]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/socket.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add SPDX license identifiers to source files under the LGPL
[thirdparty/systemd.git] / src / core / socket.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09
LP		 2/***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 15 Lesser General Public License for more details.
a7334b09 16
5430f7f2 17 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19***/
20
e8da24a6 21#include <arpa/inet.h>
83c60c9f
LP		 22#include <errno.h>
23#include <fcntl.h>
916abb21 24#include <mqueue.h>
e8da24a6
LP		 25#include <netinet/tcp.h>
26#include <signal.h>
27#include <sys/epoll.h>
28#include <sys/stat.h>
29#include <unistd.h>
62bc4efc 30#include <linux/sctp.h>
83c60c9f 31
b5efdb8a 32#include "alloc-util.h"
a79279c7 33#include "bpf-firewall.h"
e8da24a6
LP		 34#include "bus-error.h"
35#include "bus-util.h"
36#include "copy.h"
37#include "dbus-socket.h"
38#include "def.h"
39#include "exit-status.h"
3ffd4af2 40#include "fd-util.h"
f97b34a6 41#include "format-util.h"
95f7fbbf 42#include "fs-util.h"
a79279c7 43#include "in-addr-util.h"
60d9771c 44#include "io-util.h"
e8da24a6 45#include "label.h"
83c60c9f 46#include "log.h"
e8da24a6 47#include "missing.h"
49e942b2 48#include "mkdir.h"
6bedfcbb 49#include "parse-util.h"
9eb977db 50#include "path-util.h"
7b3e062c 51#include "process-util.h"
d7b8eec7 52#include "selinux-util.h"
24882e06 53#include "signal-util.h"
e8da24a6 54#include "smack-util.h"
24882e06 55#include "socket.h"
e8da24a6 56#include "special.h"
8b43440b 57#include "string-table.h"
07630cea 58#include "string-util.h"
e8da24a6
LP		 59#include "strv.h"
60#include "unit-name.h"
e8da24a6 61#include "unit.h"
b1d4f8e1 62#include "user-util.h"
83c60c9f 63
166cf510
ZJS		 64struct SocketPeer {
65 unsigned n_ref;
66
67 Socket *socket;
68 union sockaddr_union peer;
41733ae1 69 socklen_t peer_salen;
166cf510
ZJS		 70};
71
acbb0225 72static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
87f0e418
LP		 73 [SOCKET_DEAD] = UNIT_INACTIVE,
74 [SOCKET_START_PRE] = UNIT_ACTIVATING,
3900e5fd 75 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
87f0e418
LP		 76 [SOCKET_START_POST] = UNIT_ACTIVATING,
77 [SOCKET_LISTENING] = UNIT_ACTIVE,
78 [SOCKET_RUNNING] = UNIT_ACTIVE,
79 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
80 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
80876c20
LP		 83 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
fdf20a31 85 [SOCKET_FAILED] = UNIT_FAILED
83c60c9f 86};
5cb5a6ff 87
718db961
LP		 88static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
89static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
90
a16e1123
LP		 91static void socket_init(Unit *u) {
92 Socket *s = SOCKET(u);
93
94 assert(u);
ac155bb8 95 assert(u->load_state == UNIT_STUB);
a16e1123 96
a16e1123 97 s->backlog = SOMAXCONN;
1f19a534 98 s->timeout_usec = u->manager->default_timeout_start_usec;
a16e1123 99 s->directory_mode = 0755;
9131f660 100 s->socket_mode = 0666;
a16e1123 101
6cf6bbc2
LP		 102 s->max_connections = 64;
103
4fd5948e 104 s->priority = -1;
4fd5948e
LP		 105 s->ip_tos = -1;
106 s->ip_ttl = -1;
4fd5948e 107 s->mark = -1;
4fd5948e 108
ac155bb8
MS		 109 s->exec_context.std_output = u->manager->default_std_output;
110 s->exec_context.std_error = u->manager->default_std_error;
085afe36 111
a16e1123 112 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
8b26cdbd 113
1f15ce28
LP		 114 s->trigger_limit.interval = USEC_INFINITY;
115 s->trigger_limit.burst = (unsigned) -1;
a16e1123 116}
acbb0225 117
5e94833f
LP		 118static void socket_unwatch_control_pid(Socket *s) {
119 assert(s);
120
121 if (s->control_pid <= 0)
122 return;
123
124 unit_unwatch_pid(UNIT(s), s->control_pid);
125 s->control_pid = 0;
126}
127
15087cdb 128static void socket_cleanup_fd_list(SocketPort *p) {
3ffd4af2 129 assert(p);
15087cdb 130
3ffd4af2 131 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
15087cdb
PS		 132 p->auxiliary_fds = mfree(p->auxiliary_fds);
133 p->n_auxiliary_fds = 0;
134}
135
74051b9b 136void socket_free_ports(Socket *s) {
034c6ed7
LP		 137 SocketPort *p;
138
139 assert(s);
140
141 while ((p = s->ports)) {
71fda00f 142 LIST_REMOVE(port, s->ports, p);
034c6ed7 143
718db961
LP		 144 sd_event_source_unref(p->event_source);
145
15087cdb 146 socket_cleanup_fd_list(p);
03e334a1 147 safe_close(p->fd);
034c6ed7
LP		 148 free(p->path);
149 free(p);
150 }
74051b9b
LP		 151}
152
153static void socket_done(Unit *u) {
154 Socket *s = SOCKET(u);
9d565427 155 SocketPeer *p;
74051b9b
LP		 156
157 assert(s);
158
159 socket_free_ports(s);
034c6ed7 160
9a73653c 161 while ((p = set_steal_first(s->peers_by_address)))
9d565427
SS		 162 p->socket = NULL;
163
9a73653c 164 s->peers_by_address = set_free(s->peers_by_address);
9d565427 165
613b411c 166 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
e537352b 167 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
034c6ed7
LP		 168 s->control_command = NULL;
169
29206d46
LP		 170 dynamic_creds_unref(&s->dynamic_creds);
171
5e94833f 172 socket_unwatch_control_pid(s);
034c6ed7 173
57020a3a 174 unit_ref_unset(&s->service);
034c6ed7 175
a1e58e8e
LP		 176 s->tcp_congestion = mfree(s->tcp_congestion);
177 s->bind_to_device = mfree(s->bind_to_device);
acbb0225 178
0a78712e
DM		 179 s->smack = mfree(s->smack);
180 s->smack_ip_in = mfree(s->smack_ip_in);
181 s->smack_ip_out = mfree(s->smack_ip_out);
0eb59ccf 182
811ba7a0
LP		 183 strv_free(s->symlinks);
184
0a78712e
DM		 185 s->user = mfree(s->user);
186 s->group = mfree(s->group);
3900e5fd 187
a97b23d6
DM		 188 s->fdname = mfree(s->fdname);
189
718db961
LP		 190 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
191}
192
36c16a7c 193static int socket_arm_timer(Socket *s, usec_t usec) {
718db961
LP		 194 int r;
195
196 assert(s);
197
718db961 198 if (s->timer_event_source) {
36c16a7c 199 r = sd_event_source_set_time(s->timer_event_source, usec);
718db961
LP		 200 if (r < 0)
201 return r;
202
203 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
204 }
205
36c16a7c
LP		 206 if (usec == USEC_INFINITY)
207 return 0;
208
7dfbe2e3 209 r = sd_event_add_time(
6a0f1f6d
LP		 210 UNIT(s)->manager->event,
211 &s->timer_event_source,
212 CLOCK_MONOTONIC,
36c16a7c 213 usec, 0,
6a0f1f6d 214 socket_dispatch_timer, s);
7dfbe2e3
TG		 215 if (r < 0)
216 return r;
217
218 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
219
220 return 0;
5cb5a6ff
LP		 221}
222
8b835fcc
ZJS		 223int socket_instantiate_service(Socket *s) {
224 _cleanup_free_ char *prefix = NULL, *name = NULL;
b15bdda8
LP		 225 int r;
226 Unit *u;
227
228 assert(s);
229
230 /* This fills in s->service if it isn't filled in yet. For
231 * Accept=yes sockets we create the next connection service
232 * here. For Accept=no this is mostly a NOP since the service
233 * is figured out at load time anyway. */
234
7410616c 235 if (UNIT_DEREF(s->service))
b15bdda8
LP		 236 return 0;
237
7410616c
LP		 238 if (!s->accept)
239 return 0;
240
241 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
242 if (r < 0)
243 return r;
b15bdda8 244
315db1a8 245 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
b15bdda8
LP		 246 return -ENOMEM;
247
1124fe6f 248 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
b15bdda8
LP		 249 if (r < 0)
250 return r;
251
57020a3a
LP		 252 unit_ref_set(&s->service, u);
253
eef85c4a 254 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
b15bdda8
LP		 255}
256
4f2d528d
LP		 257static bool have_non_accept_socket(Socket *s) {
258 SocketPort *p;
259
260 assert(s);
261
262 if (!s->accept)
263 return true;
264
dd5ad9d4
LP		 265 LIST_FOREACH(port, p, s->ports) {
266
267 if (p->type != SOCKET_SOCKET)
268 return true;
269
4f2d528d
LP		 270 if (!socket_address_can_accept(&p->address))
271 return true;
dd5ad9d4 272 }
4f2d528d
LP		 273
274 return false;
275}
276
eef85c4a 277static int socket_add_mount_dependencies(Socket *s) {
6e2ef85b 278 SocketPort *p;
6e2ef85b
LP		 279 int r;
280
281 assert(s);
6e2ef85b 282
a57f7e2c
LP		 283 LIST_FOREACH(port, p, s->ports) {
284 const char *path = NULL;
6e2ef85b 285
a57f7e2c
LP		 286 if (p->type == SOCKET_SOCKET)
287 path = socket_address_get_path(&p->address);
60252446 288 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
a57f7e2c 289 path = p->path;
6e2ef85b 290
a57f7e2c
LP		 291 if (!path)
292 continue;
6e2ef85b 293
eef85c4a 294 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
b87705cd 295 if (r < 0)
6e2ef85b 296 return r;
b87705cd 297 }
6e2ef85b
LP		 298
299 return 0;
300}
301
eef85c4a 302static int socket_add_device_dependencies(Socket *s) {
6e2ef85b 303 char *t;
6e2ef85b
LP		 304
305 assert(s);
306
7d0c710d 307 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
6e2ef85b
LP		 308 return 0;
309
63c372cb 310 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
eef85c4a 311 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
6e2ef85b
LP		 312}
313
a40eb732
LP		 314static int socket_add_default_dependencies(Socket *s) {
315 int r;
316 assert(s);
317
4c9ea260
LP		 318 if (!UNIT(s)->default_dependencies)
319 return 0;
320
eef85c4a 321 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721
LP		 322 if (r < 0)
323 return r;
2a77d31d 324
463d0d15 325 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
eef85c4a 326 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
e3d84721 327 if (r < 0)
a40eb732 328 return r;
2a77d31d 329 }
a40eb732 330
eef85c4a 331 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
a40eb732
LP		 332}
333
44a6b1b6 334_pure_ static bool socket_has_exec(Socket *s) {
4cfc6dbe
LP		 335 unsigned i;
336 assert(s);
337
338 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
339 if (s->exec_command[i])
340 return true;
341
342 return false;
343}
344
e821075a
LP		 345static int socket_add_extras(Socket *s) {
346 Unit *u = UNIT(s);
e537352b 347 int r;
44d8db9e 348
e821075a 349 assert(s);
57020a3a 350
1f15ce28
LP		 351 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
352 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
353 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
354 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
355 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
356 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
357 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
358 * service starts are typical. */
359
360 if (s->trigger_limit.interval == USEC_INFINITY)
361 s->trigger_limit.interval = 2 * USEC_PER_SEC;
362
363 if (s->trigger_limit.burst == (unsigned) -1) {
364 if (s->accept)
365 s->trigger_limit.burst = 200;
366 else
367 s->trigger_limit.burst = 20;
368 }
369
e821075a 370 if (have_non_accept_socket(s)) {
23a177ef 371
e821075a
LP		 372 if (!UNIT_DEREF(s->service)) {
373 Unit *x;
57020a3a 374
e821075a 375 r = unit_load_related_unit(u, ".service", &x);
57020a3a 376 if (r < 0)
4f2d528d 377 return r;
e821075a
LP		 378
379 unit_ref_set(&s->service, x);
4f2d528d 380 }
44d8db9e 381
eef85c4a 382 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
e821075a 383 if (r < 0)
6e2ef85b 384 return r;
e821075a 385 }
6e2ef85b 386
eef85c4a 387 r = socket_add_mount_dependencies(s);
e821075a
LP		 388 if (r < 0)
389 return r;
6e2ef85b 390
eef85c4a 391 r = socket_add_device_dependencies(s);
e821075a
LP		 392 if (r < 0)
393 return r;
394
598459ce 395 r = unit_patch_contexts(u);
e821075a
LP		 396 if (r < 0)
397 return r;
398
399 if (socket_has_exec(s)) {
400 r = unit_add_exec_dependencies(u, &s->exec_context);
401 if (r < 0)
402 return r;
e821075a 403 }
a016b922 404
88af31f9
LP		 405 r = unit_set_default_slice(u);
406 if (r < 0)
407 return r;
408
4c9ea260
LP		 409 r = socket_add_default_dependencies(s);
410 if (r < 0)
411 return r;
e821075a
LP		 412
413 return 0;
414}
415
811ba7a0
LP		 416static const char *socket_find_symlink_target(Socket *s) {
417 const char *found = NULL;
418 SocketPort *p;
419
420 LIST_FOREACH(port, p, s->ports) {
421 const char *f = NULL;
422
423 switch (p->type) {
424
425 case SOCKET_FIFO:
426 f = p->path;
427 break;
428
429 case SOCKET_SOCKET:
b9495e8d 430 f = socket_address_get_path(&p->address);
811ba7a0
