]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/socket.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wide: use TAKE_PTR() and TAKE_FD() macros
[thirdparty/systemd.git] / src / core / socket.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09
LP		 2/***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 15 Lesser General Public License for more details.
a7334b09 16
5430f7f2 17 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19***/
20
e8da24a6 21#include <arpa/inet.h>
83c60c9f
LP		 22#include <errno.h>
23#include <fcntl.h>
916abb21 24#include <mqueue.h>
e8da24a6
LP		 25#include <netinet/tcp.h>
26#include <signal.h>
27#include <sys/epoll.h>
28#include <sys/stat.h>
29#include <unistd.h>
62bc4efc 30#include <linux/sctp.h>
83c60c9f 31
b5efdb8a 32#include "alloc-util.h"
a79279c7 33#include "bpf-firewall.h"
e8da24a6
LP		 34#include "bus-error.h"
35#include "bus-util.h"
36#include "copy.h"
37#include "dbus-socket.h"
38#include "def.h"
39#include "exit-status.h"
3ffd4af2 40#include "fd-util.h"
f97b34a6 41#include "format-util.h"
95f7fbbf 42#include "fs-util.h"
a79279c7 43#include "in-addr-util.h"
60d9771c 44#include "io-util.h"
e8da24a6 45#include "label.h"
83c60c9f 46#include "log.h"
e8da24a6 47#include "missing.h"
49e942b2 48#include "mkdir.h"
6bedfcbb 49#include "parse-util.h"
9eb977db 50#include "path-util.h"
7b3e062c 51#include "process-util.h"
d7b8eec7 52#include "selinux-util.h"
24882e06 53#include "signal-util.h"
e8da24a6 54#include "smack-util.h"
24882e06 55#include "socket.h"
e045e325 56#include "socket-protocol-list.h"
e8da24a6 57#include "special.h"
8b43440b 58#include "string-table.h"
07630cea 59#include "string-util.h"
e8da24a6
LP		 60#include "strv.h"
61#include "unit-name.h"
e8da24a6 62#include "unit.h"
b1d4f8e1 63#include "user-util.h"
83c60c9f 64
166cf510
ZJS		 65struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
41733ae1 70 socklen_t peer_salen;
166cf510
ZJS		 71};
72
acbb0225 73static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
87f0e418
LP		 74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
3900e5fd 76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
87f0e418
LP		 77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
80876c20
LP		 84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
fdf20a31 86 [SOCKET_FAILED] = UNIT_FAILED
83c60c9f 87};
5cb5a6ff 88
718db961
LP		 89static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
a16e1123
LP		 92static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
ac155bb8 96 assert(u->load_state == UNIT_STUB);
a16e1123 97
a16e1123 98 s->backlog = SOMAXCONN;
1f19a534 99 s->timeout_usec = u->manager->default_timeout_start_usec;
a16e1123 100 s->directory_mode = 0755;
9131f660 101 s->socket_mode = 0666;
a16e1123 102
6cf6bbc2
LP		 103 s->max_connections = 64;
104
4fd5948e 105 s->priority = -1;
4fd5948e
LP		 106 s->ip_tos = -1;
107 s->ip_ttl = -1;
4fd5948e 108 s->mark = -1;
4fd5948e 109
ac155bb8
MS		 110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
085afe36 112
a16e1123 113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
8b26cdbd 114
1f15ce28
LP		 115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
a16e1123 117}
acbb0225 118
5e94833f
LP		 119static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127}
128
15087cdb 129static void socket_cleanup_fd_list(SocketPort *p) {
3ffd4af2 130 assert(p);
15087cdb 131
3ffd4af2 132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
15087cdb
PS		 133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135}
136
74051b9b 137void socket_free_ports(Socket *s) {
034c6ed7
LP		 138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
71fda00f 143 LIST_REMOVE(port, s->ports, p);
034c6ed7 144
718db961
LP		 145 sd_event_source_unref(p->event_source);
146
15087cdb 147 socket_cleanup_fd_list(p);
03e334a1 148 safe_close(p->fd);
034c6ed7
LP		 149 free(p->path);
150 free(p);
151 }
74051b9b
LP		 152}
153
154static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
9d565427 156 SocketPeer *p;
74051b9b
LP		 157
158 assert(s);
159
160 socket_free_ports(s);
034c6ed7 161
9a73653c 162 while ((p = set_steal_first(s->peers_by_address)))
9d565427
SS		 163 p->socket = NULL;
164
9a73653c 165 s->peers_by_address = set_free(s->peers_by_address);
9d565427 166
e8a565cb 167 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
e537352b 168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
034c6ed7
LP		 169 s->control_command = NULL;
170
29206d46
LP		 171 dynamic_creds_unref(&s->dynamic_creds);
172
5e94833f 173 socket_unwatch_control_pid(s);
034c6ed7 174
57020a3a 175 unit_ref_unset(&s->service);
034c6ed7 176
a1e58e8e
LP		 177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
acbb0225 179
0a78712e
DM		 180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
0eb59ccf 183
811ba7a0
LP		 184 strv_free(s->symlinks);
185
0a78712e
DM		 186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
3900e5fd 188
a97b23d6
DM		 189 s->fdname = mfree(s->fdname);
190
718db961
LP		 191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192}
193
36c16a7c 194static int socket_arm_timer(Socket *s, usec_t usec) {
718db961
LP		 195 int r;
196
197 assert(s);
198
718db961 199 if (s->timer_event_source) {
36c16a7c 200 r = sd_event_source_set_time(s->timer_event_source, usec);
718db961
LP		 201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
36c16a7c
LP		 207 if (usec == USEC_INFINITY)
208 return 0;
209
7dfbe2e3 210 r = sd_event_add_time(
6a0f1f6d
LP		 211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
36c16a7c 214 usec, 0,
6a0f1f6d 215 socket_dispatch_timer, s);
7dfbe2e3
TG		 216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
5cb5a6ff
LP		 222}
223
8b835fcc
ZJS		 224int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
b15bdda8
LP		 226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
7410616c 236 if (UNIT_DEREF(s->service))
b15bdda8
LP		 237 return 0;
238
7410616c
LP		 239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
b15bdda8 245
315db1a8 246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
b15bdda8
LP		 247 return -ENOMEM;
248
1124fe6f 249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
b15bdda8
LP		 250 if (r < 0)
251 return r;
252
7f7d01ed 253 unit_ref_set(&s->service, UNIT(s), u);
57020a3a 254
eef85c4a 255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
b15bdda8
LP		 256}
257
4f2d528d
LP		 258static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
dd5ad9d4
LP		 266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
4f2d528d
LP		 271 if (!socket_address_can_accept(&p->address))
272 return true;
dd5ad9d4 273 }
4f2d528d
LP		 274
275 return false;
276}
277
eef85c4a 278static int socket_add_mount_dependencies(Socket *s) {
6e2ef85b 279 SocketPort *p;
6e2ef85b
LP		 280 int r;
281
282 assert(s);
6e2ef85b 283
a57f7e2c
LP		 284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
6e2ef85b 286
a57f7e2c
LP		 287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
60252446 289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
a57f7e2c 290 path = p->path;
6e2ef85b 291
a57f7e2c
LP		 292 if (!path)
293 continue;
6e2ef85b 294
eef85c4a 295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
b87705cd 296 if (r < 0)
6e2ef85b 297 return r;
b87705cd 298 }
6e2ef85b
LP		 299
300 return 0;
301}
302
eef85c4a 303static int socket_add_device_dependencies(Socket *s) {
6e2ef85b 304 char *t;
6e2ef85b
LP		 305
306 assert(s);
307
7d0c710d 308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
6e2ef85b
LP		 309 return 0;
310
63c372cb 311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
eef85c4a 312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
6e2ef85b
LP		 313}
314
a40eb732
LP		 315static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
4c9ea260
LP		 319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
eef85c4a 322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721
LP		 323 if (r < 0)
324 return r;
2a77d31d 325
463d0d15 326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
eef85c4a 327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721 328 if (r < 0)
a40eb732 329 return r;
2a77d31d 330 }
a40eb732 331
eef85c4a 332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
a40eb732
LP		 333}
334
44a6b1b6 335_pure_ static bool socket_has_exec(Socket *s) {
4cfc6dbe
LP		 336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344}
345
e821075a
LP		 346static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
e537352b 348 int r;
44d8db9e 349
e821075a 350 assert(s);
57020a3a 351
1f15ce28
LP		 352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
e821075a 371 if (have_non_accept_socket(s)) {
23a177ef 372
e821075a
LP		 373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
57020a3a 375
e821075a 376 r = unit_load_related_unit(u, ".service", &x);
57020a3a 377 if (r < 0)
4f2d528d 378 return r;
e821075a 379
7f7d01ed 380 unit_ref_set(&s->service, u, x);
4f2d528d 381 }
44d8db9e 382
eef85c4a 383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
e821075a 384 if (r < 0)
6e2ef85b 385 return r;
e821075a 386 }
6e2ef85b 387
eef85c4a 388 r = socket_add_mount_dependencies(s);
e821075a
LP		 389 if (r < 0)
390 return r;
6e2ef85b 391
eef85c4a 392 r = socket_add_device_dependencies(s);
e821075a
LP		 393 if (r < 0)
394 return r;
395
598459ce 396 r = unit_patch_contexts(u);
e821075a
LP		 397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
e821075a 404 }
a016b922 405
88af31f9
LP		 406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
4c9ea260
LP		 410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
e821075a
LP		 413
414 return 0;
415}
416
811ba7a0
LP		 417static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
b9495e8d 431 f = socket_address_get_path(&p->address);
811ba7a0
LP		 432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447}
448
e821075a
LP		 449static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
da3bddc9 456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
e821075a
LP		 457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
f2341e0a 461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
e821075a
LP		 462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
f2341e0a 466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
e821075a
LP		 467 return -EINVAL;
468 }
e06c73cc 469
e821075a 470 if (s->accept && UNIT_DEREF(s->service)) {
f2341e0a 471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
e821075a
LP		 472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
f2341e0a 476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
e821075a
LP		 477 return -EINVAL;
478 }
479
811ba7a0 480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
f2341e0a 481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
811ba7a0
LP		 482 return -EINVAL;
483 }
484
e821075a
LP		 485 return 0;
486}
487
9d565427
SS		 488static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
41733ae1 495 else if (s->peer.sa.sa_family == AF_INET6)
9d565427 496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
359a5bcf
SH		 497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
41733ae1
LP		 499 else
500 assert_not_reached("Unknown address family.");
9d565427
SS		 501}
502
503static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
359a5bcf
SH		 516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
9d565427 522 }
166cf510 523 assert_not_reached("Black sheep in the family!");
9d565427
SS		 524}
525
526const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529};
530
e821075a
LP		 531static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
9a73653c 538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
9d565427
SS		 539 if (r < 0)
540 return r;
541
e821075a
