]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/socket.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
macro: introduce new TAKE_FD() macro
[thirdparty/systemd.git] / src / core / socket.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <mqueue.h>
25 #include <netinet/tcp.h>
26 #include <signal.h>
27 #include <sys/epoll.h>
28 #include <sys/stat.h>
29 #include <unistd.h>
30 #include <linux/sctp.h>
31
32 #include "alloc-util.h"
33 #include "bpf-firewall.h"
34 #include "bus-error.h"
35 #include "bus-util.h"
36 #include "copy.h"
37 #include "dbus-socket.h"
38 #include "def.h"
39 #include "exit-status.h"
40 #include "fd-util.h"
41 #include "format-util.h"
42 #include "fs-util.h"
43 #include "in-addr-util.h"
44 #include "io-util.h"
45 #include "label.h"
46 #include "log.h"
47 #include "missing.h"
48 #include "mkdir.h"
49 #include "parse-util.h"
50 #include "path-util.h"
51 #include "process-util.h"
52 #include "selinux-util.h"
53 #include "signal-util.h"
54 #include "smack-util.h"
55 #include "socket.h"
56 #include "socket-protocol-list.h"
57 #include "special.h"
58 #include "string-table.h"
59 #include "string-util.h"
60 #include "strv.h"
61 #include "unit-name.h"
62 #include "unit.h"
63 #include "user-util.h"
64
65 struct SocketPeer {
66 unsigned n_ref;
67
68 Socket *socket;
69 union sockaddr_union peer;
70 socklen_t peer_salen;
71 };
72
73 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
74 [SOCKET_DEAD] = UNIT_INACTIVE,
75 [SOCKET_START_PRE] = UNIT_ACTIVATING,
76 [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
77 [SOCKET_START_POST] = UNIT_ACTIVATING,
78 [SOCKET_LISTENING] = UNIT_ACTIVE,
79 [SOCKET_RUNNING] = UNIT_ACTIVE,
80 [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
81 [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
82 [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
83 [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
84 [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
85 [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
86 [SOCKET_FAILED] = UNIT_FAILED
87 };
88
89 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
90 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
91
92 static void socket_init(Unit *u) {
93 Socket *s = SOCKET(u);
94
95 assert(u);
96 assert(u->load_state == UNIT_STUB);
97
98 s->backlog = SOMAXCONN;
99 s->timeout_usec = u->manager->default_timeout_start_usec;
100 s->directory_mode = 0755;
101 s->socket_mode = 0666;
102
103 s->max_connections = 64;
104
105 s->priority = -1;
106 s->ip_tos = -1;
107 s->ip_ttl = -1;
108 s->mark = -1;
109
110 s->exec_context.std_output = u->manager->default_std_output;
111 s->exec_context.std_error = u->manager->default_std_error;
112
113 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
114
115 s->trigger_limit.interval = USEC_INFINITY;
116 s->trigger_limit.burst = (unsigned) -1;
117 }
118
119 static void socket_unwatch_control_pid(Socket *s) {
120 assert(s);
121
122 if (s->control_pid <= 0)
123 return;
124
125 unit_unwatch_pid(UNIT(s), s->control_pid);
126 s->control_pid = 0;
127 }
128
129 static void socket_cleanup_fd_list(SocketPort *p) {
130 assert(p);
131
132 close_many(p->auxiliary_fds, p->n_auxiliary_fds);
133 p->auxiliary_fds = mfree(p->auxiliary_fds);
134 p->n_auxiliary_fds = 0;
135 }
136
137 void socket_free_ports(Socket *s) {
138 SocketPort *p;
139
140 assert(s);
141
142 while ((p = s->ports)) {
143 LIST_REMOVE(port, s->ports, p);
144
145 sd_event_source_unref(p->event_source);
146
147 socket_cleanup_fd_list(p);
148 safe_close(p->fd);
149 free(p->path);
150 free(p);
151 }
152 }
153
154 static void socket_done(Unit *u) {
155 Socket *s = SOCKET(u);
156 SocketPeer *p;
157
158 assert(s);
159
160 socket_free_ports(s);
161
162 while ((p = set_steal_first(s->peers_by_address)))
163 p->socket = NULL;
164
165 s->peers_by_address = set_free(s->peers_by_address);
166
167 s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
168 exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
169 s->control_command = NULL;
170
171 dynamic_creds_unref(&s->dynamic_creds);
172
173 socket_unwatch_control_pid(s);
174
175 unit_ref_unset(&s->service);
176
177 s->tcp_congestion = mfree(s->tcp_congestion);
178 s->bind_to_device = mfree(s->bind_to_device);
179
180 s->smack = mfree(s->smack);
181 s->smack_ip_in = mfree(s->smack_ip_in);
182 s->smack_ip_out = mfree(s->smack_ip_out);
183
184 strv_free(s->symlinks);
185
186 s->user = mfree(s->user);