LP		 431 break;
432
433 default:
434 break;
435 }
436
437 if (f) {
438 if (found)
439 return NULL;
440
441 found = f;
442 }
443 }
444
445 return found;
446}
447
e821075a
LP		 448static int socket_verify(Socket *s) {
449 assert(s);
450
451 if (UNIT(s)->load_state != UNIT_LOADED)
452 return 0;
453
454 if (!s->ports) {
da3bddc9 455 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
e821075a
LP		 456 return -EINVAL;
457 }
458
459 if (s->accept && have_non_accept_socket(s)) {
f2341e0a 460 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
e821075a
LP		 461 return -EINVAL;
462 }
463
464 if (s->accept && s->max_connections <= 0) {
f2341e0a 465 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
e821075a
LP		 466 return -EINVAL;
467 }
e06c73cc 468
e821075a 469 if (s->accept && UNIT_DEREF(s->service)) {
f2341e0a 470 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
e821075a
LP		 471 return -EINVAL;
472 }
473
474 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
f2341e0a 475 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
e821075a
LP		 476 return -EINVAL;
477 }
478
811ba7a0 479 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
f2341e0a 480 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
811ba7a0
LP		 481 return -EINVAL;
482 }
483
e821075a
LP		 484 return 0;
485}
486
9d565427
SS		 487static void peer_address_hash_func(const void *p, struct siphash *state) {
488 const SocketPeer *s = p;
489
490 assert(s);
491
492 if (s->peer.sa.sa_family == AF_INET)
493 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
41733ae1 494 else if (s->peer.sa.sa_family == AF_INET6)
9d565427 495 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
359a5bcf
SH		 496 else if (s->peer.sa.sa_family == AF_VSOCK)
497 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
41733ae1
LP		 498 else
499 assert_not_reached("Unknown address family.");
9d565427
SS		 500}
501
502static int peer_address_compare_func(const void *a, const void *b) {
503 const SocketPeer *x = a, *y = b;
504
505 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
506 return -1;
507 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
508 return 1;
509
510 switch(x->peer.sa.sa_family) {
511 case AF_INET:
512 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
513 case AF_INET6:
514 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
359a5bcf
SH		 515 case AF_VSOCK:
516 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
517 return -1;
518 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
519 return 1;
520 return 0;
9d565427 521 }
166cf510 522 assert_not_reached("Black sheep in the family!");
9d565427
SS		 523}
524
525const struct hash_ops peer_address_hash_ops = {
526 .hash = peer_address_hash_func,
527 .compare = peer_address_compare_func
528};
529
e821075a
LP		 530static int socket_load(Unit *u) {
531 Socket *s = SOCKET(u);
532 int r;
533
534 assert(u);
535 assert(u->load_state == UNIT_STUB);
536
9a73653c 537 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
9d565427
SS		 538 if (r < 0)
539 return r;
540
e821075a
LP		 541 r = unit_load_fragment_and_dropin(u);
542 if (r < 0)
543 return r;
544
545 if (u->load_state == UNIT_LOADED) {
546 /* This is a new unit? Then let's add in some extras */
547 r = socket_add_extras(s);
e06c73cc
LP		 548 if (r < 0)
549 return r;
23a177ef
LP		 550 }
551
4f2d528d 552 return socket_verify(s);
44d8db9e
LP		 553}
554
166cf510
ZJS		 555static SocketPeer *socket_peer_new(void) {
556 SocketPeer *p;
557
558 p = new0(SocketPeer, 1);
559 if (!p)
560 return NULL;
561
562 p->n_ref = 1;
563
564 return p;
565}
566
567SocketPeer *socket_peer_ref(SocketPeer *p) {
568 if (!p)
569 return NULL;
570
571 assert(p->n_ref > 0);
572 p->n_ref++;
573
574 return p;
575}
576
577SocketPeer *socket_peer_unref(SocketPeer *p) {
578 if (!p)
579 return NULL;
580
581 assert(p->n_ref > 0);
582
583 p->n_ref--;
584
585 if (p->n_ref > 0)
586 return NULL;
587
588 if (p->socket)
589 set_remove(p->socket->peers_by_address, p);
590
591 return mfree(p);
592}
593
3ebcd323 594int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
166cf510
ZJS		 595 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
596 SocketPeer sa = {}, *i;
597 socklen_t salen = sizeof(sa.peer);
598 int r;
599
600 assert(fd >= 0);
601 assert(s);
602
603 r = getpeername(fd, &sa.peer.sa, &salen);
604 if (r < 0)
605 return log_error_errno(errno, "getpeername failed: %m");
606
359a5bcf 607 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
166cf510
ZJS		 608 *p = NULL;
609 return 0;
610 }
611
612 i = set_get(s->peers_by_address, &sa);
613 if (i) {
614 *p = socket_peer_ref(i);
615 return 1;
616 }
617
618 remote = socket_peer_new();
619 if (!remote)
620 return log_oom();
621
622 remote->peer = sa.peer;
41733ae1 623 remote->peer_salen = salen;
166cf510
ZJS		 624
625 r = set_put(s->peers_by_address, remote);
626 if (r < 0)
627 return r;
628
629 remote->socket = s;
630
631 *p = remote;
632 remote = NULL;
633
634 return 1;
635}
636
44a6b1b6 637_const_ static const char* listen_lookup(int family, int type) {
7a22745a
LP		 638
639 if (family == AF_NETLINK)
640 return "ListenNetlink";
542563ba
LP		 641
642 if (type == SOCK_STREAM)
643 return "ListenStream";
644 else if (type == SOCK_DGRAM)
645 return "ListenDatagram";
646 else if (type == SOCK_SEQPACKET)
647 return "ListenSequentialPacket";
648
034c6ed7 649 assert_not_reached("Unknown socket type");
542563ba
LP		 650 return NULL;
651}
652
87f0e418 653static void socket_dump(Unit *u, FILE *f, const char *prefix) {
209e9dcd 654 char time_string[FORMAT_TIMESPAN_MAX];
5cb5a6ff 655 SocketExecCommand c;
87f0e418 656 Socket *s = SOCKET(u);
542563ba 657 SocketPort *p;
82ba9f08 658 const char *prefix2;
5cb5a6ff
LP		 659
660 assert(s);
fa068367 661 assert(f);
5cb5a6ff 662
4c940960 663 prefix = strempty(prefix);
63c372cb 664 prefix2 = strjoina(prefix, "\t");
c43d20a0 665
5cb5a6ff
LP		 666 fprintf(f,
667 "%sSocket State: %s\n"
81a5c6d0 668 "%sResult: %s\n"
542563ba 669 "%sBindIPv6Only: %s\n"
b5a0699f
LP		 670 "%sBacklog: %u\n"
671 "%sSocketMode: %04o\n"
4fd5948e
LP		 672 "%sDirectoryMode: %04o\n"
673 "%sKeepAlive: %s\n"
4427c3f4 674 "%sNoDelay: %s\n"
cebf8b20 675 "%sFreeBind: %s\n"
6b6d2dee 676 "%sTransparent: %s\n"
ec6370a2 677 "%sBroadcast: %s\n"
ede3deb4 678 "%sPassCredentials: %s\n"
54ecda32 679 "%sPassSecurity: %s\n"
bd1fe7c7 680 "%sTCPCongestion: %s\n"
16115b0a 681 "%sRemoveOnStop: %s\n"
55301ec0 682 "%sWritable: %s\n"
8dd4c05b 683 "%sFDName: %s\n"
16115b0a 684 "%sSELinuxContextFromNet: %s\n",
a16e1123 685 prefix, socket_state_to_string(s->state),
81a5c6d0 686 prefix, socket_result_to_string(s->result),
c0120d99 687 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
b5a0699f
LP		 688 prefix, s->backlog,
689 prefix, s->socket_mode,
4fd5948e
LP		 690 prefix, s->directory_mode,
691 prefix, yes_no(s->keep_alive),
4427c3f4 692 prefix, yes_no(s->no_delay),
cebf8b20 693 prefix, yes_no(s->free_bind),
6b6d2dee 694 prefix, yes_no(s->transparent),
ec6370a2 695 prefix, yes_no(s->broadcast),
d68af586 696 prefix, yes_no(s->pass_cred),
54ecda32 697 prefix, yes_no(s->pass_sec),
bd1fe7c7 698 prefix, strna(s->tcp_congestion),
16115b0a 699 prefix, yes_no(s->remove_on_stop),
55301ec0 700 prefix, yes_no(s->writable),
8dd4c05b 701 prefix, socket_fdname(s),
16115b0a 702 prefix, yes_no(s->selinux_context_from_net));
542563ba 703
70123e68
LP		 704 if (s->control_pid > 0)
705 fprintf(f,
de0671ee
ZJS		 706 "%sControl PID: "PID_FMT"\n",
707 prefix, s->control_pid);
70123e68 708
acbb0225
LP		 709 if (s->bind_to_device)
710 fprintf(f,
711 "%sBindToDevice: %s\n",
712 prefix, s->bind_to_device);
713
4f2d528d
LP		 714 if (s->accept)
715 fprintf(f,
6cf6bbc2
LP		 716 "%sAccepted: %u\n"
717 "%sNConnections: %u\n"
718 "%sMaxConnections: %u\n",
719 prefix, s->n_accepted,
720 prefix, s->n_connections,
721 prefix, s->max_connections);
4f2d528d 722
4fd5948e
LP		 723 if (s->priority >= 0)
724 fprintf(f,
725 "%sPriority: %i\n",
726 prefix, s->priority);
727
728 if (s->receive_buffer > 0)
729 fprintf(f,
730 "%sReceiveBuffer: %zu\n",
731 prefix, s->receive_buffer);
732
733 if (s->send_buffer > 0)
734 fprintf(f,
735 "%sSendBuffer: %zu\n",
736 prefix, s->send_buffer);
737
738 if (s->ip_tos >= 0)
739 fprintf(f,
740 "%sIPTOS: %i\n",
741 prefix, s->ip_tos);
742
743 if (s->ip_ttl >= 0)
744 fprintf(f,
745 "%sIPTTL: %i\n",
746 prefix, s->ip_ttl);
747
748 if (s->pipe_size > 0)
749 fprintf(f,
750 "%sPipeSize: %zu\n",
751 prefix, s->pipe_size);
752
753 if (s->mark >= 0)
754 fprintf(f,
755 "%sMark: %i\n",
756 prefix, s->mark);
757
916abb21
LP		 758 if (s->mq_maxmsg > 0)
759 fprintf(f,
760 "%sMessageQueueMaxMessages: %li\n",
761 prefix, s->mq_maxmsg);
762
763 if (s->mq_msgsize > 0)
764 fprintf(f,
765 "%sMessageQueueMessageSize: %li\n",
766 prefix, s->mq_msgsize);
767
718db961 768 if (s->reuse_port)
f7db7a69
SL		 769 fprintf(f,
770 "%sReusePort: %s\n",
718db961 771 prefix, yes_no(s->reuse_port));
f7db7a69 772
0eb59ccf
AK		 773 if (s->smack)
774 fprintf(f,
775 "%sSmackLabel: %s\n",
776 prefix, s->smack);
777
778 if (s->smack_ip_in)
779 fprintf(f,
780 "%sSmackLabelIPIn: %s\n",
781 prefix, s->smack_ip_in);
782
783 if (s->smack_ip_out)
784 fprintf(f,
785 "%sSmackLabelIPOut: %s\n",
786 prefix, s->smack_ip_out);
787
3900e5fd
LP		 788 if (!isempty(s->user) || !isempty(s->group))
789 fprintf(f,
d2a50e3b
LP		 790 "%sSocketUser: %s\n"
791 "%sSocketGroup: %s\n",
3900e5fd
LP		 792 prefix, strna(s->user),
793 prefix, strna(s->group));
794
3cd761e4 795 if (s->keep_alive_time > 0)
209e9dcd 796 fprintf(f,
3cd761e4
LP		 797 "%sKeepAliveTimeSec: %s\n",
798 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
209e9dcd 799
3cd761e4 800 if (s->keep_alive_interval)
209e9dcd 801 fprintf(f,
3cd761e4
LP		 802 "%sKeepAliveIntervalSec: %s\n",
803 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
209e9dcd 804
3cd761e4 805 if (s->keep_alive_cnt)
209e9dcd
SS		 806 fprintf(f,
807 "%sKeepAliveProbes: %u\n",
808 prefix, s->keep_alive_cnt);
809
3cd761e4 810 if (s->defer_accept)
cc567c9b 811 fprintf(f,
3cd761e4
LP		 812 "%sDeferAcceptSec: %s\n",
813 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
cc567c9b 814
034c6ed7 815 LIST_FOREACH(port, p, s->ports) {
5cb5a6ff 816
542563ba
LP		 817 if (p->type == SOCKET_SOCKET) {
818 const char *t;
819 int r;
e364ad06 820 char *k = NULL;
542563ba 821
e53fc357
LP		 822 r = socket_address_print(&p->address, &k);
823 if (r < 0)
542563ba
LP		 824 t = strerror(-r);
825 else
826 t = k;
827
7a22745a 828 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
542563ba 829 free(k);
b0a3f2bc
LP		 830 } else if (p->type == SOCKET_SPECIAL)
831 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
60252446
PS		 832 else if (p->type == SOCKET_USB_FUNCTION)
833 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
916abb21
LP		 834 else if (p->type == SOCKET_MQUEUE)
835 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
b0a3f2bc 836 else
542563ba
LP		 837 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
838 }
5cb5a6ff 839
1745fa70
EV		 840 fprintf(f,
841 "%sTriggerLimitIntervalSec: %s\n"
842 "%sTriggerLimitBurst: %u\n",
843 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
844 prefix, s->trigger_limit.burst);
845
5cb5a6ff 846 exec_context_dump(&s->exec_context, f, prefix);
4819ff03 847 kill_context_dump(&s->kill_context, f, prefix);
5cb5a6ff 848
e537352b 849 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
c43d20a0
LP		 850 if (!s->exec_command[c])
851 continue;
5cb5a6ff 852
40d50879 853 fprintf(f, "%s-> %s:\n",
a16e1123 854 prefix, socket_exec_command_to_string(c));
c43d20a0
LP		 855
856 exec_command_dump_list(s->exec_command[c], f, prefix2);
5cb5a6ff 857 }
18f573aa
LP		 858
859 cgroup_context_dump(&s->cgroup_context, f, prefix);
5cb5a6ff
LP		 860}
861
4f2d528d
LP		 862static int instance_from_socket(int fd, unsigned nr, char **instance) {
863 socklen_t l;
864 char *r;
9d16d0c7 865 union sockaddr_union local, remote;
4f2d528d
LP		 866
867 assert(fd >= 0);
868 assert(instance);
869
870 l = sizeof(local);
871 if (getsockname(fd, &local.sa, &l) < 0)
872 return -errno;
873
874 l = sizeof(remote);
875 if (getpeername(fd, &remote.sa, &l) < 0)