LP		 542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
e06c73cc
LP		 549 if (r < 0)
550 return r;
23a177ef
LP		 551 }
552
4f2d528d 553 return socket_verify(s);
44d8db9e
LP		 554}
555
166cf510
ZJS		 556static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566}
567
568SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576}
577
578SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593}
594
3ebcd323 595int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
166cf510
ZJS		 596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
359a5bcf 608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
166cf510
ZJS		 609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
41733ae1 624 remote->peer_salen = salen;
166cf510
ZJS		 625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
1cc6c93a 632 *p = TAKE_PTR(remote);
166cf510
ZJS		 633
634 return 1;
635}
636
44a6b1b6 637_const_ static const char* listen_lookup(int family, int type) {
7a22745a
LP		 638
639 if (family == AF_NETLINK)
640 return "ListenNetlink";
542563ba
LP		 641
642 if (type == SOCK_STREAM)
643 return "ListenStream";
644 else if (type == SOCK_DGRAM)
645 return "ListenDatagram";
646 else if (type == SOCK_SEQPACKET)
647 return "ListenSequentialPacket";
648
034c6ed7 649 assert_not_reached("Unknown socket type");
542563ba
LP		 650 return NULL;
651}
652
87f0e418 653static void socket_dump(Unit *u, FILE *f, const char *prefix) {
209e9dcd 654 char time_string[FORMAT_TIMESPAN_MAX];
5cb5a6ff 655 SocketExecCommand c;
87f0e418 656 Socket *s = SOCKET(u);
542563ba 657 SocketPort *p;
827d9bf2 658 const char *prefix2, *str;
5cb5a6ff
LP		 659
660 assert(s);
fa068367 661 assert(f);
5cb5a6ff 662
4c940960 663 prefix = strempty(prefix);
63c372cb 664 prefix2 = strjoina(prefix, "\t");
c43d20a0 665
5cb5a6ff
LP		 666 fprintf(f,
667 "%sSocket State: %s\n"
81a5c6d0 668 "%sResult: %s\n"
542563ba 669 "%sBindIPv6Only: %s\n"
b5a0699f
LP		 670 "%sBacklog: %u\n"
671 "%sSocketMode: %04o\n"
4fd5948e
LP		 672 "%sDirectoryMode: %04o\n"
673 "%sKeepAlive: %s\n"
4427c3f4 674 "%sNoDelay: %s\n"
cebf8b20 675 "%sFreeBind: %s\n"
6b6d2dee 676 "%sTransparent: %s\n"
ec6370a2 677 "%sBroadcast: %s\n"
ede3deb4 678 "%sPassCredentials: %s\n"
54ecda32 679 "%sPassSecurity: %s\n"
bd1fe7c7 680 "%sTCPCongestion: %s\n"
16115b0a 681 "%sRemoveOnStop: %s\n"
55301ec0 682 "%sWritable: %s\n"
827d9bf2 683 "%sFileDescriptorName: %s\n"
16115b0a 684 "%sSELinuxContextFromNet: %s\n",
a16e1123 685 prefix, socket_state_to_string(s->state),
81a5c6d0 686 prefix, socket_result_to_string(s->result),
c0120d99 687 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
b5a0699f
LP		 688 prefix, s->backlog,
689 prefix, s->socket_mode,
4fd5948e
LP		 690 prefix, s->directory_mode,
691 prefix, yes_no(s->keep_alive),
4427c3f4 692 prefix, yes_no(s->no_delay),
cebf8b20 693 prefix, yes_no(s->free_bind),
6b6d2dee 694 prefix, yes_no(s->transparent),
ec6370a2 695 prefix, yes_no(s->broadcast),
d68af586 696 prefix, yes_no(s->pass_cred),
54ecda32 697 prefix, yes_no(s->pass_sec),
bd1fe7c7 698 prefix, strna(s->tcp_congestion),
16115b0a 699 prefix, yes_no(s->remove_on_stop),
55301ec0 700 prefix, yes_no(s->writable),
8dd4c05b 701 prefix, socket_fdname(s),
16115b0a 702 prefix, yes_no(s->selinux_context_from_net));
542563ba 703
70123e68
LP		 704 if (s->control_pid > 0)
705 fprintf(f,
de0671ee
ZJS		 706 "%sControl PID: "PID_FMT"\n",
707 prefix, s->control_pid);
70123e68 708
acbb0225
LP		 709 if (s->bind_to_device)
710 fprintf(f,
711 "%sBindToDevice: %s\n",
712 prefix, s->bind_to_device);
713
4f2d528d
LP		 714 if (s->accept)
715 fprintf(f,
6cf6bbc2
LP		 716 "%sAccepted: %u\n"
717 "%sNConnections: %u\n"
827d9bf2
YW		 718 "%sMaxConnections: %u\n"
719 "%sMaxConnectionsPerSource: %u\n",
6cf6bbc2
LP		 720 prefix, s->n_accepted,
721 prefix, s->n_connections,
827d9bf2
YW		 722 prefix, s->max_connections,
723 prefix, s->max_connections_per_source);
4f2d528d 724
4fd5948e
LP		 725 if (s->priority >= 0)
726 fprintf(f,
727 "%sPriority: %i\n",
728 prefix, s->priority);
729
730 if (s->receive_buffer > 0)
731 fprintf(f,
732 "%sReceiveBuffer: %zu\n",
733 prefix, s->receive_buffer);
734
735 if (s->send_buffer > 0)
736 fprintf(f,
737 "%sSendBuffer: %zu\n",
738 prefix, s->send_buffer);
739
740 if (s->ip_tos >= 0)
741 fprintf(f,
742 "%sIPTOS: %i\n",
743 prefix, s->ip_tos);
744
745 if (s->ip_ttl >= 0)
746 fprintf(f,
747 "%sIPTTL: %i\n",
748 prefix, s->ip_ttl);
749
750 if (s->pipe_size > 0)
751 fprintf(f,
752 "%sPipeSize: %zu\n",
753 prefix, s->pipe_size);
754
755 if (s->mark >= 0)
756 fprintf(f,
757 "%sMark: %i\n",
758 prefix, s->mark);
759
916abb21
LP		 760 if (s->mq_maxmsg > 0)
761 fprintf(f,
762 "%sMessageQueueMaxMessages: %li\n",
763 prefix, s->mq_maxmsg);
764
765 if (s->mq_msgsize > 0)
766 fprintf(f,
767 "%sMessageQueueMessageSize: %li\n",
768 prefix, s->mq_msgsize);
769
718db961 770 if (s->reuse_port)
f7db7a69
SL		 771 fprintf(f,
772 "%sReusePort: %s\n",
718db961 773 prefix, yes_no(s->reuse_port));
f7db7a69 774
0eb59ccf
AK		 775 if (s->smack)
776 fprintf(f,
777 "%sSmackLabel: %s\n",
778 prefix, s->smack);
779
780 if (s->smack_ip_in)
781 fprintf(f,
782 "%sSmackLabelIPIn: %s\n",
783 prefix, s->smack_ip_in);
784
785 if (s->smack_ip_out)
786 fprintf(f,
787 "%sSmackLabelIPOut: %s\n",
788 prefix, s->smack_ip_out);
789
3900e5fd
LP		 790 if (!isempty(s->user) || !isempty(s->group))
791 fprintf(f,
d2a50e3b
LP		 792 "%sSocketUser: %s\n"
793 "%sSocketGroup: %s\n",
3900e5fd
LP		 794 prefix, strna(s->user),
795 prefix, strna(s->group));
796
3cd761e4 797 if (s->keep_alive_time > 0)
209e9dcd 798 fprintf(f,
3cd761e4
LP		 799 "%sKeepAliveTimeSec: %s\n",
800 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
209e9dcd 801
3cd761e4 802 if (s->keep_alive_interval)
209e9dcd 803 fprintf(f,
3cd761e4
LP		 804 "%sKeepAliveIntervalSec: %s\n",
805 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
209e9dcd 806
3cd761e4 807 if (s->keep_alive_cnt)
209e9dcd
SS		 808 fprintf(f,
809 "%sKeepAliveProbes: %u\n",
810 prefix, s->keep_alive_cnt);
811
3cd761e4 812 if (s->defer_accept)
cc567c9b 813 fprintf(f,
3cd761e4
LP		 814 "%sDeferAcceptSec: %s\n",
815 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
cc567c9b 816
034c6ed7 817 LIST_FOREACH(port, p, s->ports) {
5cb5a6ff 818
542563ba
LP		 819 if (p->type == SOCKET_SOCKET) {
820 const char *t;
821 int r;
e364ad06 822 char *k = NULL;
542563ba 823
e53fc357
LP		 824 r = socket_address_print(&p->address, &k);
825 if (r < 0)
542563ba
LP		 826 t = strerror(-r);
827 else
828 t = k;
829
7a22745a 830 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
542563ba 831 free(k);
b0a3f2bc
LP		 832 } else if (p->type == SOCKET_SPECIAL)
833 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
60252446
PS		 834 else if (p->type == SOCKET_USB_FUNCTION)
835 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
916abb21
LP		 836 else if (p->type == SOCKET_MQUEUE)
837 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
b0a3f2bc 838 else
542563ba
LP		 839 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
840 }
5cb5a6ff 841
1745fa70
EV		 842 fprintf(f,
843 "%sTriggerLimitIntervalSec: %s\n"
844 "%sTriggerLimitBurst: %u\n",
845 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
846 prefix, s->trigger_limit.burst);
847
827d9bf2
YW		 848 str = socket_protocol_to_name(s->socket_protocol);
849 if (str)
850 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
851
852 if (!strv_isempty(s->symlinks)) {
853 char **q;
854
855 fprintf(f, "%sSymlinks:", prefix);
856 STRV_FOREACH(q, s->symlinks)
857 fprintf(f, " %s", *q);
858
859 fprintf(f, "\n");
860 }
861
862 fprintf(f,
863 "%sTimeoutSec: %s\n",
864 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
865
5cb5a6ff 866 exec_context_dump(&s->exec_context, f, prefix);
4819ff03 867 kill_context_dump(&s->kill_context, f, prefix);
5cb5a6ff 868
e537352b 869 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
c43d20a0
LP		 870 if (!s->exec_command[c])
871 continue;
5cb5a6ff 872
40d50879 873 fprintf(f, "%s-> %s:\n",
a16e1123 874 prefix, socket_exec_command_to_string(c));
c43d20a0
LP		 875
876 exec_command_dump_list(s->exec_command[c], f, prefix2);
5cb5a6ff 877 }
18f573aa
LP		 878
879 cgroup_context_dump(&s->cgroup_context, f, prefix);
5cb5a6ff
LP		 880}
881
4f2d528d
LP		 882static int instance_from_socket(int fd, unsigned nr, char **instance) {
883 socklen_t l;
884 char *r;
9d16d0c7 885 union sockaddr_union local, remote;
4f2d528d
LP		 886
887 assert(fd >= 0);
888 assert(instance);
889
890 l = sizeof(local);
891 if (getsockname(fd, &local.sa, &l) < 0)
892 return -errno;
893
894 l = sizeof(remote);
895 if (getpeername(fd, &remote.sa, &l) < 0)
896 return -errno;
897
898 switch (local.sa.sa_family) {
899
900 case AF_INET: {
901 uint32_t
8e38570e
LP		 902 a = be32toh(local.in.sin_addr.s_addr),
903 b = be32toh(remote.in.sin_addr.s_addr);
4f2d528d
LP		 904
905 if (asprintf(&r,
77b088c2
LP		 906 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
907 nr,
4f2d528d 908 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
8e38570e 909 be16toh(local.in.sin_port),
4f2d528d 910 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
8e38570e 911 be16toh(remote.in.sin_port)) < 0)
4f2d528d
LP		 912 return -ENOMEM;
913
914 break;
915 }
916
917 case AF_INET6: {
c65a0b14 918 static const unsigned char ipv4_prefix[] = {
2b061f5a
LP		 919 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
920 };
921
922 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
923 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
924 const uint8_t
925 *a = local.in6.sin6_addr.s6_addr+12,
926 *b = remote.in6.sin6_addr.s6_addr+12;
927
928 if (asprintf(&r,
77b088c2
LP		 929 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
930 nr,
2b061f5a 931 a[0], a[1], a[2], a[3],
8e38570e 932 be16toh(local.in6.sin6_port),
2b061f5a 933 b[0], b[1], b[2], b[3],
8e38570e 934 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 935 return -ENOMEM;
936 } else {
937 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
938
939 if (asprintf(&r,
77b088c2
LP		 940 "%u-%s:%u-%s:%u",
941 nr,
2b061f5a 942 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
8e38570e 943 be16toh(local.in6.sin6_port),
2b061f5a 944 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
8e38570e 945 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 946 return -ENOMEM;
947 }
4f2d528d
LP		 948
949 break;
950 }
951
952 case AF_UNIX: {
953 struct ucred ucred;
eff05270 954 int k;
4f2d528d 955
eff05270 956 k = getpeercred(fd, &ucred);
d38f6e34
ZJS		 957 if (k >= 0) {
958 if (asprintf(&r,
959 "%u-"PID_FMT"-"UID_FMT,
960 nr, ucred.pid, ucred.uid) < 0)
961 return -ENOMEM;
962 } else if (k == -ENODATA) {
963 /* This handles the case where somebody is
964 * connecting from another pid/uid namespace
965 * (e.g. from outside of our container). */
966 if (asprintf(&r,
967 "%u-unknown",
968 nr) < 0)
969 return -ENOMEM;
970 } else
eff05270 971 return k;
2f20a8eb 972
2f20a8eb 973 break;
4f2d528d
LP		 974 }
975
359a5bcf
SH		 976 case AF_VSOCK:
977 if (asprintf(&r,
978 "%u-%u:%u-%u:%u",
979 nr,
980 local.vm.svm_cid, local.vm.svm_port,
981 remote.vm.svm_cid, remote.vm.svm_port) < 0)
982 return -ENOMEM;
983
984 break;
985
4f2d528d
LP		 986 default:
987 assert_not_reached("Unhandled socket type.");
988 }
989
990 *instance = r;
991 return 0;
992}
993
034c6ed7 994static void socket_close_fds(Socket *s) {
83c60c9f 995 SocketPort *p;
811ba7a0 996 char **i;
83c60c9f
LP		 997
998 assert(s);
999
034c6ed7 1000 LIST_FOREACH(port, p, s->ports) {
18e854f8 1001 bool was_open;
718db961 1002
18e854f8 1003 was_open = p->fd >= 0;
83c60c9f 1004
18e854f8 1005 p->event_source = sd_event_source_unref(p->event_source);
03e334a1 1006 p->fd = safe_close(p->fd);