187 s->group = mfree(s->group);
188
189 s->fdname = mfree(s->fdname);
190
191 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
192 }
193
194 static int socket_arm_timer(Socket *s, usec_t usec) {
195 int r;
196
197 assert(s);
198
199 if (s->timer_event_source) {
200 r = sd_event_source_set_time(s->timer_event_source, usec);
201 if (r < 0)
202 return r;
203
204 return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
205 }
206
207 if (usec == USEC_INFINITY)
208 return 0;
209
210 r = sd_event_add_time(
211 UNIT(s)->manager->event,
212 &s->timer_event_source,
213 CLOCK_MONOTONIC,
214 usec, 0,
215 socket_dispatch_timer, s);
216 if (r < 0)
217 return r;
218
219 (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
220
221 return 0;
222 }
223
224 int socket_instantiate_service(Socket *s) {
225 _cleanup_free_ char *prefix = NULL, *name = NULL;
226 int r;
227 Unit *u;
228
229 assert(s);
230
231 /* This fills in s->service if it isn't filled in yet. For
232 * Accept=yes sockets we create the next connection service
233 * here. For Accept=no this is mostly a NOP since the service
234 * is figured out at load time anyway. */
235
236 if (UNIT_DEREF(s->service))
237 return 0;
238
239 if (!s->accept)
240 return 0;
241
242 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
243 if (r < 0)
244 return r;
245
246 if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
247 return -ENOMEM;
248
249 r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
250 if (r < 0)
251 return r;
252
253 unit_ref_set(&s->service, UNIT(s), u);
254
255 return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
256 }
257
258 static bool have_non_accept_socket(Socket *s) {
259 SocketPort *p;
260
261 assert(s);
262
263 if (!s->accept)
264 return true;
265
266 LIST_FOREACH(port, p, s->ports) {
267
268 if (p->type != SOCKET_SOCKET)
269 return true;
270
271 if (!socket_address_can_accept(&p->address))
272 return true;
273 }
274
275 return false;
276 }
277
278 static int socket_add_mount_dependencies(Socket *s) {
279 SocketPort *p;
280 int r;
281
282 assert(s);
283
284 LIST_FOREACH(port, p, s->ports) {
285 const char *path = NULL;
286
287 if (p->type == SOCKET_SOCKET)
288 path = socket_address_get_path(&p->address);
289 else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
290 path = p->path;
291
292 if (!path)
293 continue;
294
295 r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
296 if (r < 0)
297 return r;
298 }
299
300 return 0;
301 }
302
303 static int socket_add_device_dependencies(Socket *s) {
304 char *t;
305
306 assert(s);
307
308 if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
309 return 0;
310
311 t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
312 return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
313 }
314
315 static int socket_add_default_dependencies(Socket *s) {
316 int r;
317 assert(s);
318
319 if (!UNIT(s)->default_dependencies)
320 return 0;
321
322 r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
323 if (r < 0)
324 return r;
325
326 if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
327 r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
328 if (r < 0)
329 return r;
330 }
331
332 return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true, UNIT_DEPENDENCY_DEFAULT);
333 }
334
335 _pure_ static bool socket_has_exec(Socket *s) {
336 unsigned i;
337 assert(s);
338
339 for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
340 if (s->exec_command[i])
341 return true;
342
343 return false;
344 }
345
346 static int socket_add_extras(Socket *s) {
347 Unit *u = UNIT(s);
348 int r;
349
350 assert(s);
351
352 /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
353 * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
354 * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
355 * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
356 * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
357 * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
358 * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
359 * service starts are typical. */
360
361 if (s->trigger_limit.interval == USEC_INFINITY)
362 s->trigger_limit.interval = 2 * USEC_PER_SEC;
363
364 if (s->trigger_limit.burst == (unsigned) -1) {
365 if (s->accept)
366 s->trigger_limit.burst = 200;
367 else
368 s->trigger_limit.burst = 20;
369 }
370
371 if (have_non_accept_socket(s)) {
372
373 if (!UNIT_DEREF(s->service)) {
374 Unit *x;
375