876 return -errno;
877
878 switch (local.sa.sa_family) {
879
880 case AF_INET: {
881 uint32_t
8e38570e
LP		 882 a = be32toh(local.in.sin_addr.s_addr),
883 b = be32toh(remote.in.sin_addr.s_addr);
4f2d528d
LP		 884
885 if (asprintf(&r,
77b088c2
LP		 886 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
887 nr,
4f2d528d 888 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
8e38570e 889 be16toh(local.in.sin_port),
4f2d528d 890 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
8e38570e 891 be16toh(remote.in.sin_port)) < 0)
4f2d528d
LP		 892 return -ENOMEM;
893
894 break;
895 }
896
897 case AF_INET6: {
c65a0b14 898 static const unsigned char ipv4_prefix[] = {
2b061f5a
LP		 899 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
900 };
901
902 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
903 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
904 const uint8_t
905 *a = local.in6.sin6_addr.s6_addr+12,
906 *b = remote.in6.sin6_addr.s6_addr+12;
907
908 if (asprintf(&r,
77b088c2
LP		 909 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
910 nr,
2b061f5a 911 a[0], a[1], a[2], a[3],
8e38570e 912 be16toh(local.in6.sin6_port),
2b061f5a 913 b[0], b[1], b[2], b[3],
8e38570e 914 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 915 return -ENOMEM;
916 } else {
917 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
918
919 if (asprintf(&r,
77b088c2
LP		 920 "%u-%s:%u-%s:%u",
921 nr,
2b061f5a 922 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
8e38570e 923 be16toh(local.in6.sin6_port),
2b061f5a 924 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
8e38570e 925 be16toh(remote.in6.sin6_port)) < 0)
2b061f5a
LP		 926 return -ENOMEM;
927 }
4f2d528d
LP		 928
929 break;
930 }
931
932 case AF_UNIX: {
933 struct ucred ucred;
eff05270 934 int k;
4f2d528d 935
eff05270 936 k = getpeercred(fd, &ucred);
d38f6e34
ZJS		 937 if (k >= 0) {
938 if (asprintf(&r,
939 "%u-"PID_FMT"-"UID_FMT,
940 nr, ucred.pid, ucred.uid) < 0)
941 return -ENOMEM;
942 } else if (k == -ENODATA) {
943 /* This handles the case where somebody is
944 * connecting from another pid/uid namespace
945 * (e.g. from outside of our container). */
946 if (asprintf(&r,
947 "%u-unknown",
948 nr) < 0)
949 return -ENOMEM;
950 } else
eff05270 951 return k;
2f20a8eb 952
2f20a8eb 953 break;
4f2d528d
LP		 954 }
955
359a5bcf
SH		 956 case AF_VSOCK:
957 if (asprintf(&r,
958 "%u-%u:%u-%u:%u",
959 nr,
960 local.vm.svm_cid, local.vm.svm_port,
961 remote.vm.svm_cid, remote.vm.svm_port) < 0)
962 return -ENOMEM;
963
964 break;
965
4f2d528d
LP		 966 default:
967 assert_not_reached("Unhandled socket type.");
968 }
969
970 *instance = r;
971 return 0;
972}
973
034c6ed7 974static void socket_close_fds(Socket *s) {
83c60c9f 975 SocketPort *p;
811ba7a0 976 char **i;
83c60c9f
LP		 977
978 assert(s);
979
034c6ed7 980 LIST_FOREACH(port, p, s->ports) {
18e854f8 981 bool was_open;
718db961 982
18e854f8 983 was_open = p->fd >= 0;
83c60c9f 984
18e854f8 985 p->event_source = sd_event_source_unref(p->event_source);
03e334a1 986 p->fd = safe_close(p->fd);
15087cdb 987 socket_cleanup_fd_list(p);
a16e1123 988
18e854f8
LP		 989 /* One little note: we should normally not delete any sockets in the file system here! After all some
990 * other process we spawned might still have a reference of this fd and wants to continue to use
991 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
992 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
993 * anyway, but only then. */
bd1fe7c7 994
18e854f8
LP		 995 if (!was_open || !s->remove_on_stop)
996 continue;
997
998 switch (p->type) {
bd1fe7c7 999
18e854f8
LP		 1000 case SOCKET_FIFO:
1001 (void) unlink(p->path);
1002 break;
bd1fe7c7 1003
18e854f8
LP		 1004 case SOCKET_MQUEUE:
1005 (void) mq_unlink(p->path);
1006 break;
bd1fe7c7 1007
18e854f8
LP		 1008 case SOCKET_SOCKET:
1009 (void) socket_address_unlink(&p->address);
1010 break;
bd1fe7c7 1011
18e854f8
LP		 1012 default:
1013 break;
bd1fe7c7 1014 }
83c60c9f 1015 }
811ba7a0
LP		 1016
1017 if (s->remove_on_stop)
1018 STRV_FOREACH(i, s->symlinks)
18e854f8 1019 (void) unlink(*i);
83c60c9f
LP		 1020}
1021
4fd5948e 1022static void socket_apply_socket_options(Socket *s, int fd) {
d53e386d
LP		 1023 int r;
1024
4fd5948e
LP		 1025 assert(s);
1026 assert(fd >= 0);
1027
1028 if (s->keep_alive) {
1029 int b = s->keep_alive;
1030 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
f2341e0a 1031 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
4fd5948e
LP		 1032 }
1033
209e9dcd
SS		 1034 if (s->keep_alive_time) {
1035 int value = s->keep_alive_time / USEC_PER_SEC;
1036 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
f2341e0a 1037 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
209e9dcd
SS		 1038 }
1039
1040 if (s->keep_alive_interval) {
920b52e4 1041 int value = s->keep_alive_interval / USEC_PER_SEC;
209e9dcd 1042 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
f2341e0a 1043 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
209e9dcd
SS		 1044 }
1045
1046 if (s->keep_alive_cnt) {
1047 int value = s->keep_alive_cnt;
172cfe87 1048 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
f2341e0a 1049 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
209e9dcd
SS		 1050 }
1051
cc567c9b
SS		 1052 if (s->defer_accept) {
1053 int value = s->defer_accept / USEC_PER_SEC;
1054 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
f2341e0a 1055 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
cc567c9b
SS		 1056 }
1057
4427c3f4
SS		 1058 if (s->no_delay) {
1059 int b = s->no_delay;
62bc4efc
SS		 1060
1061 if (s->socket_protocol == IPPROTO_SCTP) {
1062 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1063 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1064 } else {
1065 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1066 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1067 }
4427c3f4
SS		 1068 }
1069
ec6370a2
LP		 1070 if (s->broadcast) {
1071 int one = 1;
1072 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
f2341e0a 1073 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
ec6370a2
LP		 1074 }
1075
d68af586
MS		 1076 if (s->pass_cred) {
1077 int one = 1;
1078 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
f2341e0a 1079 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
d68af586
MS		 1080 }
1081
54ecda32
LP		 1082 if (s->pass_sec) {
1083 int one = 1;
1084 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
f2341e0a 1085 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
54ecda32
LP		 1086 }
1087
4fd5948e
LP		 1088 if (s->priority >= 0)
1089 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
f2341e0a 1090 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
4fd5948e
LP		 1091
1092 if (s->receive_buffer > 0) {
1093 int value = (int) s->receive_buffer;
7d9eaa84
LP		 1094
1095 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1096
b8cef44e 1097 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1098 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
f2341e0a 1099 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
4fd5948e
LP		 1100 }
1101
1102 if (s->send_buffer > 0) {
1103 int value = (int) s->send_buffer;
b8cef44e 1104 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
7d9eaa84 1105 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
f2341e0a 1106 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
4fd5948e
LP		 1107 }
1108
1109 if (s->mark >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
f2341e0a 1111 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
4fd5948e
LP		 1112
1113 if (s->ip_tos >= 0)
1114 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
f2341e0a 1115 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
4fd5948e 1116
46925ac5 1117 if (s->ip_ttl >= 0) {
d53e386d 1118 int x;
46925ac5
LP		 1119
1120 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
5bfcc1c6
FF		 1121
1122 if (socket_ipv6_is_supported())
1123 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1124 else {
1125 x = -1;
1126 errno = EAFNOSUPPORT;
1127 }
46925ac5
LP		 1128
1129 if (r < 0 && x < 0)
f2341e0a 1130 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
46925ac5 1131 }
cebf8b20
TT		 1132
1133 if (s->tcp_congestion)
1134 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
f2341e0a 1135 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
0eb59ccf 1136
d53e386d 1137 if (s->smack_ip_in) {
5ab58c20 1138 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
d53e386d 1139 if (r < 0)
f2341e0a 1140 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
d53e386d 1141 }
9a4e038c 1142
d53e386d 1143 if (s->smack_ip_out) {
5ab58c20 1144 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
d53e386d 1145 if (r < 0)
f2341e0a 1146 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
d53e386d 1147 }
4fd5948e
LP		 1148}
1149
b15bdda8 1150static void socket_apply_fifo_options(Socket *s, int fd) {
d53e386d
LP		 1151 int r;
1152
4fd5948e
LP		 1153 assert(s);
1154 assert(fd >= 0);
1155
1156 if (s->pipe_size > 0)
1157 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
ed460b07 1158 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
0eb59ccf 1159
d53e386d 1160 if (s->smack) {
5ab58c20 1161 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
d53e386d 1162 if (r < 0)
ed460b07 1163 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
d53e386d 1164 }
4fd5948e
LP		 1165}
1166
b15bdda8
LP		 1167static int fifo_address_create(
1168 const char *path,
1169 mode_t directory_mode,
e8da24a6 1170 mode_t socket_mode) {
b15bdda8 1171
e8da24a6 1172 _cleanup_close_ int fd = -1;
b15bdda8 1173 mode_t old_mask;
e8da24a6
LP		 1174 struct stat st;
1175 int r;
b15bdda8
LP		 1176
1177 assert(path);
b15bdda8 1178
1af87ab7 1179 (void) mkdir_parents_label(path, directory_mode);
b15bdda8 1180
ecabcf8b 1181 r = mac_selinux_create_file_prepare(path, S_IFIFO);
e9a5ef7c 1182 if (r < 0)
e8da24a6 1183 return r;
b15bdda8
LP		 1184
1185 /* Enforce the right access mode for the fifo */
1186 old_mask = umask(~ socket_mode);
1187
1188 /* Include the original umask in our mask */
e8da24a6 1189 (void) umask(~socket_mode | old_mask);
b15bdda8
LP		 1190
1191 r = mkfifo(path, socket_mode);
e8da24a6 1192 (void) umask(old_mask);
b15bdda8 1193
94bc2731 1194 if (r < 0 && errno != EEXIST) {
b15bdda8
LP		 1195 r = -errno;
1196 goto fail;
1197 }
1198
e8da24a6 1199 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
3cc2aff1 1200 if (fd < 0) {
b15bdda8
LP		 1201 r = -errno;
1202 goto fail;
1203 }
1204
ecabcf8b 1205 mac_selinux_create_file_clear();
7a58bfa4 1206
b15bdda8
LP		 1207 if (fstat(fd, &st) < 0) {
1208 r = -errno;
1209 goto fail;
1210 }
1211
1212 if (!S_ISFIFO(st.st_mode) ||
de0200fc 1213 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
e4f44e73
DR		 1214 st.st_uid != getuid() ||
1215 st.st_gid != getgid()) {
b15bdda8
LP		 1216 r = -EEXIST;
1217 goto fail;
1218 }
1219
e8da24a6
LP		 1220 r = fd;
1221 fd = -1;
1222
1223 return r;
b15bdda8
LP		 1224
1225fail:
ecabcf8b 1226 mac_selinux_create_file_clear();
b15bdda8
LP		 1227 return r;
1228}
1229
55301ec0 1230static int special_address_create(const char *path, bool writable) {
e8da24a6 1231 _cleanup_close_ int fd = -1;
b0a3f2bc 1232 struct stat st;
e8da24a6 1233 int r;
b0a3f2bc
LP		 1234
1235 assert(path);
b0a3f2bc 1236
55301ec0 1237 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
e8da24a6
LP		 1238 if (fd < 0)
1239 return -errno;
b0a3f2bc 1240
e8da24a6
LP		 1241 if (fstat(fd, &st) < 0)
1242 return -errno;
b0a3f2bc
LP		 1243
1244 /* Check whether this is a /proc, /sys or /dev file or char device */
e8da24a6
LP		 1245 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1246 return -EEXIST;
b0a3f2bc 1247
e8da24a6
LP		 1248 r = fd;
1249 fd = -1;
b0a3f2bc
LP		 1250
1251 return r;
1252}
1253
36078102 1254static int usbffs_address_create(const char *path) {
60252446
PS		 1255 _cleanup_close_ int fd = -1;
1256 struct stat st;
e8da24a6 1257 int r;
60252446
PS		 1258
1259 assert(path);
60252446
PS		 1260
1261 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1262 if (fd < 0)
1263 return -errno;
1264
1265 if (fstat(fd, &st) < 0)
1266 return -errno;
1267