15087cdb 1007 socket_cleanup_fd_list(p);
a16e1123 1008
18e854f8
LP		 1009 /* One little note: we should normally not delete any sockets in the file system here! After all some
1010 * other process we spawned might still have a reference of this fd and wants to continue to use
1011 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1012 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1013 * anyway, but only then. */
bd1fe7c7 1014
18e854f8
LP		 1015 if (!was_open || !s->remove_on_stop)
1016 continue;
1017
1018 switch (p->type) {
bd1fe7c7 1019
18e854f8
LP		 1020 case SOCKET_FIFO:
1021 (void) unlink(p->path);
1022 break;
bd1fe7c7 1023
18e854f8
LP		 1024 case SOCKET_MQUEUE:
1025 (void) mq_unlink(p->path);
1026 break;
bd1fe7c7 1027
18e854f8
LP		 1028 case SOCKET_SOCKET:
1029 (void) socket_address_unlink(&p->address);
1030 break;
bd1fe7c7 1031
18e854f8
LP		 1032 default:
1033 break;
bd1fe7c7 1034 }
83c60c9f 1035 }
811ba7a0
LP		 1036
1037 if (s->remove_on_stop)
1038 STRV_FOREACH(i, s->symlinks)
18e854f8 1039 (void) unlink(*i);
83c60c9f
LP		 1040}
1041
4fd5948e 1042static void socket_apply_socket_options(Socket *s, int fd) {
d53e386d
LP		 1043 int r;
1044
4fd5948e
LP		 1045 assert(s);
1046 assert(fd >= 0);
1047
1048 if (s->keep_alive) {
1049 int b = s->keep_alive;
1050 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
f2341e0a 1051 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
4fd5948e
LP		 1052 }
1053
209e9dcd
SS		 1054 if (s->keep_alive_time) {
1055 int value = s->keep_alive_time / USEC_PER_SEC;
1056 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
f2341e0a 1057 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
209e9dcd
SS		 1058 }
1059
1060 if (s->keep_alive_interval) {
920b52e4 1061 int value = s->keep_alive_interval / USEC_PER_SEC;
209e9dcd 1062 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
f2341e0a 1063 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
209e9dcd
SS		 1064 }
1065
1066 if (s->keep_alive_cnt) {
1067 int value = s->keep_alive_cnt;
172cfe87 1068 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
f2341e0a 1069 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
209e9dcd
SS		 1070 }
1071
cc567c9b
SS		 1072 if (s->defer_accept) {
1073 int value = s->defer_accept / USEC_PER_SEC;
1074 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
f2341e0a 1075 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
cc567c9b
SS		 1076 }
1077
4427c3f4
SS		 1078 if (s->no_delay) {
1079 int b = s->no_delay;
62bc4efc
SS		 1080
1081 if (s->socket_protocol == IPPROTO_SCTP) {
1082 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1083 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1084 } else {
1085 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1086 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1087 }
4427c3f4
SS		 1088 }
1089
ec6370a2
LP		 1090 if (s->broadcast) {
1091 int one = 1;
1092 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
f2341e0a 1093 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
ec6370a2
LP		 1094 }
1095
d68af586
MS		 1096 if (s->pass_cred) {
1097 int one = 1;
1098 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
f2341e0a 1099 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
d68af586
MS		 1100 }
1101
54ecda32
LP		 1102 if (s->pass_sec) {
1103 int one = 1;
1104 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
f2341e0a 1105 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
54ecda32
LP		 1106 }
1107
4fd5948e
LP		 1108 if (s->priority >= 0)
1109 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
f2341e0a 1110 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
4fd5948e
LP		 1111
1112 if (s->receive_buffer > 0) {
1113 int value = (int) s->receive_buffer;
7d9eaa84
LP		 1114
1115 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1116
b8cef44e 1117 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
f2341e0a 1119 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
4fd5948e
LP		 1120 }
1121
1122 if (s->send_buffer > 0) {
1123 int value = (int) s->send_buffer;
b8cef44e 1124 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
f2341e0a 1126 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
4fd5948e
LP		 1127 }
1128
1129 if (s->mark >= 0)
1130 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
f2341e0a 1131 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
4fd5948e
LP		 1132
1133 if (s->ip_tos >= 0)
1134 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
f2341e0a 1135 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
4fd5948e 1136
46925ac5 1137 if (s->ip_ttl >= 0) {
d53e386d 1138 int x;
46925ac5
LP		 1139
1140 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
5bfcc1c6
FF		 1141
1142 if (socket_ipv6_is_supported())
1143 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1144 else {
1145 x = -1;
1146 errno = EAFNOSUPPORT;
1147 }
46925ac5
LP		 1148
1149 if (r < 0 && x < 0)
f2341e0a 1150 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
46925ac5 1151 }
cebf8b20
TT		 1152
1153 if (s->tcp_congestion)
1154 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
f2341e0a 1155 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
0eb59ccf 1156
d53e386d 1157 if (s->smack_ip_in) {
5ab58c20 1158 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
d53e386d 1159 if (r < 0)
f2341e0a 1160 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
d53e386d 1161 }
9a4e038c 1162
d53e386d 1163 if (s->smack_ip_out) {
5ab58c20 1164 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
d53e386d 1165 if (r < 0)
f2341e0a 1166 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
d53e386d 1167 }
4fd5948e
LP		 1168}
1169
b15bdda8 1170static void socket_apply_fifo_options(Socket *s, int fd) {
d53e386d
LP		 1171 int r;
1172
4fd5948e
LP		 1173 assert(s);
1174 assert(fd >= 0);
1175
1176 if (s->pipe_size > 0)
1177 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
ed460b07 1178 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
0eb59ccf 1179
d53e386d 1180 if (s->smack) {
5ab58c20 1181 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
d53e386d 1182 if (r < 0)
ed460b07 1183 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
d53e386d 1184 }
4fd5948e
LP		 1185}
1186
b15bdda8
LP		 1187static int fifo_address_create(
1188 const char *path,
1189 mode_t directory_mode,
e8da24a6 1190 mode_t socket_mode) {
b15bdda8 1191
e8da24a6 1192 _cleanup_close_ int fd = -1;
b15bdda8 1193 mode_t old_mask;
e8da24a6
LP		 1194 struct stat st;
1195 int r;
b15bdda8
LP		 1196
1197 assert(path);
b15bdda8 1198
1af87ab7 1199 (void) mkdir_parents_label(path, directory_mode);
b15bdda8 1200
ecabcf8b 1201 r = mac_selinux_create_file_prepare(path, S_IFIFO);
e9a5ef7c 1202 if (r < 0)
e8da24a6 1203 return r;
b15bdda8
LP		 1204
1205 /* Enforce the right access mode for the fifo */
1206 old_mask = umask(~ socket_mode);
1207
1208 /* Include the original umask in our mask */
e8da24a6 1209 (void) umask(~socket_mode | old_mask);
b15bdda8
LP		 1210
1211 r = mkfifo(path, socket_mode);
e8da24a6 1212 (void) umask(old_mask);
b15bdda8 1213
94bc2731 1214 if (r < 0 && errno != EEXIST) {
b15bdda8
LP		 1215 r = -errno;
1216 goto fail;
1217 }
1218
e8da24a6 1219 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
3cc2aff1 1220 if (fd < 0) {
b15bdda8
LP		 1221 r = -errno;
1222 goto fail;
1223 }
1224
ecabcf8b 1225 mac_selinux_create_file_clear();
7a58bfa4 1226
b15bdda8
LP		 1227 if (fstat(fd, &st) < 0) {
1228 r = -errno;
1229 goto fail;
1230 }
1231
1232 if (!S_ISFIFO(st.st_mode) ||
de0200fc 1233 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
e4f44e73
DR		 1234 st.st_uid != getuid() ||
1235 st.st_gid != getgid()) {
b15bdda8
LP		 1236 r = -EEXIST;
1237 goto fail;
1238 }
1239
c10d6bdb 1240 return TAKE_FD(fd);
b15bdda8
LP		 1241
1242fail:
ecabcf8b 1243 mac_selinux_create_file_clear();
b15bdda8
LP		 1244 return r;
1245}
1246
55301ec0 1247static int special_address_create(const char *path, bool writable) {
e8da24a6 1248 _cleanup_close_ int fd = -1;
b0a3f2bc
LP		 1249 struct stat st;
1250
1251 assert(path);
b0a3f2bc 1252
55301ec0 1253 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
e8da24a6
LP		 1254 if (fd < 0)
1255 return -errno;
b0a3f2bc 1256
e8da24a6
LP		 1257 if (fstat(fd, &st) < 0)
1258 return -errno;
b0a3f2bc
LP		 1259
1260 /* Check whether this is a /proc, /sys or /dev file or char device */
e8da24a6
LP		 1261 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1262 return -EEXIST;
b0a3f2bc 1263
c10d6bdb 1264 return TAKE_FD(fd);
b0a3f2bc
LP		 1265}
1266
36078102 1267static int usbffs_address_create(const char *path) {
60252446
PS		 1268 _cleanup_close_ int fd = -1;
1269 struct stat st;
1270
1271 assert(path);
60252446
PS		 1272
1273 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1274 if (fd < 0)
1275 return -errno;
1276
1277 if (fstat(fd, &st) < 0)
1278 return -errno;
1279
13e785f7 1280 /* Check whether this is a regular file (ffs endpoint) */
60252446
PS		 1281 if (!S_ISREG(st.st_mode))
1282 return -EEXIST;
1283
c10d6bdb 1284 return TAKE_FD(fd);
60252446
PS		 1285}
1286
916abb21
LP		 1287static int mq_address_create(
1288 const char *path,
1289 mode_t mq_mode,
1290 long maxmsg,
e8da24a6 1291 long msgsize) {
916abb21 1292
e8da24a6 1293 _cleanup_close_ int fd = -1;
916abb21
LP		 1294 struct stat st;
1295 mode_t old_mask;
1296 struct mq_attr _attr, *attr = NULL;
1297
1298 assert(path);
916abb21
LP		 1299
1300 if (maxmsg > 0 && msgsize > 0) {
e8da24a6
LP		 1301 _attr = (struct mq_attr) {
1302 .mq_flags = O_NONBLOCK,
1303 .mq_maxmsg = maxmsg,
1304 .mq_msgsize = msgsize,
1305 };
916abb21
LP		 1306 attr = &_attr;
1307 }
1308
1309 /* Enforce the right access mode for the mq */
1310 old_mask = umask(~ mq_mode);
1311
1312 /* Include the original umask in our mask */
e8da24a6 1313 (void) umask(~mq_mode | old_mask);
916abb21 1314 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
e8da24a6 1315 (void) umask(old_mask);
916abb21 1316
e8da24a6
LP		 1317 if (fd < 0)
1318 return -errno;
916abb21 1319
e8da24a6
LP		 1320 if (fstat(fd, &st) < 0)
1321 return -errno;
916abb21
LP		 1322
1323 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1324 st.st_uid != getuid() ||
e8da24a6
LP		 1325 st.st_gid != getgid())
1326 return -EEXIST;
916abb21 1327
c10d6bdb 1328 return TAKE_FD(fd);
916abb21
LP		 1329}
1330
811ba7a0
LP		 1331static int socket_symlink(Socket *s) {
1332 const char *p;
1333 char **i;
95f7fbbf 1334 int r;
811ba7a0
LP		 1335
1336 assert(s);
1337
1338 p = socket_find_symlink_target(s);
1339 if (!p)
1340 return 0;
1341
95f7fbbf 1342 STRV_FOREACH(i, s->symlinks) {
1af87ab7
LP		 1343 (void) mkdir_parents_label(*i, s->directory_mode);
1344
95f7fbbf 1345 r = symlink_idempotent(p, *i);
22b20752
LP		 1346
1347 if (r == -EEXIST && s->remove_on_stop) {
1348 /* If there's already something where we want to create the symlink, and the destructive
1349 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1350 * again. */
1351
1352 if (unlink(*i) >= 0)
1353 r = symlink_idempotent(p, *i);
1354 }
1355
95f7fbbf
LP		 1356 if (r < 0)
1357 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1358 }
811ba7a0
LP		 1359
1360 return 0;
1361}
1362
36078102 1363static int usbffs_write_descs(int fd, Service *s) {
6b7e5923
PS		 1364 int r;
1365
1366 if (!s->usb_function_descriptors || !s->usb_function_strings)
1367 return -EINVAL;
1368
1c876927 1369 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
6b7e5923 1370 if (r < 0)
e8da24a6 1371 return r;
6b7e5923 1372
1c876927 1373 return copy_file_fd(s->usb_function_strings, fd, 0);
6b7e5923
PS		 1374}
1375
36078102 1376static int usbffs_select_ep(const struct dirent *d) {
60252446
PS		 1377 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1378}
