdparty/systemd.git] / src / basic / socket-label.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "log.h"
#include "macro.h"
#include "missing.h"
#include "mkdir.h"
#include "selinux-util.h"
#include "socket-util.h"
#include "umask-util.h"

int socket_address_listen(
                const SocketAddress *a,
                int flags,
                int backlog,
                SocketAddressBindIPv6Only only,
                const char *bind_to_device,
                bool reuse_port,
                bool free_bind,
                bool transparent,
                mode_t directory_mode,
                mode_t socket_mode,
                const char *label) {

        _cleanup_close_ int fd = -1;
        int r, one;

        assert(a);

        r = socket_address_verify(a);
        if (r < 0)
                return r;

        if (socket_address_family(a) == AF_INET6 && !socket_ipv6_is_supported())
                return -EAFNOSUPPORT;

        if (label) {
                r = mac_selinux_create_socket_prepare(label);
                if (r < 0)
                        return r;
        }

        fd = socket(socket_address_family(a), a->type | flags, a->protocol);
        r = fd < 0 ? -errno : 0;

        if (label)
                mac_selinux_create_socket_clear();

        if (r < 0)
                return r;

        if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
                int flag = only == SOCKET_ADDRESS_IPV6_ONLY;

                if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &flag, sizeof(flag)) < 0)
                        return -errno;
        }

        if (IN_SET(socket_address_family(a), AF_INET, AF_INET6)) {
                if (bind_to_device)
                        if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, bind_to_device, strlen(bind_to_device)+1) < 0)
                                return -errno;

                if (reuse_port) {
                        one = 1;
                        if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
                                log_warning_errno(errno, "SO_REUSEPORT failed: %m");
                }

                if (free_bind) {
                        one = 1;
                        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
                                log_warning_errno(errno, "IP_FREEBIND failed: %m");
                }

                if (transparent) {
                        one = 1;
                        if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
                                log_warning_errno(errno, "IP_TRANSPARENT failed: %m");
                }
        }

        one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
                return -errno;

        if (socket_address_family(a) == AF_UNIX && a->sockaddr.un.sun_path[0] != 0) {
                /* Create parents */
                (void) mkdir_parents_label(a->sockaddr.un.sun_path, directory_mode);

                /* Enforce the right access mode for the socket */
                RUN_WITH_UMASK(~socket_mode) {
                        r = mac_selinux_bind(fd, &a->sockaddr.sa, a->size);
                        if (r == -EADDRINUSE) {
                                /* Unlink and try again */
                                unlink(a->sockaddr.un.sun_path);
                                if (bind(fd, &a->sockaddr.sa, a->size) < 0)
                                        return -errno;
                        } else if (r < 0)
                                return r;
                }
        } else {
                if (bind(fd, &a->sockaddr.sa, a->size) < 0)
                        return -errno;
        }

        if (socket_address_can_accept(a))
                if (listen(fd, backlog) < 0)
                        return -errno;

        r = fd;
        fd = -1;

        return r;
}

int make_socket_fd(int log_level, const char* address, int type, int flags) {
        SocketAddress a;
        int fd, r;

        r = socket_address_parse(&a, address);
        if (r < 0)
                return log_error_errno(r, "Failed to parse socket address \"%s\": %m", address);

        a.type = type;

        fd = socket_address_listen(&a, type | flags, SOMAXCONN, SOCKET_ADDRESS_DEFAULT,
                                   NULL, false, false, false, 0755, 0644, NULL);
        if (fd < 0 || log_get_max_level() >= log_level) {
                _cleanup_free_ char *p = NULL;

                r = socket_address_print(&a, &p);
                if (r < 0)
                        return log_error_errno(r, "socket_address_print(): %m");

                if (fd < 0)
                        log_error_errno(fd, "Failed to listen on %s: %m", p);
                else
                        log_full(log_level, "Listening on %s", p);
        }