13e785f7 1268 /* Check whether this is a regular file (ffs endpoint) */
60252446
PS		 1269 if (!S_ISREG(st.st_mode))
1270 return -EEXIST;
1271
e8da24a6 1272 r = fd;
60252446
PS		 1273 fd = -1;
1274
e8da24a6 1275 return r;
60252446
PS		 1276}
1277
916abb21
LP		 1278static int mq_address_create(
1279 const char *path,
1280 mode_t mq_mode,
1281 long maxmsg,
e8da24a6 1282 long msgsize) {
916abb21 1283
e8da24a6 1284 _cleanup_close_ int fd = -1;
916abb21
LP		 1285 struct stat st;
1286 mode_t old_mask;
1287 struct mq_attr _attr, *attr = NULL;
e8da24a6 1288 int r;
916abb21
LP		 1289
1290 assert(path);
916abb21
LP		 1291
1292 if (maxmsg > 0 && msgsize > 0) {
e8da24a6
LP		 1293 _attr = (struct mq_attr) {
1294 .mq_flags = O_NONBLOCK,
1295 .mq_maxmsg = maxmsg,
1296 .mq_msgsize = msgsize,
1297 };
916abb21
LP		 1298 attr = &_attr;
1299 }
1300
1301 /* Enforce the right access mode for the mq */
1302 old_mask = umask(~ mq_mode);
1303
1304 /* Include the original umask in our mask */
e8da24a6 1305 (void) umask(~mq_mode | old_mask);
916abb21 1306 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
e8da24a6 1307 (void) umask(old_mask);
916abb21 1308
e8da24a6
LP		 1309 if (fd < 0)
1310 return -errno;
916abb21 1311
e8da24a6
LP		 1312 if (fstat(fd, &st) < 0)
1313 return -errno;
916abb21
LP		 1314
1315 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1316 st.st_uid != getuid() ||
e8da24a6
LP		 1317 st.st_gid != getgid())
1318 return -EEXIST;
916abb21 1319
e8da24a6
LP		 1320 r = fd;
1321 fd = -1;
916abb21 1322
916abb21
LP		 1323 return r;
1324}
1325
811ba7a0
LP		 1326static int socket_symlink(Socket *s) {
1327 const char *p;
1328 char **i;
95f7fbbf 1329 int r;
811ba7a0
LP		 1330
1331 assert(s);
1332
1333 p = socket_find_symlink_target(s);
1334 if (!p)
1335 return 0;
1336
95f7fbbf 1337 STRV_FOREACH(i, s->symlinks) {
1af87ab7
LP		 1338 (void) mkdir_parents_label(*i, s->directory_mode);
1339
95f7fbbf 1340 r = symlink_idempotent(p, *i);
22b20752
LP		 1341
1342 if (r == -EEXIST && s->remove_on_stop) {
1343 /* If there's already something where we want to create the symlink, and the destructive
1344 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1345 * again. */
1346
1347 if (unlink(*i) >= 0)
1348 r = symlink_idempotent(p, *i);
1349 }
1350
95f7fbbf
LP		 1351 if (r < 0)
1352 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1353 }
811ba7a0
LP		 1354
1355 return 0;
1356}
1357
36078102 1358static int usbffs_write_descs(int fd, Service *s) {
6b7e5923
PS		 1359 int r;
1360
1361 if (!s->usb_function_descriptors || !s->usb_function_strings)
1362 return -EINVAL;
1363
1c876927 1364 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
6b7e5923 1365 if (r < 0)
e8da24a6 1366 return r;
6b7e5923 1367
1c876927 1368 return copy_file_fd(s->usb_function_strings, fd, 0);
6b7e5923
PS		 1369}
1370
36078102 1371static int usbffs_select_ep(const struct dirent *d) {
60252446
PS		 1372 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1373}
1374
36078102 1375static int usbffs_dispatch_eps(SocketPort *p) {
60252446 1376 _cleanup_free_ struct dirent **ent = NULL;
36078102 1377 int r, i, n, k;
60252446 1378
00bb64ec 1379 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
60252446
PS		 1380 if (r < 0)
1381 return -errno;
1382
1383 n = r;
1384 p->auxiliary_fds = new(int, n);
1385 if (!p->auxiliary_fds)
1386 return -ENOMEM;
1387
1388 p->n_auxiliary_fds = n;
1389
1390 k = 0;
1391 for (i = 0; i < n; ++i) {
1392 _cleanup_free_ char *ep = NULL;
1393
00bb64ec 1394 ep = path_make_absolute(ent[i]->d_name, p->path);
60252446
PS		 1395 if (!ep)
1396 return -ENOMEM;
1397
1398 path_kill_slashes(ep);
1399
36078102 1400 r = usbffs_address_create(ep);
60252446
PS		 1401 if (r < 0)
1402 goto fail;
1403
e8da24a6
LP		 1404 p->auxiliary_fds[k] = r;
1405
60252446
PS		 1406 ++k;
1407 free(ent[i]);
1408 }
1409
1410 return r;
1411
1412fail:
e8da24a6 1413 close_many(p->auxiliary_fds, k);
60252446
PS		 1414 p->auxiliary_fds = mfree(p->auxiliary_fds);
1415 p->n_auxiliary_fds = 0;
1416
1417 return r;
1418}
1419
d24e561d
LP		 1420static int socket_determine_selinux_label(Socket *s, char **ret) {
1421 ExecCommand *c;
1422 int r;
1423
1424 assert(s);
1425 assert(ret);
1426
1427 if (s->selinux_context_from_net) {
1428 /* If this is requested, get label from the network label */
1429
1430 r = mac_selinux_get_our_label(ret);
1431 if (r == -EOPNOTSUPP)
1432 goto no_label;
1433
1434 } else {
1435 /* Otherwise, get it from the executable we are about to start */
1436 r = socket_instantiate_service(s);
1437 if (r < 0)
1438 return r;
1439
1440 if (!UNIT_ISSET(s->service))
1441 goto no_label;
1442
1443 c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
1444 if (!c)
1445 goto no_label;
1446
1447 r = mac_selinux_get_create_label_from_exe(c->path, ret);
4c701096 1448 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
d24e561d
LP		 1449 goto no_label;
1450 }
1451
1452 return r;
1453
1454no_label:
1455 *ret = NULL;
1456 return 0;
1457}
1458
a79279c7
LP		 1459static int socket_address_listen_do(
1460 Socket *s,
1461 const SocketAddress *address,
1462 const char *label) {
1463
1464 assert(s);
1465 assert(address);
1466
1467 return socket_address_listen(
1468 address,
1469 SOCK_CLOEXEC|SOCK_NONBLOCK,
1470 s->backlog,
1471 s->bind_ipv6_only,
1472 s->bind_to_device,
1473 s->reuse_port,
1474 s->free_bind,
1475 s->transparent,
1476 s->directory_mode,
1477 s->socket_mode,
1478 label);
1479}
1480
1481static int socket_address_listen_in_cgroup(
1482 Socket *s,
1483 const SocketAddress *address,
1484 const char *label) {
1485
1486 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1487 int fd, r;
1488 pid_t pid;
1489
1490 assert(s);
1491 assert(address);
1492
1493 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1494 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1495 * unit's cgroup for the purpose of BPF filtering and such. */
1496
1497 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1498 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1499
1500 r = bpf_firewall_supported();
1501 if (r < 0)
1502 return r;
1503 if (r == 0) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1504 goto shortcut;
1505
1506 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1507 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1508
1509 r = unit_fork_helper_process(UNIT(s), &pid);
1510 if (r < 0)
1511 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1512 if (r == 0) {
1513 /* Child */
1514
1515 pair[0] = safe_close(pair[0]);
1516
1517 fd = socket_address_listen_do(s, address, label);
1518 if (fd < 0) {
1519 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1520 _exit(EXIT_FAILURE);
1521 }
1522
1523 r = send_one_fd(pair[1], fd, 0);
1524 if (r < 0) {
1525 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1526 _exit(EXIT_FAILURE);
1527 }
1528
1529 _exit(EXIT_SUCCESS);
1530 }
1531
1532 pair[1] = safe_close(pair[1]);
1533 fd = receive_one_fd(pair[0], 0);
1534
1535 /* We synchronously wait for the helper, as it shouldn't be slow */
1536 r = wait_for_terminate_and_warn("listen-cgroup-helper", pid, false);
1537 if (r < 0) {
1538 safe_close(fd);
1539 return r;
1540 }
1541
1542 if (fd < 0)
1543 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1544
1545 return fd;
1546
1547shortcut:
1548 fd = socket_address_listen_do(s, address, label);
1549 if (fd < 0)
1550 return log_error_errno(fd, "Failed to create listening socket: %m");
1551
1552 return fd;
1553}
1554
034c6ed7 1555static int socket_open_fds(Socket *s) {
710a6b50
LP		 1556 _cleanup_(mac_selinux_freep) char *label = NULL;
1557 bool know_label = false;
83c60c9f
LP		 1558 SocketPort *p;
1559 int r;
1560
1561 assert(s);
1562
034c6ed7 1563 LIST_FOREACH(port, p, s->ports) {
83c60c9f 1564
034c6ed7
LP		 1565 if (p->fd >= 0)
1566 continue;
83c60c9f 1567
00411a13
LP		 1568 switch (p->type) {
1569
1570 case SOCKET_SOCKET:
049f8642 1571
7f416dae 1572 if (!know_label) {
d24e561d
LP		 1573 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1574 * we need this and remember it for the rest. */
7f416dae 1575
d24e561d
LP		 1576 r = socket_determine_selinux_label(s, &label);
1577 if (r < 0)
1578 goto rollback;
049f8642
LP		 1579
1580 know_label = true;
1581 }
1582
74bb646e 1583 /* Apply the socket protocol */
d24e561d 1584 switch (p->address.type) {
d2a50e3b 1585
74bb646e
SS		 1586 case SOCK_STREAM:
1587 case SOCK_SEQPACKET:
d24e561d
LP		 1588 if (s->socket_protocol == IPPROTO_SCTP)
1589 p->address.protocol = s->socket_protocol;
74bb646e 1590 break;
d2a50e3b 1591
74bb646e 1592 case SOCK_DGRAM:
d24e561d
LP		 1593 if (s->socket_protocol == IPPROTO_UDPLITE)
1594 p->address.protocol = s->socket_protocol;
74bb646e
SS		 1595 break;
1596 }
1597
a79279c7 1598 r = socket_address_listen_in_cgroup(s, &p->address, label);
175a3d25 1599 if (r < 0)
83c60c9f
LP		 1600 goto rollback;
1601
175a3d25 1602 p->fd = r;
4fd5948e 1603 socket_apply_socket_options(s, p->fd);
811ba7a0 1604 socket_symlink(s);
00411a13 1605 break;
4fd5948e 1606
00411a13 1607 case SOCKET_SPECIAL:
b0a3f2bc 1608
55301ec0 1609 p->fd = special_address_create(p->path, s->writable);
e8da24a6
LP		 1610 if (p->fd < 0) {
1611 r = p->fd;
b0a3f2bc 1612 goto rollback;
e8da24a6 1613 }
00411a13 1614 break;
b0a3f2bc 1615
00411a13 1616 case SOCKET_FIFO:
83c60c9f 1617
e8da24a6 1618 p->fd = fifo_address_create(
175a3d25
LP		 1619 p->path,
1620 s->directory_mode,
e8da24a6
LP		 1621 s->socket_mode);
1622 if (p->fd < 0) {
1623 r = p->fd;
83c60c9f 1624 goto rollback;
e8da24a6 1625 }
83c60c9f 1626
b15bdda8 1627 socket_apply_fifo_options(s, p->fd);
811ba7a0 1628 socket_symlink(s);
00411a13 1629 break;
811ba7a0 1630
00411a13 1631 case SOCKET_MQUEUE:
83c60c9f 1632
e8da24a6 1633 p->fd = mq_address_create(
175a3d25
LP		 1634 p->path,
1635 s->socket_mode,
1636 s->mq_maxmsg,
e8da24a6
LP		 1637 s->mq_msgsize);
1638 if (p->fd < 0) {
1639 r = p->fd;
916abb21 1640 goto rollback;
e8da24a6 1641 }
00411a13 1642 break;
e8da24a6 1643
d2a50e3b 1644 case SOCKET_USB_FUNCTION: {
27a6ea91 1645 _cleanup_free_ char *ep = NULL;
60252446 1646
27a6ea91
GB		 1647 ep = path_make_absolute("ep0", p->path);
1648
1649 p->fd = usbffs_address_create(ep);
e8da24a6
LP		 1650 if (p->fd < 0) {
1651 r = p->fd;
60252446 1652 goto rollback;
e8da24a6 1653 }
60252446 1654
36078102 1655 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
6b7e5923
PS		 1656 if (r < 0)
1657 goto rollback;
1658
36078102 1659 r = usbffs_dispatch_eps(p);
60252446
PS		 1660 if (r < 0)
1661 goto rollback;
00411a13
LP		 1662
1663 break;
27a6ea91 1664 }
00411a13 1665 default:
b15bdda8 1666 assert_not_reached("Unknown port type");
00411a13 1667 }
034c6ed7
LP		 1668 }
1669
1670 return 0;
1671
1672rollback:
1673 socket_close_fds(s);
1674 return r;
1675}
1676
1677static void socket_unwatch_fds(Socket *s) {
1678 SocketPort *p;
718db961 1679 int r;
9152c765 1680
034c6ed7
LP		 1681 assert(s);
1682
1683 LIST_FOREACH(port, p, s->ports) {
1684 if (p->fd < 0)
1685 continue;
1686
a4152e3f
LP		 1687 if (!p->event_source)
1688 continue;
1689
1690 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1691 if (r < 0)
f2341e0a 1692 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
83c60c9f 1693 }
034c6ed7
LP		 1694}
1695
1696static int socket_watch_fds(Socket *s) {
1697 SocketPort *p;
1698 int r;
1699
1700 assert(s);
83c60c9f 1701
034c6ed7
LP		 1702 LIST_FOREACH(port, p, s->ports) {
1703 if (p->fd < 0)
1704 continue;
1705
cbf60d0a 1706 if (p->event_source) {
718db961 1707 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
cbf60d0a
LP		 1708 if (r < 0)
1709 goto fail;
1710 } else {
151b9b96 1711 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
cbf60d0a
LP		 1712 if (r < 0)
1713 goto fail;
4f2d528d 1714
cbf60d0a 1715 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
718db961 1716 }
034c6ed7 1717 }
83c60c9f 1718
542563ba 1719 return 0;
83c60c9f 1720
034c6ed7 1721fail:
cbf60d0a 1722 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
034c6ed7
LP		 1723 socket_unwatch_fds(s);
1724 return r;
1725}
1726
01a8b467
LP		 1727enum {
1728 SOCKET_OPEN_NONE,
1729 SOCKET_OPEN_SOME,
1730 SOCKET_OPEN_ALL,
1731};
1732
1733static int socket_check_open(Socket *s) {