1379
36078102 1380static int usbffs_dispatch_eps(SocketPort *p) {
60252446 1381 _cleanup_free_ struct dirent **ent = NULL;
36078102 1382 int r, i, n, k;
60252446 1383
00bb64ec 1384 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
60252446
PS		 1385 if (r < 0)
1386 return -errno;
1387
1388 n = r;
1389 p->auxiliary_fds = new(int, n);
1390 if (!p->auxiliary_fds)
1391 return -ENOMEM;
1392
1393 p->n_auxiliary_fds = n;
1394
1395 k = 0;
1396 for (i = 0; i < n; ++i) {
1397 _cleanup_free_ char *ep = NULL;
1398
00bb64ec 1399 ep = path_make_absolute(ent[i]->d_name, p->path);
60252446
PS		 1400 if (!ep)
1401 return -ENOMEM;
1402
1403 path_kill_slashes(ep);
1404
36078102 1405 r = usbffs_address_create(ep);
60252446
PS		 1406 if (r < 0)
1407 goto fail;
1408
e8da24a6
LP		 1409 p->auxiliary_fds[k] = r;
1410
60252446
PS		 1411 ++k;
1412 free(ent[i]);
1413 }
1414
1415 return r;
1416
1417fail:
e8da24a6 1418 close_many(p->auxiliary_fds, k);
60252446
PS		 1419 p->auxiliary_fds = mfree(p->auxiliary_fds);
1420 p->n_auxiliary_fds = 0;
1421
1422 return r;
1423}
1424
d24e561d 1425static int socket_determine_selinux_label(Socket *s, char **ret) {
416be1a0 1426 Service *service;
d24e561d 1427 ExecCommand *c;
2ef044ea 1428 _cleanup_free_ char *path = NULL;
d24e561d
LP		 1429 int r;
1430
1431 assert(s);
1432 assert(ret);
1433
1434 if (s->selinux_context_from_net) {
1435 /* If this is requested, get label from the network label */
1436
1437 r = mac_selinux_get_our_label(ret);
1438 if (r == -EOPNOTSUPP)
1439 goto no_label;
1440
1441 } else {
1442 /* Otherwise, get it from the executable we are about to start */
1443 r = socket_instantiate_service(s);
1444 if (r < 0)
1445 return r;
1446
1447 if (!UNIT_ISSET(s->service))
1448 goto no_label;
1449
416be1a0
FB		 1450 service = SERVICE(UNIT_DEREF(s->service));
1451 c = service->exec_command[SERVICE_EXEC_START];
d24e561d
LP		 1452 if (!c)
1453 goto no_label;
1454
2ef044ea
FB		 1455 r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
1456 if (r < 0)
1457 goto no_label;
1458
416be1a0 1459 r = mac_selinux_get_create_label_from_exe(path, ret);
4c701096 1460 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
d24e561d
LP		 1461 goto no_label;
1462 }
1463
1464 return r;
1465
1466no_label:
1467 *ret = NULL;
1468 return 0;
1469}
1470
a79279c7
LP		 1471static int socket_address_listen_do(
1472 Socket *s,
1473 const SocketAddress *address,
1474 const char *label) {
1475
1476 assert(s);
1477 assert(address);
1478
1479 return socket_address_listen(
1480 address,
1481 SOCK_CLOEXEC|SOCK_NONBLOCK,
1482 s->backlog,
1483 s->bind_ipv6_only,
1484 s->bind_to_device,
1485 s->reuse_port,
1486 s->free_bind,
1487 s->transparent,
1488 s->directory_mode,
1489 s->socket_mode,
1490 label);
1491}
1492
1493static int socket_address_listen_in_cgroup(
1494 Socket *s,
1495 const SocketAddress *address,
1496 const char *label) {
1497
1498 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1499 int fd, r;
1500 pid_t pid;
1501
1502 assert(s);
1503 assert(address);
1504
1505 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1506 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1507 * unit's cgroup for the purpose of BPF filtering and such. */
1508
1509 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1510 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1511
1512 r = bpf_firewall_supported();
1513 if (r < 0)
1514 return r;
2ae7ee58 1515 if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
a79279c7
LP		 1516 goto shortcut;
1517
1518 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1519 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1520
4c253ed1 1521 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
a79279c7
LP		 1522 if (r < 0)
1523 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1524 if (r == 0) {
1525 /* Child */
1526
1527 pair[0] = safe_close(pair[0]);
1528
1529 fd = socket_address_listen_do(s, address, label);
1530 if (fd < 0) {
1531 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1532 _exit(EXIT_FAILURE);
1533 }
1534
1535 r = send_one_fd(pair[1], fd, 0);
1536 if (r < 0) {
1537 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1538 _exit(EXIT_FAILURE);
1539 }
1540
1541 _exit(EXIT_SUCCESS);
1542 }
1543
1544 pair[1] = safe_close(pair[1]);
1545 fd = receive_one_fd(pair[0], 0);
1546
1547 /* We synchronously wait for the helper, as it shouldn't be slow */
d2e0ac3d 1548 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
a79279c7
LP		 1549 if (r < 0) {
1550 safe_close(fd);
1551 return r;
1552 }
1553
1554 if (fd < 0)
1555 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1556
1557 return fd;
1558
1559shortcut:
1560 fd = socket_address_listen_do(s, address, label);
1561 if (fd < 0)
1562 return log_error_errno(fd, "Failed to create listening socket: %m");
1563
1564 return fd;
1565}
1566
034c6ed7 1567static int socket_open_fds(Socket *s) {
710a6b50
LP		 1568 _cleanup_(mac_selinux_freep) char *label = NULL;
1569 bool know_label = false;
83c60c9f
LP		 1570 SocketPort *p;
1571 int r;
1572
1573 assert(s);
1574
034c6ed7 1575 LIST_FOREACH(port, p, s->ports) {
83c60c9f 1576
034c6ed7
LP		 1577 if (p->fd >= 0)
1578 continue;
83c60c9f 1579
00411a13
LP		 1580 switch (p->type) {
1581
1582 case SOCKET_SOCKET:
049f8642 1583
7f416dae 1584 if (!know_label) {
d24e561d
LP		 1585 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1586 * we need this and remember it for the rest. */
7f416dae 1587
d24e561d
LP		 1588 r = socket_determine_selinux_label(s, &label);
1589 if (r < 0)
1590 goto rollback;
049f8642
LP		 1591
1592 know_label = true;
1593 }
1594
74bb646e 1595 /* Apply the socket protocol */
d24e561d 1596 switch (p->address.type) {
d2a50e3b 1597
74bb646e
SS		 1598 case SOCK_STREAM:
1599 case SOCK_SEQPACKET:
d24e561d
LP		 1600 if (s->socket_protocol == IPPROTO_SCTP)
1601 p->address.protocol = s->socket_protocol;
74bb646e 1602 break;
d2a50e3b 1603
74bb646e 1604 case SOCK_DGRAM:
d24e561d
LP		 1605 if (s->socket_protocol == IPPROTO_UDPLITE)
1606 p->address.protocol = s->socket_protocol;
74bb646e
SS		 1607 break;
1608 }
1609
a79279c7 1610 r = socket_address_listen_in_cgroup(s, &p->address, label);
175a3d25 1611 if (r < 0)
83c60c9f
LP		 1612 goto rollback;
1613
175a3d25 1614 p->fd = r;
4fd5948e 1615 socket_apply_socket_options(s, p->fd);
811ba7a0 1616 socket_symlink(s);
00411a13 1617 break;
4fd5948e 1618
00411a13 1619 case SOCKET_SPECIAL:
b0a3f2bc 1620
55301ec0 1621 p->fd = special_address_create(p->path, s->writable);
e8da24a6
LP		 1622 if (p->fd < 0) {
1623 r = p->fd;
b0a3f2bc 1624 goto rollback;
e8da24a6 1625 }
00411a13 1626 break;
b0a3f2bc 1627
00411a13 1628 case SOCKET_FIFO:
83c60c9f 1629
e8da24a6 1630 p->fd = fifo_address_create(
175a3d25
LP		 1631 p->path,
1632 s->directory_mode,
e8da24a6
LP		 1633 s->socket_mode);
1634 if (p->fd < 0) {
1635 r = p->fd;
83c60c9f 1636 goto rollback;
e8da24a6 1637 }
83c60c9f 1638
b15bdda8 1639 socket_apply_fifo_options(s, p->fd);
811ba7a0 1640 socket_symlink(s);
00411a13 1641 break;
811ba7a0 1642
00411a13 1643 case SOCKET_MQUEUE:
83c60c9f 1644
e8da24a6 1645 p->fd = mq_address_create(
175a3d25
LP		 1646 p->path,
1647 s->socket_mode,
1648 s->mq_maxmsg,
e8da24a6
LP		 1649 s->mq_msgsize);
1650 if (p->fd < 0) {
1651 r = p->fd;
916abb21 1652 goto rollback;
e8da24a6 1653 }
00411a13 1654 break;
e8da24a6 1655
d2a50e3b 1656 case SOCKET_USB_FUNCTION: {
27a6ea91 1657 _cleanup_free_ char *ep = NULL;
60252446 1658
27a6ea91
GB		 1659 ep = path_make_absolute("ep0", p->path);
1660
1661 p->fd = usbffs_address_create(ep);
e8da24a6
LP		 1662 if (p->fd < 0) {
1663 r = p->fd;
60252446 1664 goto rollback;
e8da24a6 1665 }
60252446 1666
36078102 1667 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
6b7e5923
PS		 1668 if (r < 0)
1669 goto rollback;
1670
36078102 1671 r = usbffs_dispatch_eps(p);
60252446
PS		 1672 if (r < 0)
1673 goto rollback;
00411a13
LP		 1674
1675 break;
27a6ea91 1676 }
00411a13 1677 default:
b15bdda8 1678 assert_not_reached("Unknown port type");
00411a13 1679 }
034c6ed7
LP		 1680 }
1681
1682 return 0;
1683
1684rollback:
1685 socket_close_fds(s);
1686 return r;
1687}
1688
1689static void socket_unwatch_fds(Socket *s) {
1690 SocketPort *p;
718db961 1691 int r;
9152c765 1692
034c6ed7
LP		 1693 assert(s);
1694
1695 LIST_FOREACH(port, p, s->ports) {
1696 if (p->fd < 0)
1697 continue;
1698
a4152e3f
LP		 1699 if (!p->event_source)
1700 continue;
1701
1702 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1703 if (r < 0)
f2341e0a 1704 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
83c60c9f 1705 }
034c6ed7
LP		 1706}
1707
1708static int socket_watch_fds(Socket *s) {
1709 SocketPort *p;
1710 int r;
1711
1712 assert(s);
83c60c9f 1713
034c6ed7
LP		 1714 LIST_FOREACH(port, p, s->ports) {
1715 if (p->fd < 0)
1716 continue;
1717
cbf60d0a 1718 if (p->event_source) {
718db961 1719 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
cbf60d0a
LP		 1720 if (r < 0)
1721 goto fail;
1722 } else {
151b9b96 1723 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
cbf60d0a
LP		 1724 if (r < 0)
1725 goto fail;
4f2d528d 1726
cbf60d0a 1727 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
718db961 1728 }
034c6ed7 1729 }
83c60c9f 1730
542563ba 1731 return 0;
83c60c9f 1732
034c6ed7 1733fail:
cbf60d0a 1734 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
034c6ed7
LP		 1735 socket_unwatch_fds(s);
1736 return r;
1737}
1738
01a8b467
LP		 1739enum {
1740 SOCKET_OPEN_NONE,
1741 SOCKET_OPEN_SOME,
1742 SOCKET_OPEN_ALL,
1743};
1744
1745static int socket_check_open(Socket *s) {
1746 bool have_open = false, have_closed = false;
1747 SocketPort *p;
1748
1749 assert(s);
1750
1751 LIST_FOREACH(port, p, s->ports) {
1752 if (p->fd < 0)
1753 have_closed = true;
1754 else
1755 have_open = true;
1756
1757 if (have_open && have_closed)
1758 return SOCKET_OPEN_SOME;
1759 }
1760
1761 if (have_open)
1762 return SOCKET_OPEN_ALL;
1763
1764 return SOCKET_OPEN_NONE;
1765}
1766
034c6ed7
LP		 1767static void socket_set_state(Socket *s, SocketState state) {
1768 SocketState old_state;
1769 assert(s);
1770
1771 old_state = s->state;
1772 s->state = state;
1773
bd1fe7c7
LP		 1774 if (!IN_SET(state,
1775 SOCKET_START_PRE,
3900e5fd 1776 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1777 SOCKET_START_POST,
1778 SOCKET_STOP_PRE,
1779 SOCKET_STOP_PRE_SIGTERM,
1780 SOCKET_STOP_PRE_SIGKILL,
1781 SOCKET_STOP_POST,
1782 SOCKET_FINAL_SIGTERM,
1783 SOCKET_FINAL_SIGKILL)) {
718db961
LP		 1784
1785 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
5e94833f 1786 socket_unwatch_control_pid(s);
034c6ed7 1787 s->control_command = NULL;
a16e1123 1788 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
e537352b 1789 }
034c6ed7 1790
a16e1123
LP		 1791 if (state != SOCKET_LISTENING)
1792 socket_unwatch_fds(s);
1793
bd1fe7c7 1794 if (!IN_SET(state,
3900e5fd 1795 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1796 SOCKET_START_POST,
1797 SOCKET_LISTENING,
1798 SOCKET_RUNNING,
1799 SOCKET_STOP_PRE,
1800 SOCKET_STOP_PRE_SIGTERM,
1801 SOCKET_STOP_PRE_SIGKILL))
034c6ed7
LP		 1802 socket_close_fds(s);
1803
e537352b 1804 if (state != old_state)
f2341e0a 1805 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
acbb0225 1806
e2f3b44c 1807 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
034c6ed7
LP		 1808}
1809
be847e82 1810static int socket_coldplug(Unit *u) {
a16e1123
LP		 1811 Socket *s = SOCKET(u);
1812 int r;
1813
1814 assert(s);
1815 assert(s->state == SOCKET_DEAD);
1816
e821075a
LP		 1817 if (s->deserialized_state == s->state)
1818 return 0;
a16e1123 1819
c386f588
LP		 1820 if (s->control_pid > 0 &&
1821 pid_is_unwaited(s->control_pid) &&
1822 IN_SET(s->deserialized_state,
3900e5fd
LP		 1823 SOCKET_START_PRE,