        return fd;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
cc527a47 KS	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	8	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	9	the Free Software Foundation; either version 2.1 of the License, or
cc527a47 KS	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	15	Lesser General Public License for more details.
cc527a47	16
5430f7f2	17	You should have received a copy of the GNU Lesser General Public License
cc527a47 KS	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
cc527a47	21	#include <errno.h>
11c3a366 TA	22	#include <netinet/in.h>
11c3a366 TA	23	#include <stdbool.h>
cc527a47	24	#include <stddef.h>
3ffd4af2	25	#include <string.h>
11c3a366	26	#include <sys/socket.h>
11c3a366	27	#include <sys/un.h>
3ffd4af2	28	#include <unistd.h>
cc527a47	29
b5efdb8a	30	#include "alloc-util.h"
3ffd4af2	31	#include "fd-util.h"
93cc7779	32	#include "log.h"
cc527a47	33	#include "macro.h"
cc527a47	34	#include "missing.h"
3ffd4af2	35	#include "mkdir.h"
d7b8eec7 LP	36	#include "selinux-util.h"
d7b8eec7 LP	37	#include "socket-util.h"
825546ef	38	#include "umask-util.h"
cc527a47 KS	39
	40	int socket_address_listen(
	41	const SocketAddress *a,
175a3d25	42	int flags,
cc527a47 KS	43	int backlog,
	44	SocketAddressBindIPv6Only only,
	45	const char *bind_to_device,
54255c64	46	bool reuse_port,
cc527a47 KS	47	bool free_bind,
	48	bool transparent,
	49	mode_t directory_mode,
	50	mode_t socket_mode,
175a3d25 LP	51	const char *label) {
	52
	53	_cleanup_close_ int fd = -1;
	54	int r, one;
cc527a47	55
cc527a47	56	assert(a);
cc527a47	57
175a3d25 LP	58	r = socket_address_verify(a);
175a3d25 LP	59	if (r < 0)
cc527a47 KS	60	return r;
	61
	62	if (socket_address_family(a) == AF_INET6 && !socket_ipv6_is_supported())
	63	return -EAFNOSUPPORT;
	64
175a3d25	65	if (label) {
ecabcf8b	66	r = mac_selinux_create_socket_prepare(label);
175a3d25 LP	67	if (r < 0)
	68	return r;
	69	}
cc527a47	70
175a3d25	71	fd = socket(socket_address_family(a), a->type \| flags, a->protocol);
cc527a47 KS	72	r = fd < 0 ? -errno : 0;
cc527a47 KS	73
175a3d25	74	if (label)
ecabcf8b	75	mac_selinux_create_socket_clear();
cc527a47 KS	76
	77	if (r < 0)
	78	return r;
	79
	80	if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
	81	int flag = only == SOCKET_ADDRESS_IPV6_ONLY;
	82
	83	if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &flag, sizeof(flag)) < 0)
175a3d25	84	return -errno;
cc527a47 KS	85	}
cc527a47 KS	86
5ed272cf	87	if (IN_SET(socket_address_family(a), AF_INET, AF_INET6)) {
cc527a47 KS	88	if (bind_to_device)
cc527a47 KS	89	if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, bind_to_device, strlen(bind_to_device)+1) < 0)
175a3d25	90	return -errno;
cc527a47	91
54255c64 CT	92	if (reuse_port) {
	93	one = 1;
	94	if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
	95	log_warning_errno(errno, "SO_REUSEPORT failed: %m");
	96	}
	97
cc527a47 KS	98	if (free_bind) {
	99	one = 1;
	100	if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
56f64d95	101	log_warning_errno(errno, "IP_FREEBIND failed: %m");
cc527a47 KS	102	}
	103
	104	if (transparent) {
	105	one = 1;
	106	if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
56f64d95	107	log_warning_errno(errno, "IP_TRANSPARENT failed: %m");
cc527a47 KS	108	}
	109	}
	110
	111	one = 1;
	112	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
175a3d25	113	return -errno;
cc527a47 KS	114
cc527a47 KS	115	if (socket_address_family(a) == AF_UNIX && a->sockaddr.un.sun_path[0] != 0) {
cc527a47	116	/* Create parents */
825546ef	117	(void) mkdir_parents_label(a->sockaddr.un.sun_path, directory_mode);
cc527a47	118
175a3d25	119	/* Enforce the right access mode for the socket */
825546ef ZJS	120	RUN_WITH_UMASK(~socket_mode) {
	121	r = mac_selinux_bind(fd, &a->sockaddr.sa, a->size);
	122	if (r == -EADDRINUSE) {
	123	/* Unlink and try again */
	124	unlink(a->sockaddr.un.sun_path);
	125	if (bind(fd, &a->sockaddr.sa, a->size) < 0)
	126	return -errno;
	127	} else if (r < 0)
	128	return r;
cc527a47	129	}
825546ef ZJS	130	} else {
	131	if (bind(fd, &a->sockaddr.sa, a->size) < 0)
	132	return -errno;
	133	}
cc527a47 KS	134
	135	if (socket_address_can_accept(a))
	136	if (listen(fd, backlog) < 0)
175a3d25	137	return -errno;
cc527a47	138
175a3d25 LP	139	r = fd;
175a3d25 LP	140	fd = -1;
cc527a47	141
cc527a47 KS	142	return r;
cc527a47 KS	143	}
e0aa3726	144
7b7afdfc	145	int make_socket_fd(int log_level, const char* address, int type, int flags) {
e0aa3726 ZJS	146	SocketAddress a;
	147	int fd, r;
	148
	149	r = socket_address_parse(&a, address);
e53fc357 LP	150	if (r < 0)
e53fc357 LP	151	return log_error_errno(r, "Failed to parse socket address \"%s\": %m", address);
e0aa3726	152
7b7afdfc SS	153	a.type = type;
	154
	155	fd = socket_address_listen(&a, type \| flags, SOMAXCONN, SOCKET_ADDRESS_DEFAULT,
54255c64	156	NULL, false, false, false, 0755, 0644, NULL);
e0aa3726	157	if (fd < 0 \|\| log_get_max_level() >= log_level) {
c8b32e11	158	_cleanup_free_ char *p = NULL;
e0aa3726 ZJS	159
e0aa3726 ZJS	160	r = socket_address_print(&a, &p);
f647962d MS	161	if (r < 0)
f647962d MS	162	return log_error_errno(r, "socket_address_print(): %m");
e0aa3726 ZJS	163
e0aa3726 ZJS	164	if (fd < 0)
da927ba9	165	log_error_errno(fd, "Failed to listen on %s: %m", p);
e0aa3726 ZJS	166	else
	167	log_full(log_level, "Listening on %s", p);
	168	}
	169
	170	return fd;
	171	}