1734 bool have_open = false, have_closed = false;
1735 SocketPort *p;
1736
1737 assert(s);
1738
1739 LIST_FOREACH(port, p, s->ports) {
1740 if (p->fd < 0)
1741 have_closed = true;
1742 else
1743 have_open = true;
1744
1745 if (have_open && have_closed)
1746 return SOCKET_OPEN_SOME;
1747 }
1748
1749 if (have_open)
1750 return SOCKET_OPEN_ALL;
1751
1752 return SOCKET_OPEN_NONE;
1753}
1754
034c6ed7
LP		 1755static void socket_set_state(Socket *s, SocketState state) {
1756 SocketState old_state;
1757 assert(s);
1758
1759 old_state = s->state;
1760 s->state = state;
1761
bd1fe7c7
LP		 1762 if (!IN_SET(state,
1763 SOCKET_START_PRE,
3900e5fd 1764 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1765 SOCKET_START_POST,
1766 SOCKET_STOP_PRE,
1767 SOCKET_STOP_PRE_SIGTERM,
1768 SOCKET_STOP_PRE_SIGKILL,
1769 SOCKET_STOP_POST,
1770 SOCKET_FINAL_SIGTERM,
1771 SOCKET_FINAL_SIGKILL)) {
718db961
LP		 1772
1773 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
5e94833f 1774 socket_unwatch_control_pid(s);
034c6ed7 1775 s->control_command = NULL;
a16e1123 1776 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
e537352b 1777 }
034c6ed7 1778
a16e1123
LP		 1779 if (state != SOCKET_LISTENING)
1780 socket_unwatch_fds(s);
1781
bd1fe7c7 1782 if (!IN_SET(state,
3900e5fd 1783 SOCKET_START_CHOWN,
bd1fe7c7
LP		 1784 SOCKET_START_POST,
1785 SOCKET_LISTENING,
1786 SOCKET_RUNNING,
1787 SOCKET_STOP_PRE,
1788 SOCKET_STOP_PRE_SIGTERM,
1789 SOCKET_STOP_PRE_SIGKILL))
034c6ed7
LP		 1790 socket_close_fds(s);
1791
e537352b 1792 if (state != old_state)
f2341e0a 1793 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
acbb0225 1794
e2f3b44c 1795 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
034c6ed7
LP		 1796}
1797
be847e82 1798static int socket_coldplug(Unit *u) {
a16e1123
LP		 1799 Socket *s = SOCKET(u);
1800 int r;
1801
1802 assert(s);
1803 assert(s->state == SOCKET_DEAD);
1804
e821075a
LP		 1805 if (s->deserialized_state == s->state)
1806 return 0;
a16e1123 1807
c386f588
LP		 1808 if (s->control_pid > 0 &&
1809 pid_is_unwaited(s->control_pid) &&
1810 IN_SET(s->deserialized_state,
3900e5fd
LP		 1811 SOCKET_START_PRE,
1812 SOCKET_START_CHOWN,
1813 SOCKET_START_POST,
1814 SOCKET_STOP_PRE,
1815 SOCKET_STOP_PRE_SIGTERM,
1816 SOCKET_STOP_PRE_SIGKILL,
1817 SOCKET_STOP_POST,
1818 SOCKET_FINAL_SIGTERM,
1819 SOCKET_FINAL_SIGKILL)) {
a16e1123 1820
e821075a
LP		 1821 r = unit_watch_pid(UNIT(s), s->control_pid);
1822 if (r < 0)
1823 return r;
a16e1123 1824
36c16a7c 1825 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
e821075a
LP		 1826 if (r < 0)
1827 return r;
1828 }
a16e1123 1829
3900e5fd
LP		 1830 if (IN_SET(s->deserialized_state,
1831 SOCKET_START_CHOWN,
1832 SOCKET_START_POST,
1833 SOCKET_LISTENING,
01a8b467
LP		 1834 SOCKET_RUNNING)) {
1835
1836 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1837 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1838 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1839 * and if there's a mismatch, warn loudly. */
1840
1841 r = socket_check_open(s);
1842 if (r == SOCKET_OPEN_NONE)
1843 log_unit_warning(UNIT(s),
1844 "Socket unit configuration has changed while unit has been running, "
1845 "no open socket file descriptor left. "
1846 "The socket unit is not functional until restarted.");
1847 else if (r == SOCKET_OPEN_SOME)
1848 log_unit_warning(UNIT(s),
1849 "Socket unit configuration has changed while unit has been running, "
1850 "and some socket file descriptors have not been opened yet. "
1851 "The socket unit is not fully functional until restarted.");
e821075a 1852 }
a16e1123 1853
e821075a
LP		 1854 if (s->deserialized_state == SOCKET_LISTENING) {
1855 r = socket_watch_fds(s);
1856 if (r < 0)
1857 return r;
a16e1123
LP		 1858 }
1859
29206d46
LP		 1860 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED))
1861 (void) unit_setup_dynamic_creds(u);
1862
e821075a 1863 socket_set_state(s, s->deserialized_state);
a16e1123
LP		 1864 return 0;
1865}
1866
e537352b 1867static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
034c6ed7
LP		 1868 pid_t pid;
1869 int r;
9fa95f85 1870 ExecParameters exec_params = {
1703fa41 1871 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
c39f1ce2
LP		 1872 .stdin_fd = -1,
1873 .stdout_fd = -1,
1874 .stderr_fd = -1,
9fa95f85 1875 };
034c6ed7
LP		 1876
1877 assert(s);
1878 assert(c);
1879 assert(_pid);
1880
5ad096b3 1881 (void) unit_realize_cgroup(UNIT(s));
906c06f6
DM		 1882 if (s->reset_accounting) {
1883 (void) unit_reset_cpu_accounting(UNIT(s));
1884 (void) unit_reset_ip_accounting(UNIT(s));
1885 s->reset_accounting = false;
5ad096b3 1886 }
4ad49000 1887
d3070fbd
LP		 1888 unit_export_state_files(UNIT(s));
1889
613b411c
LP		 1890 r = unit_setup_exec_runtime(UNIT(s));
1891 if (r < 0)
36c16a7c 1892 return r;
613b411c 1893
29206d46
LP		 1894 r = unit_setup_dynamic_creds(UNIT(s));
1895 if (r < 0)
1896 return r;
1897
36c16a7c 1898 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 1899 if (r < 0)
36c16a7c 1900 return r;
034c6ed7 1901
19bbdd98 1902 manager_set_exec_params(UNIT(s)->manager, &exec_params);
f0d47797 1903 unit_set_exec_params(UNIT(s), &exec_params);
3536f49e 1904
5125e762 1905 exec_params.argv = c->argv;
9fa95f85 1906
f2341e0a
LP		 1907 r = exec_spawn(UNIT(s),
1908 c,
9e2f7c11 1909 &s->exec_context,
9fa95f85 1910 &exec_params,
613b411c 1911 s->exec_runtime,
29206d46 1912 &s->dynamic_creds,
9e2f7c11 1913 &pid);
cee288ad 1914 if (r < 0)
36c16a7c 1915 return r;
9e2f7c11 1916
3900e5fd 1917 r = unit_watch_pid(UNIT(s), pid);
9e2f7c11 1918 if (r < 0)
3900e5fd 1919 /* FIXME: we need to do something here */
36c16a7c 1920 return r;
034c6ed7 1921
3900e5fd 1922 *_pid = pid;
3536f49e 1923
3900e5fd 1924 return 0;
3900e5fd
LP		 1925}
1926
1927static int socket_chown(Socket *s, pid_t *_pid) {
1928 pid_t pid;
1929 int r;
1930
36c16a7c 1931 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
3900e5fd
LP		 1932 if (r < 0)
1933 goto fail;
1934
1935 /* We have to resolve the user names out-of-process, hence
1936 * let's fork here. It's messy, but well, what can we do? */
1937
a79279c7
LP		 1938 r = unit_fork_helper_process(UNIT(s), &pid);
1939 if (r < 0)
1940 return r;
1941 if (r == 0) {
fed1e721
LP		 1942 uid_t uid = UID_INVALID;
1943 gid_t gid = GID_INVALID;
a79279c7 1944 SocketPort *p;
3900e5fd 1945
a79279c7 1946 /* Child */
3900e5fd
LP		 1947
1948 if (!isempty(s->user)) {
1949 const char *user = s->user;
1950
1951 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1952 if (r < 0) {
a79279c7
LP		 1953 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1954 _exit(EXIT_USER);
3900e5fd
LP		 1955 }
1956 }
1957
1958 if (!isempty(s->group)) {
1959 const char *group = s->group;
1960
1961 r = get_group_creds(&group, &gid);
1962 if (r < 0) {
a79279c7
LP		 1963 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1964 _exit(EXIT_GROUP);
3900e5fd
LP		 1965 }
1966 }
1967
1968 LIST_FOREACH(port, p, s->ports) {
e5a1c18d 1969 const char *path = NULL;
3900e5fd
LP		 1970
1971 if (p->type == SOCKET_SOCKET)
1972 path = socket_address_get_path(&p->address);
1973 else if (p->type == SOCKET_FIFO)
1974 path = p->path;
1975
1976 if (!path)
1977 continue;
1978
1979 if (chown(path, uid, gid) < 0) {
a79279c7
LP		 1980 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1981 _exit(EXIT_CHOWN);
3900e5fd
LP		 1982 }
1983 }
1984
a79279c7 1985 _exit(EXIT_SUCCESS);
3900e5fd
LP		 1986 }
1987
718db961
LP		 1988 r = unit_watch_pid(UNIT(s), pid);
1989 if (r < 0)
034c6ed7 1990 goto fail;
83c60c9f 1991
034c6ed7 1992 *_pid = pid;
034c6ed7
LP		 1993 return 0;
1994
1995fail:
718db961 1996 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
83c60c9f 1997 return r;
542563ba
LP		 1998}
1999
cfc4eb4c 2000static void socket_enter_dead(Socket *s, SocketResult f) {
034c6ed7
LP		 2001 assert(s);
2002
a0fef983 2003 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2004 s->result = f;
034c6ed7 2005
ed77d407
LP		 2006 if (s->result != SOCKET_SUCCESS)
2007 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2008
29206d46
LP		 2009 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2010
613b411c
LP		 2011 exec_runtime_destroy(s->exec_runtime);
2012 s->exec_runtime = exec_runtime_unref(s->exec_runtime);
2013
3536f49e 2014 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
e66cf1a3 2015
00d9ef85
LP		 2016 unit_unref_uid_gid(UNIT(s), true);
2017
29206d46 2018 dynamic_creds_destroy(&s->dynamic_creds);
034c6ed7
LP		 2019}
2020
cfc4eb4c 2021static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
80876c20 2022
cfc4eb4c 2023static void socket_enter_stop_post(Socket *s, SocketResult f) {
034c6ed7
LP		 2024 int r;
2025 assert(s);
2026
a0fef983 2027 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2028 s->result = f;
034c6ed7 2029
5e94833f 2030 socket_unwatch_control_pid(s);
a16e1123 2031 s->control_command_id = SOCKET_EXEC_STOP_POST;
3900e5fd 2032 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
a16e1123 2033
3900e5fd
LP		 2034 if (s->control_command) {
2035 r = socket_spawn(s, s->control_command, &s->control_pid);
2036 if (r < 0)
034c6ed7
LP		 2037 goto fail;
2038
80876c20
LP		 2039 socket_set_state(s, SOCKET_STOP_POST);
2040 } else
cfc4eb4c 2041 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
034c6ed7
LP		 2042
2043 return;
2044
2045fail:
f2341e0a 2046 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
cfc4eb4c 2047 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2048}
2049
cfc4eb4c 2050static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
034c6ed7
LP		 2051 int r;
2052
2053 assert(s);
2054
a0fef983 2055 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2056 s->result = f;
034c6ed7 2057
cd2086fe
LP		 2058 r = unit_kill_context(
2059 UNIT(s),
2060 &s->kill_context,
ec2ce0c5 2061 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
db2cb23b 2062 KILL_KILL : KILL_TERMINATE,
cd2086fe
LP		 2063 -1,
2064 s->control_pid,
2065 false);
2066 if (r < 0)
2067 goto fail;
034c6ed7 2068
cd2086fe 2069 if (r > 0) {
36c16a7c 2070 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
36697dc0 2071 if (r < 0)
80876c20 2072 goto fail;
d6ea93e3 2073
80876c20 2074 socket_set_state(s, state);
ac84d1fb
LP		 2075 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2076 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2077 else if (state == SOCKET_STOP_PRE_SIGKILL)
cfc4eb4c 2078 socket_enter_stop_post(s, SOCKET_SUCCESS);
ac84d1fb
LP		 2079 else if (state == SOCKET_FINAL_SIGTERM)
2080 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
80876c20 2081 else
cfc4eb4c 2082 socket_enter_dead(s, SOCKET_SUCCESS);
034c6ed7
LP		 2083
2084 return;
2085
2086fail:
f2341e0a 2087 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
034c6ed7 2088
3742095b 2089 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
cfc4eb4c 2090 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2091 else
cfc4eb4c 2092 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2093}
2094
cfc4eb4c 2095static void socket_enter_stop_pre(Socket *s, SocketResult f) {
034c6ed7
LP		 2096 int r;
2097 assert(s);
2098
a0fef983 2099 if (s->result == SOCKET_SUCCESS)
cfc4eb4c 2100 s->result = f;
034c6ed7 2101
5e94833f 2102 socket_unwatch_control_pid(s);
a16e1123 2103 s->control_command_id = SOCKET_EXEC_STOP_PRE;
3900e5fd 2104 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
a16e1123 2105
3900e5fd
LP		 2106 if (s->control_command) {
2107 r = socket_spawn(s, s->control_command, &s->control_pid);
2108 if (r < 0)
034c6ed7
LP		 2109 goto fail;
2110
80876c20
LP		 2111 socket_set_state(s, SOCKET_STOP_PRE);
2112 } else
cfc4eb4c 2113 socket_enter_stop_post(s, SOCKET_SUCCESS);
034c6ed7
LP		 2114
2115 return;
2116
2117fail:
f2341e0a 2118 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
cfc4eb4c 2119 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2120}
2121
e9af15c3
LP		 2122static void socket_enter_listening(Socket *s) {
2123 int r;
2124 assert(s);
2125
cfc4eb4c
LP		 2126 r = socket_watch_fds(s);
2127 if (r < 0) {
f2341e0a 2128 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
e9af15c3
LP		 2129 goto fail;
2130 }
2131
2132 socket_set_state(s, SOCKET_LISTENING);
2133 return;
2134
2135fail:
cfc4eb4c 2136 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
e9af15c3
LP		 2137}
2138
034c6ed7
LP		 2139static void socket_enter_start_post(Socket *s) {
2140 int r;
2141 assert(s);
2142
3900e5fd
LP		 2143 socket_unwatch_control_pid(s);
2144 s->control_command_id = SOCKET_EXEC_START_POST;
2145 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2146
2147 if (s->control_command) {
2148 r = socket_spawn(s, s->control_command, &s->control_pid);
2149 if (r < 0) {
f2341e0a 2150 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
3900e5fd
LP		 2151 goto fail;
2152 }
2153
2154 socket_set_state(s, SOCKET_START_POST);
2155 } else
2156 socket_enter_listening(s);
2157
2158 return;
2159
2160fail:
2161 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2162}
2163
2164static void socket_enter_start_chown(Socket *s) {
2165 int r;
2166
2167 assert(s);
2168
cfc4eb4c
LP		 2169 r = socket_open_fds(s);
2170 if (r < 0) {
f2341e0a 2171 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
034c6ed7
LP		 2172 goto fail;
2173 }
2174
3900e5fd 2175 if (!isempty(s->user) || !isempty(s->group)) {
5e94833f 2176
3900e5fd
LP		 2177 socket_unwatch_control_pid(s);
2178 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2179 s->control_command = NULL;
a16e1123 2180
3900e5fd 2181 r = socket_chown(s, &s->control_pid);
cfc4eb4c 2182 if (r < 0) {
f2341e0a 2183 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
034c6ed7
LP		 2184 goto fail;
2185 }
2186
3900e5fd 2187 socket_set_state(s, SOCKET_START_CHOWN);
80876c20 2188 } else
3900e5fd 2189 socket_enter_start_post(s);
034c6ed7
LP		 2190
2191 return;
2192
2193fail:
cfc4eb4c 2194 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2195}
2196
2197static void socket_enter_start_pre(Socket *s) {
2198 int r;
2199 assert(s);
2200
5e94833f 2201 socket_unwatch_control_pid(s);
a16e1123 2202 s->control_command_id = SOCKET_EXEC_START_PRE;
3900e5fd 2203 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
a16e1123 2204
3900e5fd 2205 if (s->control_command) {
e821075a 2206 r = socket_spawn(s, s->control_command, &s->control_pid);
3900e5fd 2207 if (r < 0) {
f2341e0a 2208 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
034c6ed7 2209 goto fail;
3900e5fd 2210 }
034c6ed7 2211
80876c20
LP		 2212 socket_set_state(s, SOCKET_START_PRE);
2213 } else
3900e5fd 2214 socket_enter_start_chown(s);
034c6ed7
LP		 2215
2216 return;
2217
2218fail:
cfc4eb4c 2219 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2220}
2221
60d9771c
LP		 2222static void flush_ports(Socket *s) {
2223 SocketPort *p;
2224
2225 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2226 * anymore */
2227
2228 LIST_FOREACH(port, p, s->ports) {
2229 if (p->fd < 0)
2230 continue;
2231
2232 (void) flush_accept(p->fd);
2233 (void) flush_fd(p->fd);
2234 }
2235}
2236
4f2d528d 2237static void socket_enter_running(Socket *s, int cfd) {
4afd3348 2238 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
034c6ed7
LP		 2239 int r;
2240
8b26cdbd
LP		 2241 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2242 * close it. */
2243
034c6ed7
LP		 2244 assert(s);
2245
60d9771c 2246 /* We don't take connections anymore if we are supposed to shut down anyway */
31afa0a4 2247 if (unit_stop_pending(UNIT(s))) {
e821075a 2248
f2341e0a 2249 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
5d909e3e 2250
7c610628 2251 if (cfd >= 0)
8b26cdbd 2252 cfd = safe_close(cfd);
60d9771c
LP		 2253 else
2254 flush_ports(s);
7c610628 2255
ba3e67a7
LP		 2256 return;
2257 }
2258
8b26cdbd
LP		 2259 if (!ratelimit_test(&s->trigger_limit)) {
2260 safe_close(cfd);
2261 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2262 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2263 return;
2264 }
2265
4f2d528d 2266 if (cfd < 0) {
f976f3f6 2267 bool pending = false;
eef85c4a
LP		 2268 Unit *other;
2269 Iterator i;
2270 void *v;
f976f3f6
LP		 2271
2272 /* If there's already a start pending don't bother to
2273 * do anything */
eef85c4a 2274 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
e821075a 2275 if (unit_active_or_pending(other)) {
57020a3a
LP		 2276 pending = true;
2277 break;
2278 }
f976f3f6 2279
1a710b43 2280 if (!pending) {
640ace4a 2281 if (!UNIT_ISSET(s->service)) {
f2341e0a 2282 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
640ace4a
LP		 2283 r = -ENOENT;
2284 goto fail;
2285 }
2286
4bd29fe5 2287 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
1a710b43 2288 if (r < 0)
f976f3f6 2289 goto fail;
1a710b43 2290 }
4f2d528d
LP		 2291
2292 socket_set_state(s, SOCKET_RUNNING);
2293 } else {
e55001eb 2294 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
9d565427 2295 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
b15bdda8 2296 Service *service;
4f2d528d 2297
6cf6bbc2 2298 if (s->n_connections >= s->max_connections) {
ea8f50f8 2299 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
166cf510 2300 s->n_connections);
03e334a1 2301 safe_close(cfd);
6cf6bbc2
LP		 2302 return;
2303 }
2304
9d565427 2305 if (s->max_connections_per_source > 0) {
166cf510 2306 r = socket_acquire_peer(s, cfd, &p);
9d565427
SS		 2307 if (r < 0) {
2308 safe_close(cfd);
2309 return;
166cf510 2310 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
ea8f50f8
ZJS		 2311 _cleanup_free_ char *t = NULL;
2312
41733ae1 2313 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
ea8f50f8 2314
166cf510 2315 log_unit_warning(UNIT(s),
ea8f50f8
ZJS		 2316 "Too many incoming connections (%u) from source %s, dropping connection.",
2317 p->n_ref, strnull(t));
9d565427 2318 safe_close(cfd);
9d565427
SS		 2319 return;
2320 }
2321 }
2322
1a710b43
MS		 2323 r = socket_instantiate_service(s);
2324 if (r < 0)
b15bdda8
LP		 2325 goto fail;
2326
1a710b43
MS		 2327 r = instance_from_socket(cfd, s->n_accepted, &instance);
2328 if (r < 0) {
2329 if (r != -ENOTCONN)
2330 goto fail;
2331
2332 /* ENOTCONN is legitimate if TCP RST was received.
2333 * This connection is over, but the socket unit lives on. */
8b26cdbd 2334 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
03e334a1 2335 safe_close(cfd);
1a710b43
MS		 2336 return;
2337 }
4f2d528d 2338
7410616c
LP		 2339 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2340 if (r < 0)
4f2d528d 2341 goto fail;
4f2d528d 2342
7410616c
LP		 2343 r = unit_name_build(prefix, instance, ".service", &name);
2344 if (r < 0)
b6dbbe1c 2345 goto fail;
4f2d528d 2346
1a710b43 2347 r = unit_add_name(UNIT_DEREF(s->service), name);
e55001eb 2348 if (r < 0)
4f2d528d 2349 goto fail;
b15bdda8 2350
57020a3a
LP		 2351 service = SERVICE(UNIT_DEREF(s->service));
2352 unit_ref_unset(&s->service);
6c073082 2353
e4f67317 2354 s->n_accepted++;
b15bdda8 2355 unit_choose_id(UNIT(service), name);
b15bdda8 2356
16115b0a 2357 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
1a710b43 2358 if (r < 0)
4f2d528d
LP		 2359 goto fail;
2360
8b26cdbd 2361 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
313cefa1 2362 s->n_connections++;
6cf6bbc2 2363
166cf510
ZJS		 2364 service->peer = p; /* Pass ownership of the peer reference */
2365 p = NULL;
9d565427 2366
4bd29fe5 2367 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
3e7a1f50
LP		 2368 if (r < 0) {
2369 /* We failed to activate the new service, but it still exists. Let's make sure the service
2370 * closes and forgets the connection fd again, immediately. */
2371 service_close_socket_fd(service);
4f2d528d 2372 goto fail;
3e7a1f50 2373 }
c4e2ceae
LP		 2374
2375 /* Notify clients about changed counters */
2376 unit_add_to_dbus_queue(UNIT(s));
4f2d528d 2377 }
034c6ed7 2378
034c6ed7
LP		 2379 return;
2380
2381fail:
f2341e0a
LP		 2382 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2383 cfd >= 0 ? "template" : "non-template",
718db961 2384 bus_error_message(&error, r));
e821075a 2385
60089004 2386 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
03e334a1 2387 safe_close(cfd);
034c6ed7
LP		 2388}
2389
cfc4eb4c 2390static void socket_run_next(Socket *s) {
034c6ed7
LP		 2391 int r;
2392
2393 assert(s);
2394 assert(s->control_command);
2395 assert(s->control_command->command_next);
2396
5e94833f
LP		 2397 socket_unwatch_control_pid(s);
2398
034c6ed7
LP		 2399 s->control_command = s->control_command->command_next;
2400
e821075a
LP		 2401 r = socket_spawn(s, s->control_command, &s->control_pid);
2402 if (r < 0)
034c6ed7
LP		 2403 goto fail;
2404
2405 return;
2406
2407fail:
f2341e0a 2408 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
80876c20
LP		 2409
2410 if (s->state == SOCKET_START_POST)
cfc4eb4c 2411 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2412 else if (s->state == SOCKET_STOP_POST)
cfc4eb4c 2413 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
034c6ed7 2414 else
cfc4eb4c 2415 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
034c6ed7
LP		 2416}
2417
87f0e418
LP		 2418static int socket_start(Unit *u) {
2419 Socket *s = SOCKET(u);
07299350 2420 int r;
83c60c9f
LP		 2421
2422 assert(s);
2423
034c6ed7
LP		 2424 /* We cannot fulfill this request right now, try again later
2425 * please! */
3900e5fd
LP		 2426 if (IN_SET(s->state,
2427 SOCKET_STOP_PRE,
2428 SOCKET_STOP_PRE_SIGKILL,
2429 SOCKET_STOP_PRE_SIGTERM,
2430 SOCKET_STOP_POST,
2431 SOCKET_FINAL_SIGTERM,
2432 SOCKET_FINAL_SIGKILL))
034c6ed7
LP		 2433 return -EAGAIN;
2434
a4152e3f 2435 /* Already on it! */
3900e5fd
LP		 2436 if (IN_SET(s->state,
2437 SOCKET_START_PRE,
2438 SOCKET_START_CHOWN,
2439 SOCKET_START_POST))
034c6ed7 2440 return 0;
83c60c9f 2441
034c6ed7 2442 /* Cannot run this without the service being around */
9444b1f2 2443 if (UNIT_ISSET(s->service)) {
57020a3a
LP		 2444 Service *service;
2445
2446 service = SERVICE(UNIT_DEREF(s->service));
2447
1124fe6f 2448 if (UNIT(service)->load_state != UNIT_LOADED) {
f2341e0a 2449 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
4f2d528d 2450 return -ENOENT;
4ac9236f 2451 }
4f2d528d 2452
35b8ca3a 2453 /* If the service is already active we cannot start the
4f2d528d 2454 * socket */
ec2ce0c5 2455 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
f2341e0a 2456 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
4f2d528d 2457 return -EBUSY;
4ac9236f 2458 }
4f2d528d 2459 }
e537352b 2460
3742095b 2461 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
83c60c9f 2462
07299350
LP		 2463 r = unit_start_limit_test(u);
2464 if (r < 0) {
2465 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2466 return r;
2467 }
2468
4b58153d
LP		 2469 r = unit_acquire_invocation_id(u);
2470 if (r < 0)
2471 return r;
2472
cfc4eb4c 2473 s->result = SOCKET_SUCCESS;
906c06f6 2474 s->reset_accounting = true;
5ad096b3 2475
034c6ed7 2476 socket_enter_start_pre(s);
82a2b6bb 2477 return 1;
034c6ed7 2478}
83c60c9f 2479
87f0e418
LP		 2480static int socket_stop(Unit *u) {
2481 Socket *s = SOCKET(u);
034c6ed7
LP		 2482
2483 assert(s);
2484
e537352b 2485 /* Already on it */
3900e5fd
LP		 2486 if (IN_SET(s->state,
2487 SOCKET_STOP_PRE,
2488 SOCKET_STOP_PRE_SIGTERM,
2489 SOCKET_STOP_PRE_SIGKILL,
2490 SOCKET_STOP_POST,
2491 SOCKET_FINAL_SIGTERM,
2492 SOCKET_FINAL_SIGKILL))
e537352b
LP		 2493 return 0;
2494
3f6c78dc
LP		 2495 /* If there's already something running we go directly into
2496 * kill mode. */
3900e5fd
LP		 2497 if (IN_SET(s->state,
2498 SOCKET_START_PRE,
2499 SOCKET_START_CHOWN,
2500 SOCKET_START_POST)) {
cfc4eb4c 2501 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
3f6c78dc
LP		 2502 return -EAGAIN;
2503 }
2504
3742095b 2505 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
83c60c9f 2506
cfc4eb4c 2507 socket_enter_stop_pre(s, SOCKET_SUCCESS);
82a2b6bb 2508 return 1;
542563ba
LP		 2509}
2510
a16e1123
LP		 2511static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2512 Socket *s = SOCKET(u);
2513 SocketPort *p;
2514 int r;
2515
2516 assert(u);
2517 assert(f);
2518 assert(fds);
2519
2520 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
cfc4eb4c 2521 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
a16e1123
LP		 2522 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2523
2524 if (s->control_pid > 0)
de0671ee 2525 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
a16e1123
LP		 2526
2527 if (s->control_command_id >= 0)