1824 SOCKET_START_CHOWN,
1825 SOCKET_START_POST,
1826 SOCKET_STOP_PRE,
1827 SOCKET_STOP_PRE_SIGTERM,
1828 SOCKET_STOP_PRE_SIGKILL,
1829 SOCKET_STOP_POST,
1830 SOCKET_FINAL_SIGTERM,
1831 SOCKET_FINAL_SIGKILL)) {
a16e1123 1832
e821075a
LP		 1833 r = unit_watch_pid(UNIT(s), s->control_pid);
1834 if (r < 0)
1835 return r;
a16e1123 1836
36c16a7c 1837 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
e821075a
LP		 1838 if (r < 0)
1839 return r;
1840 }
a16e1123 1841
3900e5fd
LP		 1842 if (IN_SET(s->deserialized_state,
1843 SOCKET_START_CHOWN,
1844 SOCKET_START_POST,
1845 SOCKET_LISTENING,
01a8b467
LP		 1846 SOCKET_RUNNING)) {
1847
1848 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1849 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1850 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1851 * and if there's a mismatch, warn loudly. */
1852
1853 r = socket_check_open(s);
1854 if (r == SOCKET_OPEN_NONE)
1855 log_unit_warning(UNIT(s),
1856 "Socket unit configuration has changed while unit has been running, "
1857 "no open socket file descriptor left. "
1858 "The socket unit is not functional until restarted.");
1859 else if (r == SOCKET_OPEN_SOME)
1860 log_unit_warning(UNIT(s),
1861 "Socket unit configuration has changed while unit has been running, "
1862 "and some socket file descriptors have not been opened yet. "
1863 "The socket unit is not fully functional until restarted.");
e821075a 1864 }
a16e1123 1865
e821075a
LP		 1866 if (s->deserialized_state == SOCKET_LISTENING) {
1867 r = socket_watch_fds(s);
1868 if (r < 0)
1869 return r;
a16e1123
LP		 1870 }
1871
e8a565cb 1872 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
29206d46 1873 (void) unit_setup_dynamic_creds(u);
e8a565cb
YW		 1874 (void) unit_setup_exec_runtime(u);
1875 }
29206d46 1876
e821075a 1877 socket_set_state(s, s->deserialized_state);
a16e1123
LP		 1878 return 0;
1879}
1880
e537352b 1881static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
3c7416b6 1882
9fa95f85 1883 ExecParameters exec_params = {
1703fa41 1884 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
c39f1ce2
LP		 1885 .stdin_fd = -1,
1886 .stdout_fd = -1,
1887 .stderr_fd = -1,
9fa95f85 1888 };
3c7416b6
LP		 1889 pid_t pid;
1890 int r;
034c6ed7
LP		 1891
1892 assert(s);
1893 assert(c);
1894 assert(_pid);
1895
3c7416b6 1896 r = unit_prepare_exec(UNIT(s));
29206d46
LP		 1897 if (r < 0)
1898 return r;
1899
36c16a7c 1900 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 1901 if (r < 0)
36c16a7c 1902 return r;
034c6ed7 1903
f0d47797 1904 unit_set_exec_params(UNIT(s), &exec_params);
3536f49e 1905
5125e762 1906 exec_params.argv = c->argv;
9fa95f85 1907
f2341e0a
LP		 1908 r = exec_spawn(UNIT(s),
1909 c,
9e2f7c11 1910 &s->exec_context,
9fa95f85 1911 &exec_params,
613b411c 1912 s->exec_runtime,
29206d46 1913 &s->dynamic_creds,
9e2f7c11 1914 &pid);
cee288ad 1915 if (r < 0)
36c16a7c 1916 return r;
9e2f7c11 1917
3900e5fd 1918 r = unit_watch_pid(UNIT(s), pid);
9e2f7c11 1919 if (r < 0)
3900e5fd 1920 /* FIXME: we need to do something here */
36c16a7c 1921 return r;
034c6ed7 1922
3900e5fd 1923 *_pid = pid;
3536f49e 1924
3900e5fd 1925 return 0;
3900e5fd
LP		 1926}
1927
1928static int socket_chown(Socket *s, pid_t *_pid) {
1929 pid_t pid;
1930 int r;
1931
36c16a7c 1932 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
3900e5fd
LP		 1933 if (r < 0)
1934 goto fail;
1935
1936 /* We have to resolve the user names out-of-process, hence
1937 * let's fork here. It's messy, but well, what can we do? */
1938
4c253ed1 1939 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
a79279c7
LP		 1940 if (r < 0)
1941 return r;
1942 if (r == 0) {
fed1e721
LP		 1943 uid_t uid = UID_INVALID;
1944 gid_t gid = GID_INVALID;
a79279c7 1945 SocketPort *p;
3900e5fd 1946
a79279c7 1947 /* Child */
3900e5fd
LP		 1948
1949 if (!isempty(s->user)) {
1950 const char *user = s->user;
1951
1952 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1953 if (r < 0) {
a79279c7
LP		 1954 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1955 _exit(EXIT_USER);
3900e5fd
LP		 1956 }
1957 }
1958
1959 if (!isempty(s->group)) {
1960 const char *group = s->group;
1961
1962 r = get_group_creds(&group, &gid);
1963 if (r < 0) {
a79279c7
LP		 1964 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1965 _exit(EXIT_GROUP);
3900e5fd
LP		 1966 }
1967 }
1968
1969 LIST_FOREACH(port, p, s->ports) {
e5a1c18d 1970 const char *path = NULL;
3900e5fd
LP		 1971
1972 if (p->type == SOCKET_SOCKET)
1973 path = socket_address_get_path(&p->address);
1974 else if (p->type == SOCKET_FIFO)
1975 path = p->path;
1976
1977 if (!path)
1978 continue;
1979
1980 if (chown(path, uid, gid) < 0) {
a79279c7
LP		 1981 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1982 _exit(EXIT_CHOWN);
3900e5fd
LP		 1983 }
1984 }
1985
a79279c7 1986 _exit(EXIT_SUCCESS);
3900e5fd
LP		 1987 }
1988
718db961
LP		 1989 r = unit_watch_pid(UNIT(s), pid);
1990 if (r < 0)
034c6ed7 1991 goto fail;
83c60c9f 1992
034c6ed7 1993 *_pid = pid;
034c6ed7
LP		 1994 return 0;
1995
1996fail:
718db961 1997 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
83c60c9f 1998 return r;
542563ba
LP		 1999}
2000
cfc4eb4c 2001static void socket_enter_dead(Socket *s, SocketResult f) {
034c6ed7
LP		 2002 assert(s);
2003
a0fef983 2004 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2005 s->result = f;
034c6ed7 2006
ed77d407
LP		 2007 if (s->result != SOCKET_SUCCESS)
2008 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2009
29206d46
LP		 2010 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2011
e8a565cb 2012 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
613b411c 2013
3536f49e 2014 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
e66cf1a3 2015
00d9ef85
LP		 2016 unit_unref_uid_gid(UNIT(s), true);
2017
29206d46 2018 dynamic_creds_destroy(&s->dynamic_creds);
034c6ed7
LP		 2019}
2020
cfc4eb4c 2021static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
80876c20 2022
cfc4eb4c 2023static void socket_enter_stop_post(Socket *s, SocketResult f) {
034c6ed7
LP		 2024 int r;
2025 assert(s);
2026
a0fef983 2027 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2028 s->result = f;
034c6ed7 2029
5e94833f 2030 socket_unwatch_control_pid(s);
a16e1123 2031 s->control_command_id = SOCKET_EXEC_STOP_POST;
3900e5fd 2032 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
a16e1123 2033
3900e5fd
LP		 2034 if (s->control_command) {
2035 r = socket_spawn(s, s->control_command, &s->control_pid);
2036 if (r < 0)
034c6ed7
LP		 2037 goto fail;
2038
80876c20
LP		 2039 socket_set_state(s, SOCKET_STOP_POST);
2040 } else
cfc4eb4c 2041 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
034c6ed7
LP		 2042
2043 return;
2044
2045fail:
f2341e0a 2046 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
cfc4eb4c 2047 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2048}
2049
cfc4eb4c 2050static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
034c6ed7
LP		 2051 int r;
2052
2053 assert(s);
2054
a0fef983 2055 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2056 s->result = f;
034c6ed7 2057
cd2086fe
LP		 2058 r = unit_kill_context(
2059 UNIT(s),
2060 &s->kill_context,
ec2ce0c5 2061 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
db2cb23b 2062 KILL_KILL : KILL_TERMINATE,
cd2086fe
LP		 2063 -1,
2064 s->control_pid,
2065 false);
2066 if (r < 0)
2067 goto fail;
034c6ed7 2068
cd2086fe 2069 if (r > 0) {
36c16a7c 2070 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 2071 if (r < 0)
80876c20 2072 goto fail;
d6ea93e3 2073
80876c20 2074 socket_set_state(s, state);
ac84d1fb
LP		 2075 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2076 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2077 else if (state == SOCKET_STOP_PRE_SIGKILL)
cfc4eb4c 2078 socket_enter_stop_post(s, SOCKET_SUCCESS);
ac84d1fb
LP		 2079 else if (state == SOCKET_FINAL_SIGTERM)
2080 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
80876c20 2081 else
cfc4eb4c 2082 socket_enter_dead(s, SOCKET_SUCCESS);
034c6ed7
LP		 2083
2084 return;
2085
2086fail:
f2341e0a 2087 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
034c6ed7 2088
3742095b 2089 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
cfc4eb4c 2090 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2091 else
cfc4eb4c 2092 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2093}
2094
cfc4eb4c 2095static void socket_enter_stop_pre(Socket *s, SocketResult f) {
034c6ed7
LP		 2096 int r;
2097 assert(s);
2098
a0fef983 2099 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2100 s->result = f;
034c6ed7 2101
5e94833f 2102 socket_unwatch_control_pid(s);
a16e1123 2103 s->control_command_id = SOCKET_EXEC_STOP_PRE;
3900e5fd 2104 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
a16e1123 2105
3900e5fd
LP		 2106 if (s->control_command) {
2107 r = socket_spawn(s, s->control_command, &s->control_pid);
2108 if (r < 0)
034c6ed7
LP		 2109 goto fail;
2110
80876c20
LP		 2111 socket_set_state(s, SOCKET_STOP_PRE);
2112 } else
cfc4eb4c 2113 socket_enter_stop_post(s, SOCKET_SUCCESS);
034c6ed7
LP		 2114
2115 return;
2116
2117fail:
f2341e0a 2118 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
cfc4eb4c 2119 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2120}
2121
e9af15c3
LP		 2122static void socket_enter_listening(Socket *s) {
2123 int r;
2124 assert(s);
2125
cfc4eb4c
LP		 2126 r = socket_watch_fds(s);
2127 if (r < 0) {
f2341e0a 2128 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
e9af15c3
LP		 2129 goto fail;
2130 }
2131
2132 socket_set_state(s, SOCKET_LISTENING);
2133 return;
2134
2135fail:
cfc4eb4c 2136 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
e9af15c3
LP		 2137}
2138
034c6ed7
LP		 2139static void socket_enter_start_post(Socket *s) {
2140 int r;
2141 assert(s);
2142
3900e5fd
LP		 2143 socket_unwatch_control_pid(s);
2144 s->control_command_id = SOCKET_EXEC_START_POST;
2145 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2146
2147 if (s->control_command) {
2148 r = socket_spawn(s, s->control_command, &s->control_pid);
2149 if (r < 0) {
f2341e0a 2150 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
3900e5fd
LP		 2151 goto fail;
2152 }
2153
2154 socket_set_state(s, SOCKET_START_POST);
2155 } else
2156 socket_enter_listening(s);
2157
2158 return;
2159
2160fail:
2161 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2162}
2163
2164static void socket_enter_start_chown(Socket *s) {
2165 int r;
2166
2167 assert(s);
2168
cfc4eb4c
LP		 2169 r = socket_open_fds(s);
2170 if (r < 0) {
f2341e0a 2171 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
034c6ed7
LP		 2172 goto fail;
2173 }
2174
3900e5fd 2175 if (!isempty(s->user) || !isempty(s->group)) {
5e94833f 2176
3900e5fd
LP		 2177 socket_unwatch_control_pid(s);
2178 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2179 s->control_command = NULL;
a16e1123 2180
3900e5fd 2181 r = socket_chown(s, &s->control_pid);
cfc4eb4c 2182 if (r < 0) {
f2341e0a 2183 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
034c6ed7
LP		 2184 goto fail;
2185 }
2186
3900e5fd 2187 socket_set_state(s, SOCKET_START_CHOWN);
80876c20 2188 } else
3900e5fd 2189 socket_enter_start_post(s);
034c6ed7
LP		 2190
2191 return;
2192
2193fail:
cfc4eb4c 2194 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2195}
2196
2197static void socket_enter_start_pre(Socket *s) {
2198 int r;
2199 assert(s);
2200
5e94833f 2201 socket_unwatch_control_pid(s);
a4634b21
LP		 2202
2203 unit_warn_leftover_processes(UNIT(s));
2204
a16e1123 2205 s->control_command_id = SOCKET_EXEC_START_PRE;
3900e5fd 2206 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
a16e1123 2207
3900e5fd 2208 if (s->control_command) {