2528 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2529
2530 LIST_FOREACH(port, p, s->ports) {
2531 int copy;
2532
2533 if (p->fd < 0)
2534 continue;
2535
613b411c
LP		 2536 copy = fdset_put_dup(fds, p->fd);
2537 if (copy < 0)
a16e1123
LP		 2538 return copy;
2539
2540 if (p->type == SOCKET_SOCKET) {
613b411c 2541 _cleanup_free_ char *t = NULL;
a16e1123 2542
ee092817
LP		 2543 r = socket_address_print(&p->address, &t);
2544 if (r < 0)
a16e1123
LP		 2545 return r;
2546
7a22745a
LP		 2547 if (socket_address_family(&p->address) == AF_NETLINK)
2548 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2549 else
2550 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
613b411c 2551
b0a3f2bc
LP		 2552 } else if (p->type == SOCKET_SPECIAL)
2553 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
ee092817
LP		 2554 else if (p->type == SOCKET_MQUEUE)
2555 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
60252446
PS		 2556 else if (p->type == SOCKET_USB_FUNCTION)
2557 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
b0a3f2bc 2558 else {
a16e1123
LP		 2559 assert(p->type == SOCKET_FIFO);
2560 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2561 }
2562 }
2563
2564 return 0;
2565}
2566
80a58668
ZJS		 2567static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2568 safe_close(p->fd);
2569 p->fd = fdset_remove(fds, fd);
2570}
2571
a16e1123
LP		 2572static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2573 Socket *s = SOCKET(u);
a16e1123
LP		 2574
2575 assert(u);
2576 assert(key);
2577 assert(value);
a16e1123
LP		 2578
2579 if (streq(key, "state")) {
2580 SocketState state;
2581
ee092817
LP		 2582 state = socket_state_from_string(value);
2583 if (state < 0)
f2341e0a 2584 log_unit_debug(u, "Failed to parse state value: %s", value);
a16e1123
LP		 2585 else
2586 s->deserialized_state = state;
cfc4eb4c
LP		 2587 } else if (streq(key, "result")) {
2588 SocketResult f;
a16e1123 2589
cfc4eb4c
LP		 2590 f = socket_result_from_string(value);
2591 if (f < 0)
f2341e0a 2592 log_unit_debug(u, "Failed to parse result value: %s", value);
cfc4eb4c
LP		 2593 else if (f != SOCKET_SUCCESS)
2594 s->result = f;
a16e1123
LP		 2595
2596 } else if (streq(key, "n-accepted")) {
2597 unsigned k;
2598
e364ad06 2599 if (safe_atou(value, &k) < 0)
f2341e0a 2600 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
a16e1123
LP		 2601 else
2602 s->n_accepted += k;
2603 } else if (streq(key, "control-pid")) {
5925dd3c 2604 pid_t pid;
a16e1123 2605
e364ad06 2606 if (parse_pid(value, &pid) < 0)
f2341e0a 2607 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
a16e1123 2608 else
5925dd3c 2609 s->control_pid = pid;
a16e1123
LP		 2610 } else if (streq(key, "control-command")) {
2611 SocketExecCommand id;
2612
66870f90
ZJS		 2613 id = socket_exec_command_from_string(value);
2614 if (id < 0)
f2341e0a 2615 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
a16e1123
LP		 2616 else {
2617 s->control_command_id = id;
2618 s->control_command = s->exec_command[id];
2619 }
2620 } else if (streq(key, "fifo")) {
2621 int fd, skip = 0;
2622 SocketPort *p;
2623
2624 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2625 log_unit_debug(u, "Failed to parse fifo value: %s", value);
80a58668 2626 else
a16e1123 2627 LIST_FOREACH(port, p, s->ports)
b0a3f2bc 2628 if (p->type == SOCKET_FIFO &&
e3f791a2 2629 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2630 socket_port_take_fd(p, fds, fd);
b0a3f2bc 2631 break;
80a58668 2632 }
b0a3f2bc
LP		 2633
2634 } else if (streq(key, "special")) {
2635 int fd, skip = 0;
2636 SocketPort *p;
2637
2638 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2639 log_unit_debug(u, "Failed to parse special value: %s", value);
80a58668 2640 else
b0a3f2bc
LP		 2641 LIST_FOREACH(port, p, s->ports)
2642 if (p->type == SOCKET_SPECIAL &&
e3f791a2 2643 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2644 socket_port_take_fd(p, fds, fd);
a16e1123 2645 break;
80a58668 2646 }
a16e1123 2647
ee092817
LP		 2648 } else if (streq(key, "mqueue")) {
2649 int fd, skip = 0;
2650 SocketPort *p;
2651
2652 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2653 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
80a58668 2654 else
ee092817
LP		 2655 LIST_FOREACH(port, p, s->ports)
2656 if (p->type == SOCKET_MQUEUE &&
80a58668
ZJS		 2657 streq(p->path, value+skip)) {
2658 socket_port_take_fd(p, fds, fd);
ee092817 2659 break;
80a58668 2660 }
ee092817 2661
a16e1123 2662 } else if (streq(key, "socket")) {
27ca8d7a 2663 int fd, type, skip = 0;
a16e1123
LP		 2664 SocketPort *p;
2665
27ca8d7a 2666 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
f2341e0a 2667 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2668 else
a16e1123 2669 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2670 if (socket_address_is(&p->address, value+skip, type)) {
2671 socket_port_take_fd(p, fds, fd);
a16e1123 2672 break;
80a58668 2673 }
a16e1123 2674
7a22745a
LP		 2675 } else if (streq(key, "netlink")) {
2676 int fd, skip = 0;
2677 SocketPort *p;
2678
2679 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
f2341e0a 2680 log_unit_debug(u, "Failed to parse socket value: %s", value);
80a58668 2681 else
7a22745a 2682 LIST_FOREACH(port, p, s->ports)
80a58668
ZJS		 2683 if (socket_address_is_netlink(&p->address, value+skip)) {
2684 socket_port_take_fd(p, fds, fd);
7a22745a 2685 break;
80a58668 2686 }
60252446
PS		 2687
2688 } else if (streq(key, "ffs")) {
2689 int fd, skip = 0;
2690 SocketPort *p;
2691
2692 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2693 log_unit_debug(u, "Failed to parse ffs value: %s", value);
80a58668 2694 else
60252446
PS		 2695 LIST_FOREACH(port, p, s->ports)
2696 if (p->type == SOCKET_USB_FUNCTION &&
e3f791a2 2697 path_equal_or_files_same(p->path, value+skip, 0)) {
80a58668 2698 socket_port_take_fd(p, fds, fd);
60252446 2699 break;
80a58668 2700 }
60252446 2701
a16e1123 2702 } else
f2341e0a 2703 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
a16e1123
LP		 2704
2705 return 0;
2706}
2707
9ff1a6f1 2708static void socket_distribute_fds(Unit *u, FDSet *fds) {
01e10de3
LP		 2709 Socket *s = SOCKET(u);
2710 SocketPort *p;
2711
2712 assert(u);
2713
2714 LIST_FOREACH(port, p, s->ports) {
2715 Iterator i;
2716 int fd;
2717
2718 if (p->type != SOCKET_SOCKET)
2719 continue;
2720
2721 if (p->fd >= 0)
2722 continue;
2723
2724 FDSET_FOREACH(fd, fds, i) {
2725 if (socket_address_matches_fd(&p->address, fd)) {
2726 p->fd = fdset_remove(fds, fd);
2727 s->deserialized_state = SOCKET_LISTENING;
2728 break;
2729 }
2730 }
2731 }
01e10de3
LP		 2732}
2733
44a6b1b6 2734_pure_ static UnitActiveState socket_active_state(Unit *u) {
87f0e418 2735 assert(u);
5cb5a6ff 2736
acbb0225 2737 return state_translation_table[SOCKET(u)->state];
5cb5a6ff
LP		 2738}
2739
44a6b1b6 2740_pure_ static const char *socket_sub_state_to_string(Unit *u) {
10a94420
LP		 2741 assert(u);
2742
a16e1123 2743 return socket_state_to_string(SOCKET(u)->state);
10a94420
LP		 2744}
2745
67419600
OS		 2746const char* socket_port_type_to_string(SocketPort *p) {
2747
2748 assert(p);
2749
2750 switch (p->type) {
718db961
LP		 2751
2752 case SOCKET_SOCKET:
2753
2754 switch (p->address.type) {
2755
2756 case SOCK_STREAM:
2757 return "Stream";
2758
2759 case SOCK_DGRAM:
2760 return "Datagram";
2761
2762 case SOCK_SEQPACKET:
2763 return "SequentialPacket";
2764
2765 case SOCK_RAW:
2766 if (socket_address_family(&p->address) == AF_NETLINK)
2767 return "Netlink";
2768
ec251fe7 2769 /* fall through */
718db961
LP		 2770 default:
2771 return NULL;
2772 }
2773
2774 case SOCKET_SPECIAL:
2775 return "Special";
2776
2777 case SOCKET_MQUEUE:
2778 return "MessageQueue";
2779
2780 case SOCKET_FIFO:
2781 return "FIFO";
2782
60252446
PS		 2783 case SOCKET_USB_FUNCTION:
2784 return "USBFunction";
2785
718db961
LP		 2786 default:
2787 return NULL;
67419600
OS		 2788 }
2789}
2790
44a6b1b6 2791_pure_ static bool socket_check_gc(Unit *u) {
6cf6bbc2
LP		 2792 Socket *s = SOCKET(u);
2793
2794 assert(u);
2795
2796 return s->n_connections > 0;
2797}
2798
a79279c7
LP		 2799static int socket_accept_do(Socket *s, int fd) {
2800 int cfd;
2801
2802 assert(s);
2803 assert(fd >= 0);
2804
2805 for (;;) {
2806 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2807 if (cfd < 0) {
2808 if (errno == EINTR)
2809 continue;
2810
2811 return -errno;
2812 }
2813
2814 break;
2815 }
2816
2817 return cfd;
2818}
2819
2820static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2821 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2822 int cfd, r;
2823 pid_t pid;
2824
2825 assert(s);
2826 assert(p);
2827 assert(fd >= 0);
2828
2829 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2830 * connection socket is also properly associated with the cgroup. */
2831
2832 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2833 goto shortcut;
2834
2835 r = bpf_firewall_supported();
2836 if (r < 0)
2837 return r;
2838 if (r == 0)
2839 goto shortcut;
2840
2841 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2842 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2843
2844 r = unit_fork_helper_process(UNIT(s), &pid);
2845 if (r < 0)
2846 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2847 if (r == 0) {
2848 /* Child */
2849
2850 pair[0] = safe_close(pair[0]);
2851
2852 cfd = socket_accept_do(s, fd);
2853 if (cfd < 0) {
2854 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2855 _exit(EXIT_FAILURE);
2856 }
2857
2858 r = send_one_fd(pair[1], cfd, 0);
2859 if (r < 0) {
2860 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2861 _exit(EXIT_FAILURE);
2862 }
2863
2864 _exit(EXIT_SUCCESS);
2865 }
2866
2867 pair[1] = safe_close(pair[1]);
2868 cfd = receive_one_fd(pair[0], 0);
2869
2870 /* We synchronously wait for the helper, as it shouldn't be slow */
2871 r = wait_for_terminate_and_warn("accept-cgroup-helper", pid, false);
2872 if (r < 0) {
2873 safe_close(cfd);
2874 return r;
2875 }
2876
2877 if (cfd < 0)
2878 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2879
2880 return cfd;
2881
2882shortcut:
2883 cfd = socket_accept_do(s, fd);
2884 if (cfd < 0)
2885 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2886
2887 return cfd;
2888}
2889
718db961
LP		 2890static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2891 SocketPort *p = userdata;
4f2d528d 2892 int cfd = -1;
9152c765 2893
718db961 2894 assert(p);
8d567588 2895 assert(fd >= 0);
9152c765 2896
718db961
LP		 2897 if (p->socket->state != SOCKET_LISTENING)
2898 return 0;
871d7de4 2899
f2341e0a 2900 log_unit_debug(UNIT(p->socket), "Incoming traffic");
9152c765 2901
718db961 2902 if (revents != EPOLLIN) {
641e01dc 2903
718db961 2904 if (revents & EPOLLHUP)
f2341e0a 2905 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
641e01dc 2906 else
f2341e0a 2907 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
8d567588 2908 goto fail;
4f2d528d
LP		 2909 }
2910
718db961
LP		 2911 if (p->socket->accept &&
2912 p->type == SOCKET_SOCKET &&
2913 socket_address_can_accept(&p->address)) {
2914
a79279c7
LP		 2915 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2916 if (cfd < 0)
2917 goto fail;
4fd5948e 2918
718db961 2919 socket_apply_socket_options(p->socket, cfd);
4f2d528d 2920 }
9152c765 2921
718db961
LP		 2922 socket_enter_running(p->socket, cfd);
2923 return 0;
8d567588
LP		 2924
2925fail:
718db961
LP		 2926 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2927 return 0;
9152c765
LP		 2928}
2929
87f0e418
LP		 2930static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2931 Socket *s = SOCKET(u);
cfc4eb4c 2932 SocketResult f;
5cb5a6ff
LP		 2933
2934 assert(s);
034c6ed7 2935 assert(pid >= 0);
5cb5a6ff 2936
8c47c732
LP		 2937 if (pid != s->control_pid)
2938 return;
542563ba 2939
034c6ed7
LP		 2940 s->control_pid = 0;
2941
1f0958f6 2942 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
cfc4eb4c
LP		 2943 f = SOCKET_SUCCESS;
2944 else if (code == CLD_EXITED)
2945 f = SOCKET_FAILURE_EXIT_CODE;
2946 else if (code == CLD_KILLED)
2947 f = SOCKET_FAILURE_SIGNAL;
2948 else if (code == CLD_DUMPED)
2949 f = SOCKET_FAILURE_CORE_DUMP;
2950 else
a4152e3f 2951 assert_not_reached("Unknown sigchld code");
8c47c732 2952