e821075a 2209 r = socket_spawn(s, s->control_command, &s->control_pid);
3900e5fd 2210 if (r < 0) {
f2341e0a 2211 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
034c6ed7 2212 goto fail;
3900e5fd 2213 }
034c6ed7 2214
80876c20
LP		 2215 socket_set_state(s, SOCKET_START_PRE);
2216 } else
3900e5fd 2217 socket_enter_start_chown(s);
034c6ed7
LP		 2218
2219 return;
2220
2221fail:
cfc4eb4c 2222 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2223}
2224
60d9771c
LP		 2225static void flush_ports(Socket *s) {
2226 SocketPort *p;
2227
2228 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2229 * anymore */
2230
2231 LIST_FOREACH(port, p, s->ports) {
2232 if (p->fd < 0)
2233 continue;
2234
2235 (void) flush_accept(p->fd);
2236 (void) flush_fd(p->fd);
2237 }
2238}
2239
4f2d528d 2240static void socket_enter_running(Socket *s, int cfd) {
4afd3348 2241 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
034c6ed7
LP		 2242 int r;
2243
8b26cdbd
LP		 2244 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2245 * close it. */
2246
034c6ed7
LP		 2247 assert(s);
2248
60d9771c 2249 /* We don't take connections anymore if we are supposed to shut down anyway */
31afa0a4 2250 if (unit_stop_pending(UNIT(s))) {
e821075a 2251
f2341e0a 2252 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
5d909e3e 2253
7c610628 2254 if (cfd >= 0)
8b26cdbd 2255 cfd = safe_close(cfd);
60d9771c
LP		 2256 else
2257 flush_ports(s);
7c610628 2258
ba3e67a7
LP		 2259 return;
2260 }
2261
8b26cdbd
LP		 2262 if (!ratelimit_test(&s->trigger_limit)) {
2263 safe_close(cfd);
2264 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2265 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2266 return;
2267 }
2268
4f2d528d 2269 if (cfd < 0) {
f976f3f6 2270 bool pending = false;
eef85c4a
LP		 2271 Unit *other;
2272 Iterator i;
2273 void *v;
f976f3f6
LP		 2274
2275 /* If there's already a start pending don't bother to
2276 * do anything */
eef85c4a 2277 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
e821075a 2278 if (unit_active_or_pending(other)) {
57020a3a
LP		 2279 pending = true;
2280 break;
2281 }
f976f3f6 2282
1a710b43 2283 if (!pending) {
640ace4a 2284 if (!UNIT_ISSET(s->service)) {
f2341e0a 2285 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
640ace4a
LP		 2286 r = -ENOENT;
2287 goto fail;
2288 }
2289
4bd29fe5 2290 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
1a710b43 2291 if (r < 0)
f976f3f6 2292 goto fail;
1a710b43 2293 }
4f2d528d
LP		 2294
2295 socket_set_state(s, SOCKET_RUNNING);
2296 } else {
e55001eb 2297 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
9d565427 2298 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
b15bdda8 2299 Service *service;
4f2d528d 2300
6cf6bbc2 2301 if (s->n_connections >= s->max_connections) {
ea8f50f8 2302 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
166cf510 2303 s->n_connections);
03e334a1 2304 safe_close(cfd);
6cf6bbc2
LP		 2305 return;
2306 }
2307
9d565427 2308 if (s->max_connections_per_source > 0) {
166cf510 2309 r = socket_acquire_peer(s, cfd, &p);
9d565427
SS		 2310 if (r < 0) {
2311 safe_close(cfd);
2312 return;
166cf510 2313 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
ea8f50f8
ZJS		 2314 _cleanup_free_ char *t = NULL;
2315
41733ae1 2316 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
ea8f50f8 2317
166cf510 2318 log_unit_warning(UNIT(s),
ea8f50f8
ZJS		 2319 "Too many incoming connections (%u) from source %s, dropping connection.",
2320 p->n_ref, strnull(t));
9d565427 2321 safe_close(cfd);
9d565427
SS		 2322 return;
2323 }
2324 }
2325
1a710b43
MS		 2326 r = socket_instantiate_service(s);
2327 if (r < 0)
b15bdda8
LP		 2328 goto fail;
2329
1a710b43
MS		 2330 r = instance_from_socket(cfd, s->n_accepted, &instance);
2331 if (r < 0) {
2332 if (r != -ENOTCONN)
2333 goto fail;
2334
2335 /* ENOTCONN is legitimate if TCP RST was received.
2336 * This connection is over, but the socket unit lives on. */
8b26cdbd 2337 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
03e334a1 2338 safe_close(cfd);
1a710b43
MS		 2339 return;
2340 }
4f2d528d 2341
7410616c
LP		 2342 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2343 if (r < 0)
4f2d528d 2344 goto fail;
4f2d528d 2345
7410616c
LP		 2346 r = unit_name_build(prefix, instance, ".service", &name);
2347 if (r < 0)
b6dbbe1c 2348 goto fail;
4f2d528d 2349
1a710b43 2350 r = unit_add_name(UNIT_DEREF(s->service), name);
e55001eb 2351 if (r < 0)
4f2d528d 2352 goto fail;
b15bdda8 2353
57020a3a
LP		 2354 service = SERVICE(UNIT_DEREF(s->service));
2355 unit_ref_unset(&s->service);
6c073082 2356
e4f67317 2357 s->n_accepted++;
b15bdda8 2358 unit_choose_id(UNIT(service), name);
b15bdda8 2359
16115b0a 2360 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
1a710b43 2361 if (r < 0)
4f2d528d
LP		 2362 goto fail;
2363
8b26cdbd 2364 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
313cefa1 2365 s->n_connections++;
6cf6bbc2 2366
1cc6c93a 2367 service->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */
9d565427 2368
4bd29fe5 2369 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
3e7a1f50
LP		 2370 if (r < 0) {
2371 /* We failed to activate the new service, but it still exists. Let's make sure the service
2372 * closes and forgets the connection fd again, immediately. */
2373 service_close_socket_fd(service);
4f2d528d 2374 goto fail;
3e7a1f50 2375 }
c4e2ceae
LP		 2376
2377 /* Notify clients about changed counters */
2378 unit_add_to_dbus_queue(UNIT(s));
4f2d528d 2379 }
034c6ed7 2380
034c6ed7
LP		 2381 return;
2382
2383fail:
f2341e0a
LP		 2384 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2385 cfd >= 0 ? "template" : "non-template",
718db961 2386 bus_error_message(&error, r));
e821075a 2387
60089004 2388 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
03e334a1 2389 safe_close(cfd);
034c6ed7
LP		 2390}
2391
cfc4eb4c 2392static void socket_run_next(Socket *s) {
034c6ed7
LP		 2393 int r;
2394
2395 assert(s);
2396 assert(s->control_command);
2397 assert(s->control_command->command_next);
2398
5e94833f
LP		 2399 socket_unwatch_control_pid(s);
2400
034c6ed7
LP		 2401 s->control_command = s->control_command->command_next;
2402
e821075a
LP		 2403 r = socket_spawn(s, s->control_command, &s->control_pid);
2404 if (r < 0)
034c6ed7
LP		 2405 goto fail;
2406
2407 return;
2408
2409fail:
f2341e0a 2410 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
80876c20
LP		 2411
2412 if (s->state == SOCKET_START_POST)
cfc4eb4c 2413 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2414 else if (s->state == SOCKET_STOP_POST)
cfc4eb4c 2415 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2416 else
cfc4eb4c 2417 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2418}
2419
87f0e418
LP		 2420static int socket_start(Unit *u) {
2421 Socket *s = SOCKET(u);
07299350 2422 int r;
83c60c9f
LP		 2423
2424 assert(s);
2425
034c6ed7
LP		 2426 /* We cannot fulfill this request right now, try again later
2427 * please! */
3900e5fd
LP		 2428 if (IN_SET(s->state,
2429 SOCKET_STOP_PRE,
2430 SOCKET_STOP_PRE_SIGKILL,
2431 SOCKET_STOP_PRE_SIGTERM,
2432 SOCKET_STOP_POST,
2433 SOCKET_FINAL_SIGTERM,
2434 SOCKET_FINAL_SIGKILL))
034c6ed7
LP		 2435 return -EAGAIN;
2436
a4152e3f 2437 /* Already on it! */
3900e5fd
LP		 2438 if (IN_SET(s->state,
2439 SOCKET_START_PRE,
2440 SOCKET_START_CHOWN,
2441 SOCKET_START_POST))
034c6ed7 2442 return 0;
83c60c9f 2443
034c6ed7 2444 /* Cannot run this without the service being around */
9444b1f2 2445 if (UNIT_ISSET(s->service)) {
57020a3a
LP		 2446 Service *service;
2447
2448 service = SERVICE(UNIT_DEREF(s->service));
2449
1124fe6f 2450 if (UNIT(service)->load_state != UNIT_LOADED) {
f2341e0a 2451 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
4f2d528d 2452 return -ENOENT;
4ac9236f 2453 }
4f2d528d 2454
35b8ca3a 2455 /* If the service is already active we cannot start the
4f2d528d 2456 * socket */
ec2ce0c5 2457 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
f2341e0a 2458 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
4f2d528d 2459 return -EBUSY;
4ac9236f 2460 }
4f2d528d 2461 }
e537352b 2462
3742095b 2463 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
83c60c9f 2464
07299350
LP		 2465 r = unit_start_limit_test(u);
2466 if (r < 0) {
2467 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2468 return r;
2469 }
2470
4b58153d
LP		 2471 r = unit_acquire_invocation_id(u);
2472 if (r < 0)
2473 return r;
2474
cfc4eb4c 2475 s->result = SOCKET_SUCCESS;
3c7416b6
LP		 2476
2477 u->reset_accounting = true;
5ad096b3 2478
034c6ed7 2479 socket_enter_start_pre(s);
82a2b6bb 2480 return 1;
034c6ed7 2481}
83c60c9f 2482
87f0e418
LP		 2483static int socket_stop(Unit *u) {
2484 Socket *s = SOCKET(u);
034c6ed7
LP		 2485
2486 assert(s);
2487
e537352b 2488 /* Already on it */
3900e5fd
LP		 2489 if (IN_SET(s->state,
2490 SOCKET_STOP_PRE,
2491 SOCKET_STOP_PRE_SIGTERM,
2492 SOCKET_STOP_PRE_SIGKILL,
2493 SOCKET_STOP_POST,
2494 SOCKET_FINAL_SIGTERM,
2495 SOCKET_FINAL_SIGKILL))
e537352b
LP		 2496 return 0;
2497
3f6c78dc
LP		 2498 /* If there's already something running we go directly into
2499 * kill mode. */
3900e5fd
LP		 2500 if (IN_SET(s->state,
2501 SOCKET_START_PRE,
2502 SOCKET_START_CHOWN,
2503 SOCKET_START_POST)) {
cfc4eb4c 2504 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
3f6c78dc
LP		 2505 return -EAGAIN;
2506 }
2507
3742095b 2508 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
83c60c9f 2509
cfc4eb4c 2510 socket_enter_stop_pre(s, SOCKET_SUCCESS);
82a2b6bb 2511 return 1;
542563ba
LP		 2512}
2513
a16e1123
LP		 2514static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2515 Socket *s = SOCKET(u);
2516 SocketPort *p;
2517 int r;
2518
2519 assert(u);
2520 assert(f);
2521 assert(fds);
2522
2523 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
cfc4eb4c 2524 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
a16e1123
LP		 2525 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2526
2527 if (s->control_pid > 0)
de0671ee 2528 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
a16e1123
LP		 2529
2530 if (s->control_command_id >= 0)
2531 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2532
2533 LIST_FOREACH(port, p, s->ports) {
2534 int copy;
2535
2536 if (p->fd < 0)
2537 continue;
2538
613b411c
LP		 2539 copy = fdset_put_dup(fds, p->fd);
2540 if (copy < 0)
a16e1123
LP		 2541 return copy;
2542
2543 if (p->type == SOCKET_SOCKET) {
613b411c 2544 _cleanup_free_ char *t = NULL;
a16e1123 2545
ee092817
LP		 2546 r = socket_address_print(&p->address, &t);
2547 if (r < 0)
a16e1123
LP		 2548 return r;
2549
7a22745a
LP		 2550 if (socket_address_family(&p->address) == AF_NETLINK)
2551 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2552 else
2553 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
613b411c 2554
b0a3f2bc
LP		 2555 } else if (p->type == SOCKET_SPECIAL)
2556 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
ee092817
LP		 2557 else if (p->type == SOCKET_MQUEUE)
2558 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
60252446
PS		 2559 else if (p->type == SOCKET_USB_FUNCTION)
2560 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
b0a3f2bc 2561 else {
a16e1123
LP		 2562 assert(p->type == SOCKET_FIFO);
2563 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2564 }
2565 }
2566
2567 return 0;
2568}
2569
80a58668
ZJS		 2570static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2571 safe_close(p->fd);
2572 p->fd = fdset_remove(fds, fd);
2573}
2574
a16e1123
LP		 2575static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2576 Socket *s = SOCKET(u);
a16e1123
LP		 2577
2578 assert(u);
2579 assert(key);
2580 assert(value);
a16e1123
LP		 2581
2582 if (streq(key, "state")) {
2583 SocketState state;
2584
ee092817
LP		 2585 state = socket_state_from_string(value);
2586 if (state < 0)
f2341e0a 2587 log_unit_debug(u, "Failed to parse state value: %s", value);
a16e1123
LP		 2588 else
2589 s->deserialized_state = state;
cfc4eb4c
LP		 2590 } else if (streq(key, "result")) {
2591 SocketResult f;
a16e1123 2592
cfc4eb4c
LP		 2593 f = socket_result_from_string(value);
2594 if (f < 0)
f2341e0a 2595 log_unit_debug(u, "Failed to parse result value: %s", value);
cfc4eb4c
LP		 2596 else if (f != SOCKET_SUCCESS)
2597 s->result = f;
a16e1123
LP		 2598
2599 } else if (streq(key, "n-accepted")) {
2600 unsigned k;
2601
e364ad06 2602 if (safe_atou(value, &k) < 0)
f2341e0a 2603 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
a16e1123
LP		 2604 else
2605 s->n_accepted += k;
2606 } else if (streq(key, "control-pid")) {
5925dd3c 2607 pid_t pid;
a16e1123 2608
e364ad06 2609 if (parse_pid(value, &pid) < 0)
f2341e0a 2610 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
a16e1123 2611 else
5925dd3c 2612 s->control_pid = pid;
a16e1123
LP		 2613 } else if (streq(key, "control-command")) {
2614 SocketExecCommand id;
2615
66870f90
ZJS		 2616 id = socket_exec_command_from_string(value);
2617 if (id < 0)
f2341e0a 2618 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
a16e1123
LP		 2619 else {
2620 s->control_command_id = id;
2621 s->control_command = s->exec_command[id];
2622 }
2623 } else if (streq(key, "fifo")) {
2624 int fd, skip = 0;
2625 SocketPort *p;
2626
2627 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2628 log_unit_debug(u, "Failed to parse fifo value: %s", value);
80a58668 2629 else
a16e1123 2630 LIST_FOREACH(port, p, s->ports)
b0a3f2bc 2631 if (p->type == SOCKET_FIFO &&
e3f791a2 2632 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2633 socket_port_take_fd(p, fds, fd);
b0a3f2bc 2634 break;
80a58668 2635 }
b0a3f2bc
LP		 2636
2637 } else if (streq(key, "special")) {
2638 int fd, skip = 0;
2639 SocketPort *p;
2640
2641 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2642 log_unit_debug(u, "Failed to parse special value: %s", value);
80a58668 2643 else
b0a3f2bc
LP		 2644 LIST_FOREACH(port, p, s->ports)
2645 if (p->type == SOCKET_SPECIAL &&
e3f791a2 2646 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2647 socket_port_take_fd(p, fds, fd);
a16e1123 2648 break;
80a58668 2649 }
a16e1123 2650
ee092817
LP		 2651 } else if (streq(key, "mqueue")) {
2652 int fd, skip = 0;
2653 SocketPort *p;
2654
2655 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2656 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
80a58668 2657 else
ee092817
LP		 2658 LIST_FOREACH(port, p, s->ports)
2659 if (p->type == SOCKET_MQUEUE &&
80a58668
ZJS		 2660 streq(p->path, value+skip)) {
2661 socket_port_take_fd(p, fds, fd);
ee092817 2662 break;
80a58668 2663 }
ee092817 2664
a16e1123 2665 } else if (streq(key, "socket")) {
27ca8d7a 2666 int fd, type, skip = 0;
a16e1123
LP		 2667 SocketPort *p;
2668
27ca8d7a 2669 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
f2341e0a 2670 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2671 else
a16e1123 2672 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2673 if (socket_address_is(&p->address, value+skip, type)) {
2674 socket_port_take_fd(p, fds, fd);
a16e1123 2675 break;
80a58668 2676 }
a16e1123 2677
7a22745a
LP		 2678 } else if (streq(key, "netlink")) {
2679 int fd, skip = 0;
2680 SocketPort *p;
2681
2682 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2683 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2684 else
7a22745a 2685 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2686 if (socket_address_is_netlink(&p->address, value+skip)) {
2687 socket_port_take_fd(p, fds, fd);
7a22745a 2688 break;
80a58668 2689 }
60252446
PS		 2690
2691 } else if (streq(key, "ffs")) {
2692 int fd, skip = 0;
2693 SocketPort *p;
2694
2695 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2696 log_unit_debug(u, "Failed to parse ffs value: %s", value);
80a58668 2697 else
60252446
PS		 2698 LIST_FOREACH(port, p, s->ports)
2699 if (p->type == SOCKET_USB_FUNCTION &&
e3f791a2 2700 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2701 socket_port_take_fd(p, fds, fd);
60252446 2702 break;
80a58668 2703 }
60252446 2704
a16e1123 2705 } else
f2341e0a 2706 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
a16e1123
LP		 2707
2708 return 0;
2709}
2710
9ff1a6f1 2711static void socket_distribute_fds(Unit *u, FDSet *fds) {
01e10de3
LP		 2712 Socket *s = SOCKET(u);
2713 SocketPort *p;
2714
2715 assert(u);
2716
2717 LIST_FOREACH(port, p, s->ports) {
2718 Iterator i;
2719 int fd;
2720
2721 if (p->type != SOCKET_SOCKET)
2722 continue;
2723
2724 if (p->fd >= 0)
2725 continue;
2726
2727 FDSET_FOREACH(fd, fds, i) {
2728 if (socket_address_matches_fd(&p->address, fd)) {
2729 p->fd = fdset_remove(fds, fd);
2730 s->deserialized_state = SOCKET_LISTENING;
2731 break;
2732 }
2733 }
2734 }
01e10de3
LP		 2735}
2736
44a6b1b6 2737_pure_ static UnitActiveState socket_active_state(Unit *u) {
87f0e418 2738 assert(u);
5cb5a6ff 2739
acbb0225 2740 return state_translation_table[SOCKET(u)->state];
5cb5a6ff
LP		 2741}
2742
44a6b1b6 2743_pure_ static const char *socket_sub_state_to_string(Unit *u) {
10a94420
LP		 2744 assert(u);
2745
a16e1123 2746 return socket_state_to_string(SOCKET(u)->state);
10a94420
LP		 2747}
2748
67419600
OS		 2749const char* socket_port_type_to_string(SocketPort *p) {
2750
2751 assert(p);
2752
2753 switch (p->type) {
718db961
LP		 2754
2755 case SOCKET_SOCKET:
2756
2757 switch (p->address.type) {
2758
2759 case SOCK_STREAM:
2760 return "Stream";
2761
2762 case SOCK_DGRAM:
2763 return "Datagram";
2764
2765 case SOCK_SEQPACKET:
2766 return "SequentialPacket";
2767
2768 case SOCK_RAW:
2769 if (socket_address_family(&p->address) == AF_NETLINK)
2770 return "Netlink";
2771
4831981d 2772 _fallthrough_;
718db961
LP		 2773 default:
2774 return NULL;
2775 }
2776
2777 case SOCKET_SPECIAL:
2778 return "Special";
2779
2780 case SOCKET_MQUEUE:
2781 return "MessageQueue";
2782
2783 case SOCKET_FIFO:
2784 return "FIFO";
2785
60252446
PS		 2786 case SOCKET_USB_FUNCTION:
2787 return "USBFunction";
2788
718db961
LP		 2789 default:
2790 return NULL;
67419600
OS		 2791 }
2792}
2793
038ed5a4
YW		 2794SocketType socket_port_type_from_string(const char *s) {
2795 assert(s);
2796
e045e325
YW		 2797 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2798 return SOCKET_SOCKET;
2799 else if (streq(s, "Special"))
2800 return SOCKET_SPECIAL;
2801 else if (streq(s, "MessageQueue"))
2802 return SOCKET_MQUEUE;
2803 else if (streq(s, "FIFO"))
2804 return SOCKET_FIFO;
2805 else if (streq(s, "USBFunction"))
2806 return SOCKET_USB_FUNCTION;
038ed5a4
YW		 2807 else
2808 return _SOCKET_TYPE_INVALID;
2809}
2810
f2f725e5 2811_pure_ static bool socket_may_gc(Unit *u) {
6cf6bbc2
LP		 2812 Socket *s = SOCKET(u);
2813
2814 assert(u);
2815
f2f725e5 2816 return s->n_connections == 0;
6cf6bbc2
LP		 2817}
2818
a79279c7
LP		 2819static int socket_accept_do(Socket *s, int fd) {
2820 int cfd;
2821
2822 assert(s);
2823 assert(fd >= 0);
2824
2825 for (;;) {
2826 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2827 if (cfd < 0) {
2828 if (errno == EINTR)
2829 continue;
2830
2831 return -errno;
2832 }
2833
2834 break;
2835 }
2836
2837 return cfd;
2838}
2839
2840static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2841 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2842 int cfd, r;
2843 pid_t pid;
2844
2845 assert(s);
2846 assert(p);
2847 assert(fd >= 0);
2848
2849 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2850 * connection socket is also properly associated with the cgroup. */
2851
2852 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2853 goto shortcut;
2854
2855 r = bpf_firewall_supported();
2856 if (r < 0)
2857 return r;
2ae7ee58 2858 if (r == BPF_FIREWALL_UNSUPPORTED)
a79279c7
LP		 2859 goto shortcut;
2860
2861 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2862 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2863
4c253ed1 2864 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
a79279c7
LP		 2865 if (r < 0)
2866 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2867 if (r == 0) {
2868 /* Child */
2869
2870 pair[0] = safe_close(pair[0]);
2871
2872 cfd = socket_accept_do(s, fd);
2873 if (cfd < 0) {
2874 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2875 _exit(EXIT_FAILURE);
2876 }
2877
2878 r = send_one_fd(pair[1], cfd, 0);
2879 if (r < 0) {
2880 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2881 _exit(EXIT_FAILURE);
2882 }
2883
2884 _exit(EXIT_SUCCESS);
2885 }
2886
2887 pair[1] = safe_close(pair[1]);
2888 cfd = receive_one_fd(pair[0], 0);
2889
2890 /* We synchronously wait for the helper, as it shouldn't be slow */
d2e0ac3d 2891 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
a79279c7
LP		 2892 if (r < 0) {
2893 safe_close(cfd);
2894 return r;
2895 }
2896
2897 if (cfd < 0)
2898 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2899
2900 return cfd;
2901
2902shortcut:
2903 cfd = socket_accept_do(s, fd);
2904 if (cfd < 0)
2905 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2906
2907 return cfd;
2908}
2909
718db961
LP		 2910static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2911 SocketPort *p = userdata;
4f2d528d 2912 int cfd = -1;
9152c765 2913
718db961 2914 assert(p);
8d567588 2915 assert(fd >= 0);
9152c765 2916
718db961
LP		 2917 if (p->socket->state != SOCKET_LISTENING)
2918 return 0;
871d7de4 2919
f2341e0a 2920 log_unit_debug(UNIT(p->socket), "Incoming traffic");
9152c765 2921
718db961 2922 if (revents != EPOLLIN) {
641e01dc 2923
718db961 2924 if (revents & EPOLLHUP)
f2341e0a 2925 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
641e01dc 2926 else
f2341e0a 2927 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
8d567588 2928 goto fail;
4f2d528d
LP		 2929 }
2930
718db961
LP		 2931 if (p->socket->accept &&
2932 p->type == SOCKET_SOCKET &&
2933 socket_address_can_accept(&p->address)) {
2934
a79279c7
LP		 2935 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2936 if (cfd < 0)
2937 goto fail;
4fd5948e 2938
718db961 2939 socket_apply_socket_options(p->socket, cfd);
4f2d528d 2940 }
9152c765 2941
718db961
LP		 2942 socket_enter_running(p->socket, cfd);
2943 return 0;
8d567588
LP		 2944
2945fail:
718db961
LP		 2946 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2947 return 0;
9152c765
LP		 2948}
2949
87f0e418
LP		 2950static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2951 Socket *s = SOCKET(u);
cfc4eb4c 2952 SocketResult f;
5cb5a6ff
LP		 2953
2954 assert(s);
034c6ed7 2955 assert(pid >= 0);
5cb5a6ff 2956
8c47c732
LP		 2957 if (pid != s->control_pid)
2958 return;
542563ba 2959
034c6ed7
LP		 2960 s->control_pid = 0;
2961
1f0958f6 2962 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
cfc4eb4c
LP		 2963 f = SOCKET_SUCCESS;
2964 else if (code == CLD_EXITED)
2965 f = SOCKET_FAILURE_EXIT_CODE;
2966 else if (code == CLD_KILLED)
2967 f = SOCKET_FAILURE_SIGNAL;
2968 else if (code == CLD_DUMPED)
2969 f = SOCKET_FAILURE_CORE_DUMP;
2970 else
a4152e3f 2971 assert_not_reached("Unknown sigchld code");
8c47c732 2972
b708e7ce 2973 if (s->control_command) {
6ea832a2 2974 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
a16e1123 2975
3ed0cd26 2976 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
cfc4eb4c 2977 f = SOCKET_SUCCESS;
b708e7ce
LP		 2978 }
2979
f2341e0a
LP		 2980 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2981 "Control process exited, code=%s status=%i",
2982 sigchld_code_to_string(code), status);
034c6ed7 2983
a0fef983 2984 if (s->result == SOCKET_SUCCESS)
cfc4eb4c
LP		 2985 s->result = f;
2986
2987 if (s->control_command &&