b708e7ce 2953 if (s->control_command) {
6ea832a2 2954 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
a16e1123 2955
3ed0cd26 2956 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
cfc4eb4c 2957 f = SOCKET_SUCCESS;
b708e7ce
LP		 2958 }
2959
f2341e0a
LP		 2960 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2961 "Control process exited, code=%s status=%i",
2962 sigchld_code_to_string(code), status);
034c6ed7 2963
a0fef983 2964 if (s->result == SOCKET_SUCCESS)
cfc4eb4c
LP		 2965 s->result = f;
2966
2967 if (s->control_command &&
2968 s->control_command->command_next &&
2969 f == SOCKET_SUCCESS) {
2970
f2341e0a 2971 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
cfc4eb4c 2972 socket_run_next(s);
acbb0225 2973 } else {
a16e1123
LP		 2974 s->control_command = NULL;
2975 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2976
034c6ed7
LP		 2977 /* No further commands for this step, so let's figure
2978 * out what to do next */
5cb5a6ff 2979
f2341e0a 2980 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
acbb0225 2981
034c6ed7
LP		 2982 switch (s->state) {
2983
2984 case SOCKET_START_PRE:
cfc4eb4c 2985 if (f == SOCKET_SUCCESS)
3900e5fd 2986 socket_enter_start_chown(s);
034c6ed7 2987 else
cfc4eb4c 2988 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
034c6ed7
LP		 2989 break;
2990
3900e5fd
LP		 2991 case SOCKET_START_CHOWN:
2992 if (f == SOCKET_SUCCESS)
2993 socket_enter_start_post(s);
2994 else
2995 socket_enter_stop_pre(s, f);
2996 break;
2997
034c6ed7 2998 case SOCKET_START_POST:
cfc4eb4c 2999 if (f == SOCKET_SUCCESS)
e9af15c3 3000 socket_enter_listening(s);
034c6ed7 3001 else
cfc4eb4c 3002 socket_enter_stop_pre(s, f);
034c6ed7
LP		 3003 break;
3004
3005 case SOCKET_STOP_PRE:
3006 case SOCKET_STOP_PRE_SIGTERM:
3007 case SOCKET_STOP_PRE_SIGKILL:
cfc4eb4c 3008 socket_enter_stop_post(s, f);
034c6ed7
LP		 3009 break;
3010
3011 case SOCKET_STOP_POST:
80876c20
LP		 3012 case SOCKET_FINAL_SIGTERM:
3013 case SOCKET_FINAL_SIGKILL:
cfc4eb4c 3014 socket_enter_dead(s, f);
034c6ed7
LP		 3015 break;
3016
3017 default:
3018 assert_not_reached("Uh, control process died at wrong time.");
3019 }
3020 }
c4e2ceae
LP		 3021
3022 /* Notify clients about changed exit status */
3023 unit_add_to_dbus_queue(u);
034c6ed7 3024}
5cb5a6ff 3025
718db961
LP		 3026static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3027 Socket *s = SOCKET(userdata);
5cb5a6ff 3028
034c6ed7 3029 assert(s);
718db961 3030 assert(s->timer_event_source == source);
034c6ed7
LP		 3031
3032 switch (s->state) {
3033
3034 case SOCKET_START_PRE:
f2341e0a 3035 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
cfc4eb4c 3036 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
da19d5c1 3037 break;
80876c20 3038
3900e5fd 3039 case SOCKET_START_CHOWN:
034c6ed7 3040 case SOCKET_START_POST:
f2341e0a 3041 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
cfc4eb4c 3042 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3043 break;
3044
3045 case SOCKET_STOP_PRE:
f2341e0a 3046 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
cfc4eb4c 3047 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3048 break;
3049
3050 case SOCKET_STOP_PRE_SIGTERM:
4819ff03 3051 if (s->kill_context.send_sigkill) {
f2341e0a 3052 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
cfc4eb4c 3053 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3054 } else {
f2341e0a 3055 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
cfc4eb4c 3056 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3057 }
034c6ed7
LP		 3058 break;
3059
3060 case SOCKET_STOP_PRE_SIGKILL:
f2341e0a 3061 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
cfc4eb4c 3062 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3063 break;
3064
3065 case SOCKET_STOP_POST:
f2341e0a 3066 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
cfc4eb4c 3067 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3068 break;
3069
80876c20 3070 case SOCKET_FINAL_SIGTERM:
4819ff03 3071 if (s->kill_context.send_sigkill) {
f2341e0a 3072 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
cfc4eb4c 3073 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
ba035df2 3074 } else {
f2341e0a 3075 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
cfc4eb4c 3076 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
ba035df2 3077 }
034c6ed7
LP		 3078 break;
3079
80876c20 3080 case SOCKET_FINAL_SIGKILL:
f2341e0a 3081 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
cfc4eb4c 3082 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
034c6ed7
LP		 3083 break;
3084
3085 default:
3086 assert_not_reached("Timeout at wrong time.");
3087 }
718db961
LP		 3088
3089 return 0;
5cb5a6ff
LP		 3090}
3091
79c7626d
LP		 3092int socket_collect_fds(Socket *s, int **fds) {
3093 int *rfds, k = 0, n = 0;
44d8db9e
LP		 3094 SocketPort *p;
3095
3096 assert(s);
3097 assert(fds);
44d8db9e
LP		 3098
3099 /* Called from the service code for requesting our fds */
3100
15087cdb 3101 LIST_FOREACH(port, p, s->ports) {
44d8db9e 3102 if (p->fd >= 0)
79c7626d
LP		 3103 n++;
3104 n += p->n_auxiliary_fds;
15087cdb 3105 }
44d8db9e 3106
79c7626d 3107 if (n <= 0) {
de3756ab 3108 *fds = NULL;
de3756ab
LP		 3109 return 0;
3110 }
3111
79c7626d 3112 rfds = new(int, n);
e5403f09 3113 if (!rfds)
44d8db9e
LP		 3114 return -ENOMEM;
3115
15087cdb 3116 LIST_FOREACH(port, p, s->ports) {
79c7626d
LP		 3117 int i;
3118
44d8db9e
LP		 3119 if (p->fd >= 0)
3120 rfds[k++] = p->fd;
15087cdb
PS		 3121 for (i = 0; i < p->n_auxiliary_fds; ++i)
3122 rfds[k++] = p->auxiliary_fds[i];
3123 }
44d8db9e 3124
79c7626d 3125 assert(k == n);
44d8db9e
LP		 3126
3127 *fds = rfds;
79c7626d 3128 return n;
44d8db9e
LP		 3129}
3130
e821075a
LP		 3131static void socket_reset_failed(Unit *u) {
3132 Socket *s = SOCKET(u);
3133
3134 assert(s);
3135
3136 if (s->state == SOCKET_FAILED)
3137 socket_set_state(s, SOCKET_DEAD);
3138
3139 s->result = SOCKET_SUCCESS;
3140}
3141
6cf6bbc2
LP		 3142void socket_connection_unref(Socket *s) {
3143 assert(s);
3144
3145 /* The service is dead. Yay!
3146 *
35b8ca3a 3147 * This is strictly for one-instance-per-connection
6cf6bbc2
LP		 3148 * services. */
3149
3150 assert(s->n_connections > 0);
3151 s->n_connections--;
3152
f2341e0a 3153 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
5632e374
LP		 3154}
3155
d137a488
UTL		 3156static void socket_trigger_notify(Unit *u, Unit *other) {
3157 Socket *s = SOCKET(u);
d137a488
UTL		 3158
3159 assert(u);
3160 assert(other);
3161
d14e3a0d
LP		 3162 /* Filter out invocations with bogus state */
3163 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3164 return;
3165
3166 /* Don't propagate state changes from the service if we are already down */
3167 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
d137a488
UTL		 3168 return;
3169
d14e3a0d
LP		 3170 /* We don't care for the service state if we are in Accept=yes mode */
3171 if (s->accept)
3172 return;
3173
3174 /* Propagate start limit hit state */
6bf0f408
LP		 3175 if (other->start_limit_hit) {
3176 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
d137a488 3177 return;
6bf0f408 3178 }
d137a488 3179
d14e3a0d
LP		 3180 /* Don't propagate anything if there's still a job queued */
3181 if (other->job)
6bf0f408 3182 return;
d137a488 3183
6bf0f408
LP		 3184 if (IN_SET(SERVICE(other)->state,
3185 SERVICE_DEAD, SERVICE_FAILED,
3186 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3187 SERVICE_AUTO_RESTART))
3188 socket_enter_listening(s);
d137a488 3189
6bf0f408 3190 if (SERVICE(other)->state == SERVICE_RUNNING)
d137a488
UTL		 3191 socket_set_state(s, SOCKET_RUNNING);
3192}
3193
718db961 3194static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
814cc562 3195 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
8a0867d6
LP		 3196}
3197
7a7821c8 3198static int socket_get_timeout(Unit *u, usec_t *timeout) {
68db7a3b 3199 Socket *s = SOCKET(u);
7a7821c8 3200 usec_t t;
68db7a3b
ZJS		 3201 int r;
3202
3203 if (!s->timer_event_source)
3204 return 0;
3205
7a7821c8 3206 r = sd_event_source_get_time(s->timer_event_source, &t);
68db7a3b
ZJS		 3207 if (r < 0)
3208 return r;
7a7821c8
LP		 3209 if (t == USEC_INFINITY)
3210 return 0;
68db7a3b 3211
7a7821c8 3212 *timeout = t;
68db7a3b
ZJS		 3213 return 1;
3214}
3215
8dd4c05b
LP		 3216char *socket_fdname(Socket *s) {
3217 assert(s);
3218
3219 /* Returns the name to use for $LISTEN_NAMES. If the user
3220 * didn't specify anything specifically, use the socket unit's
3221 * name as fallback. */
3222
3223 if (s->fdname)
3224 return s->fdname;
3225
3226 return UNIT(s)->id;
3227}
3228
291d565a
LP		 3229static int socket_control_pid(Unit *u) {
3230 Socket *s = SOCKET(u);
3231
3232 assert(s);
3233
3234 return s->control_pid;
3235}
3236
a16e1123
LP		 3237static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3238 [SOCKET_EXEC_START_PRE] = "StartPre",
3900e5fd 3239 [SOCKET_EXEC_START_CHOWN] = "StartChown",
a16e1123
LP		 3240 [SOCKET_EXEC_START_POST] = "StartPost",
3241 [SOCKET_EXEC_STOP_PRE] = "StopPre",
3242 [SOCKET_EXEC_STOP_POST] = "StopPost"
3243};
3244
3245DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3246
cfc4eb4c
LP		 3247static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3248 [SOCKET_SUCCESS] = "success",
3249 [SOCKET_FAILURE_RESOURCES] = "resources",
3250 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3251 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3252 [SOCKET_FAILURE_SIGNAL] = "signal",
c2f34808 3253 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
07299350 3254 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
8b26cdbd 3255 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
6bf0f408 3256 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
cfc4eb4c
LP		 3257};
3258
3259DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3260
87f0e418 3261const UnitVTable socket_vtable = {
7d17cfbc 3262 .object_size = sizeof(Socket),
718db961
LP		 3263 .exec_context_offset = offsetof(Socket, exec_context),
3264 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3265 .kill_context_offset = offsetof(Socket, kill_context),
613b411c 3266 .exec_runtime_offset = offsetof(Socket, exec_runtime),
29206d46 3267 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3ef63c31 3268
f975e971
LP		 3269 .sections =
3270 "Unit\0"
3271 "Socket\0"
3272 "Install\0",
4ad49000 3273 .private_section = "Socket",
71645aca 3274
034c6ed7
LP		 3275 .init = socket_init,
3276 .done = socket_done,
a16e1123
LP		 3277 .load = socket_load,
3278
3279 .coldplug = socket_coldplug,
034c6ed7 3280
5cb5a6ff
LP		 3281 .dump = socket_dump,
3282
542563ba
LP		 3283 .start = socket_start,
3284 .stop = socket_stop,
5cb5a6ff 3285
718db961
LP		 3286 .kill = socket_kill,
3287
68db7a3b
ZJS		 3288 .get_timeout = socket_get_timeout,
3289
a16e1123
LP		 3290 .serialize = socket_serialize,
3291 .deserialize_item = socket_deserialize_item,
01e10de3 3292 .distribute_fds = socket_distribute_fds,
a16e1123 3293
5cb5a6ff 3294 .active_state = socket_active_state,
10a94420 3295 .sub_state_to_string = socket_sub_state_to_string,
5cb5a6ff 3296
6cf6bbc2
LP		 3297 .check_gc = socket_check_gc,
3298
034c6ed7 3299 .sigchld_event = socket_sigchld_event,
4139c1b2 3300
d137a488
UTL		 3301 .trigger_notify = socket_trigger_notify,
3302
fdf20a31 3303 .reset_failed = socket_reset_failed,
5632e374 3304
291d565a
LP		 3305 .control_pid = socket_control_pid,
3306
718db961 3307 .bus_vtable = bus_socket_vtable,
74c964d3
LP		 3308 .bus_set_property = bus_socket_set_property,
3309 .bus_commit_properties = bus_socket_commit_properties,
c6918296
MS		 3310
3311 .status_message_formats = {
3312 /*.starting_stopping = {
3313 [0] = "Starting socket %s...",
3314 [1] = "Stopping socket %s...",
3315 },*/
3316 .finished_start_job = {
3317 [JOB_DONE] = "Listening on %s.",
3318 [JOB_FAILED] = "Failed to listen on %s.",
c6918296
MS		 3319 [JOB_TIMEOUT] = "Timed out starting %s.",
3320 },
3321 .finished_stop_job = {
3322 [JOB_DONE] = "Closed %s.",
3323 [JOB_FAILED] = "Failed stopping %s.",
3324 [JOB_TIMEOUT] = "Timed out stopping %s.",
3325 },
3326 },
5cb5a6ff 3327};
Unnamed repository; edit this file 'description' to name the repository.