2988 s->control_command->command_next &&
2989 f == SOCKET_SUCCESS) {
2990
f2341e0a 2991 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
cfc4eb4c 2992 socket_run_next(s);
acbb0225 2993 } else {
a16e1123
LP		 2994 s->control_command = NULL;
2995 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2996
034c6ed7
LP		 2997 /* No further commands for this step, so let's figure
2998 * out what to do next */
5cb5a6ff 2999
f2341e0a 3000 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
acbb0225 3001
034c6ed7
LP		 3002 switch (s->state) {
3003
3004 case SOCKET_START_PRE:
cfc4eb4c 3005 if (f == SOCKET_SUCCESS)
3900e5fd 3006 socket_enter_start_chown(s);
034c6ed7 3007 else
cfc4eb4c 3008 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
034c6ed7
LP		 3009 break;
3010
3900e5fd
LP		 3011 case SOCKET_START_CHOWN:
3012 if (f == SOCKET_SUCCESS)
3013 socket_enter_start_post(s);
3014 else
3015 socket_enter_stop_pre(s, f);
3016 break;
3017
034c6ed7 3018 case SOCKET_START_POST:
cfc4eb4c 3019 if (f == SOCKET_SUCCESS)
e9af15c3 3020 socket_enter_listening(s);
034c6ed7 3021 else
cfc4eb4c 3022 socket_enter_stop_pre(s, f);
034c6ed7
LP		 3023 break;
3024
3025 case SOCKET_STOP_PRE:
3026 case SOCKET_STOP_PRE_SIGTERM:
3027 case SOCKET_STOP_PRE_SIGKILL:
cfc4eb4c 3028 socket_enter_stop_post(s, f);
034c6ed7
LP		 3029 break;
3030
3031 case SOCKET_STOP_POST:
80876c20
LP		 3032 case SOCKET_FINAL_SIGTERM:
3033 case SOCKET_FINAL_SIGKILL:
cfc4eb4c 3034 socket_enter_dead(s, f);
034c6ed7
LP		 3035 break;
3036
3037 default:
3038 assert_not_reached("Uh, control process died at wrong time.");
3039 }
3040 }
c4e2ceae
LP		 3041
3042 /* Notify clients about changed exit status */
3043 unit_add_to_dbus_queue(u);
034c6ed7 3044}
5cb5a6ff 3045
718db961
LP		 3046static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3047 Socket *s = SOCKET(userdata);
5cb5a6ff 3048
034c6ed7 3049 assert(s);
718db961 3050 assert(s->timer_event_source == source);
034c6ed7
LP		 3051
3052 switch (s->state) {
3053
3054 case SOCKET_START_PRE:
f2341e0a 3055 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
cfc4eb4c 3056 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
da19d5c1 3057 break;
80876c20 3058
3900e5fd 3059 case SOCKET_START_CHOWN:
034c6ed7 3060 case SOCKET_START_POST:
f2341e0a 3061 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
cfc4eb4c 3062 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3063 break;
3064
3065 case SOCKET_STOP_PRE:
f2341e0a 3066 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
cfc4eb4c 3067 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3068 break;
3069
3070 case SOCKET_STOP_PRE_SIGTERM:
4819ff03 3071 if (s->kill_context.send_sigkill) {
f2341e0a 3072 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
cfc4eb4c 3073 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3074 } else {
f2341e0a 3075 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
cfc4eb4c 3076 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3077 }
034c6ed7
LP		 3078 break;
3079
3080 case SOCKET_STOP_PRE_SIGKILL:
f2341e0a 3081 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
cfc4eb4c 3082 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3083 break;
3084
3085 case SOCKET_STOP_POST:
f2341e0a 3086 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
cfc4eb4c 3087 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3088 break;
3089
80876c20 3090 case SOCKET_FINAL_SIGTERM:
4819ff03 3091 if (s->kill_context.send_sigkill) {
f2341e0a 3092 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
cfc4eb4c 3093 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3094 } else {
f2341e0a 3095 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
cfc4eb4c 3096 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3097 }
034c6ed7
LP		 3098 break;
3099
80876c20 3100 case SOCKET_FINAL_SIGKILL:
f2341e0a 3101 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
cfc4eb4c 3102 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3103 break;
3104
3105 default:
3106 assert_not_reached("Timeout at wrong time.");
3107 }
718db961
LP		 3108
3109 return 0;
5cb5a6ff
LP		 3110}
3111
79c7626d
LP		 3112int socket_collect_fds(Socket *s, int **fds) {
3113 int *rfds, k = 0, n = 0;
44d8db9e
LP		 3114 SocketPort *p;
3115
3116 assert(s);
3117 assert(fds);
44d8db9e
LP		 3118
3119 /* Called from the service code for requesting our fds */
3120
15087cdb 3121 LIST_FOREACH(port, p, s->ports) {
44d8db9e 3122 if (p->fd >= 0)
79c7626d
LP		 3123 n++;
3124 n += p->n_auxiliary_fds;
15087cdb 3125 }
44d8db9e 3126
79c7626d 3127 if (n <= 0) {
de3756ab 3128 *fds = NULL;
de3756ab
LP		 3129 return 0;
3130 }
3131
79c7626d 3132 rfds = new(int, n);
e5403f09 3133 if (!rfds)
44d8db9e
LP		 3134 return -ENOMEM;
3135
15087cdb 3136 LIST_FOREACH(port, p, s->ports) {
79c7626d
LP		 3137 int i;
3138
44d8db9e
LP		 3139 if (p->fd >= 0)
3140 rfds[k++] = p->fd;
15087cdb
PS		 3141 for (i = 0; i < p->n_auxiliary_fds; ++i)
3142 rfds[k++] = p->auxiliary_fds[i];
3143 }
44d8db9e 3144
79c7626d 3145 assert(k == n);
44d8db9e
LP		 3146
3147 *fds = rfds;
79c7626d 3148 return n;
44d8db9e
LP		 3149}
3150
e821075a
LP		 3151static void socket_reset_failed(Unit *u) {
3152 Socket *s = SOCKET(u);
3153
3154 assert(s);
3155
3156 if (s->state == SOCKET_FAILED)
3157 socket_set_state(s, SOCKET_DEAD);
3158
3159 s->result = SOCKET_SUCCESS;
3160}
3161
6cf6bbc2
LP		 3162void socket_connection_unref(Socket *s) {
3163 assert(s);
3164
3165 /* The service is dead. Yay!
3166 *
35b8ca3a 3167 * This is strictly for one-instance-per-connection
6cf6bbc2
LP		 3168 * services. */
3169
3170 assert(s->n_connections > 0);
3171 s->n_connections--;
3172
f2341e0a 3173 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
5632e374
LP		 3174}
3175
d137a488
UTL		 3176static void socket_trigger_notify(Unit *u, Unit *other) {
3177 Socket *s = SOCKET(u);
d137a488
UTL		 3178
3179 assert(u);
3180 assert(other);
3181
d14e3a0d
LP		 3182 /* Filter out invocations with bogus state */
3183 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3184 return;
3185
3186 /* Don't propagate state changes from the service if we are already down */
3187 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
d137a488
UTL		 3188 return;
3189
d14e3a0d
LP		 3190 /* We don't care for the service state if we are in Accept=yes mode */
3191 if (s->accept)
3192 return;
3193
3194 /* Propagate start limit hit state */
6bf0f408
LP		 3195 if (other->start_limit_hit) {
3196 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
d137a488 3197 return;
6bf0f408 3198 }
d137a488 3199
d14e3a0d
LP		 3200 /* Don't propagate anything if there's still a job queued */
3201 if (other->job)
6bf0f408 3202 return;
d137a488 3203
6bf0f408
LP		 3204 if (IN_SET(SERVICE(other)->state,
3205 SERVICE_DEAD, SERVICE_FAILED,
3206 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3207 SERVICE_AUTO_RESTART))
3208 socket_enter_listening(s);
d137a488 3209
6bf0f408 3210 if (SERVICE(other)->state == SERVICE_RUNNING)
d137a488
UTL		 3211 socket_set_state(s, SOCKET_RUNNING);
3212}
3213
718db961 3214static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
814cc562 3215 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
8a0867d6
LP		 3216}
3217
7a7821c8 3218static int socket_get_timeout(Unit *u, usec_t *timeout) {
68db7a3b 3219 Socket *s = SOCKET(u);
7a7821c8 3220 usec_t t;
68db7a3b
ZJS		 3221 int r;
3222
3223 if (!s->timer_event_source)
3224 return 0;
3225
7a7821c8 3226 r = sd_event_source_get_time(s->timer_event_source, &t);
68db7a3b
ZJS		 3227 if (r < 0)
3228 return r;
7a7821c8
LP		 3229 if (t == USEC_INFINITY)
3230 return 0;
68db7a3b 3231
7a7821c8 3232 *timeout = t;
68db7a3b
ZJS		 3233 return 1;
3234}
3235
8dd4c05b
LP		 3236char *socket_fdname(Socket *s) {
3237 assert(s);
3238
3239 /* Returns the name to use for $LISTEN_NAMES. If the user
3240 * didn't specify anything specifically, use the socket unit's
3241 * name as fallback. */
3242
84500122 3243 return s->fdname ?: UNIT(s)->id;
8dd4c05b
LP		 3244}
3245
291d565a
LP		 3246static int socket_control_pid(Unit *u) {
3247 Socket *s = SOCKET(u);
3248
3249 assert(s);
3250
3251 return s->control_pid;
3252}
3253
a16e1123 3254static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
836bb1cd
YW		 3255 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3256 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3257 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3258 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3259 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
a16e1123
LP		 3260};
3261
3262DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3263
cfc4eb4c
LP		 3264static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3265 [SOCKET_SUCCESS] = "success",
3266 [SOCKET_FAILURE_RESOURCES] = "resources",
3267 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3268 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3269 [SOCKET_FAILURE_SIGNAL] = "signal",
c2f34808 3270 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
07299350 3271 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
8b26cdbd 3272 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
6bf0f408 3273 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
cfc4eb4c
LP		 3274};
3275
3276DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3277
87f0e418 3278const UnitVTable socket_vtable = {
7d17cfbc 3279 .object_size = sizeof(Socket),
718db961
LP		 3280 .exec_context_offset = offsetof(Socket, exec_context),
3281 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3282 .kill_context_offset = offsetof(Socket, kill_context),
613b411c 3283 .exec_runtime_offset = offsetof(Socket, exec_runtime),
29206d46 3284 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3ef63c31 3285
f975e971
LP		 3286 .sections =
3287 "Unit\0"
3288 "Socket\0"
3289 "Install\0",
4ad49000 3290 .private_section = "Socket",
71645aca 3291
9c0320e7
YW		 3292 .can_transient = true,
3293
034c6ed7
LP		 3294 .init = socket_init,
3295 .done = socket_done,
a16e1123
LP		 3296 .load = socket_load,
3297
3298 .coldplug = socket_coldplug,
034c6ed7 3299
5cb5a6ff
LP		 3300 .dump = socket_dump,
3301
542563ba
LP		 3302 .start = socket_start,
3303 .stop = socket_stop,
5cb5a6ff 3304
718db961
LP		 3305 .kill = socket_kill,
3306
68db7a3b
ZJS		 3307 .get_timeout = socket_get_timeout,
3308
a16e1123
LP		 3309 .serialize = socket_serialize,
3310 .deserialize_item = socket_deserialize_item,
01e10de3 3311 .distribute_fds = socket_distribute_fds,
a16e1123 3312
5cb5a6ff 3313 .active_state = socket_active_state,
10a94420 3314 .sub_state_to_string = socket_sub_state_to_string,
5cb5a6ff 3315
f2f725e5 3316 .may_gc = socket_may_gc,
6cf6bbc2 3317
034c6ed7 3318 .sigchld_event = socket_sigchld_event,
4139c1b2 3319
d137a488
UTL		 3320 .trigger_notify = socket_trigger_notify,
3321
fdf20a31 3322 .reset_failed = socket_reset_failed,
5632e374 3323
291d565a
LP		 3324 .control_pid = socket_control_pid,
3325
718db961 3326 .bus_vtable = bus_socket_vtable,
74c964d3
LP		 3327 .bus_set_property = bus_socket_set_property,
3328 .bus_commit_properties = bus_socket_commit_properties,
c6918296
MS		 3329
3330 .status_message_formats = {
3331 /*.starting_stopping = {
3332 [0] = "Starting socket %s...",
3333 [1] = "Stopping socket %s...",
3334 },*/
3335 .finished_start_job = {
3336 [JOB_DONE] = "Listening on %s.",
3337 [JOB_FAILED] = "Failed to listen on %s.",
c6918296
MS		 3338 [JOB_TIMEOUT] = "Timed out starting %s.",
3339 },
3340 .finished_stop_job = {
3341 [JOB_DONE] = "Closed %s.",
3342 [JOB_FAILED] = "Failed stopping %s.",
3343 [JOB_TIMEOUT] = "Timed out stopping %s.",
3344 },
3345 },
5cb5a6ff 3346};
Unnamed repository; edit this file 'description' to name the repository.