376 r = unit_load_related_unit(u, ".service", &x);
377 if (r < 0)
378 return r;
379
380 unit_ref_set(&s->service, u, x);
381 }
382
383 r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
384 if (r < 0)
385 return r;
386 }
387
388 r = socket_add_mount_dependencies(s);
389 if (r < 0)
390 return r;
391
392 r = socket_add_device_dependencies(s);
393 if (r < 0)
394 return r;
395
396 r = unit_patch_contexts(u);
397 if (r < 0)
398 return r;
399
400 if (socket_has_exec(s)) {
401 r = unit_add_exec_dependencies(u, &s->exec_context);
402 if (r < 0)
403 return r;
404 }
405
406 r = unit_set_default_slice(u);
407 if (r < 0)
408 return r;
409
410 r = socket_add_default_dependencies(s);
411 if (r < 0)
412 return r;
413
414 return 0;
415 }
416
417 static const char *socket_find_symlink_target(Socket *s) {
418 const char *found = NULL;
419 SocketPort *p;
420
421 LIST_FOREACH(port, p, s->ports) {
422 const char *f = NULL;
423
424 switch (p->type) {
425
426 case SOCKET_FIFO:
427 f = p->path;
428 break;
429
430 case SOCKET_SOCKET:
431 f = socket_address_get_path(&p->address);
432 break;
433
434 default:
435 break;
436 }
437
438 if (f) {
439 if (found)
440 return NULL;
441
442 found = f;
443 }
444 }
445
446 return found;
447 }
448
449 static int socket_verify(Socket *s) {
450 assert(s);
451
452 if (UNIT(s)->load_state != UNIT_LOADED)
453 return 0;
454
455 if (!s->ports) {
456 log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
457 return -EINVAL;
458 }
459
460 if (s->accept && have_non_accept_socket(s)) {
461 log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
462 return -EINVAL;
463 }
464
465 if (s->accept && s->max_connections <= 0) {
466 log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
467 return -EINVAL;
468 }
469
470 if (s->accept && UNIT_DEREF(s->service)) {
471 log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
472 return -EINVAL;
473 }
474
475 if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
476 log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
477 return -EINVAL;
478 }
479
480 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
481 log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
482 return -EINVAL;
483 }
484
485 return 0;
486 }
487
488 static void peer_address_hash_func(const void *p, struct siphash *state) {
489 const SocketPeer *s = p;
490
491 assert(s);
492
493 if (s->peer.sa.sa_family == AF_INET)
494 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
495 else if (s->peer.sa.sa_family == AF_INET6)
496 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
497 else if (s->peer.sa.sa_family == AF_VSOCK)
498 siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
499 else
500 assert_not_reached("Unknown address family.");
501 }
502
503 static int peer_address_compare_func(const void *a, const void *b) {
504 const SocketPeer *x = a, *y = b;
505
506 if (x->peer.sa.sa_family < y->peer.sa.sa_family)
507 return -1;
508 if (x->peer.sa.sa_family > y->peer.sa.sa_family)
509 return 1;
510
511 switch(x->peer.sa.sa_family) {
512 case AF_INET:
513 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
514 case AF_INET6:
515 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
516 case AF_VSOCK:
517 if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
518 return -1;
519 if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
520 return 1;
521 return 0;
522 }
523 assert_not_reached("Black sheep in the family!");
524 }
525
526 const struct hash_ops peer_address_hash_ops = {
527 .hash = peer_address_hash_func,
528 .compare = peer_address_compare_func
529 };
530
531 static int socket_load(Unit *u) {
532 Socket *s = SOCKET(u);
533 int r;
534
535 assert(u);
536 assert(u->load_state == UNIT_STUB);
537
538 r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
539 if (r < 0)
540 return r;
541
542 r = unit_load_fragment_and_dropin(u);
543 if (r < 0)
544 return r;
545
546 if (u->load_state == UNIT_LOADED) {
547 /* This is a new unit? Then let's add in some extras */
548 r = socket_add_extras(s);
549 if (r < 0)
550 return r;
551 }
552
553 return socket_verify(s);
554 }
555
556 static SocketPeer *socket_peer_new(void) {
557 SocketPeer *p;
558
559 p = new0(SocketPeer, 1);
560 if (!p)
561 return NULL;
562
563 p->n_ref = 1;
564
565 return p;
566 }
567
568 SocketPeer *socket_peer_ref(SocketPeer *p) {
569 if (!p)
570 return NULL;
571
572 assert(p->n_ref > 0);
573 p->n_ref++;
574
575 return p;
576 }
577
578 SocketPeer *socket_peer_unref(SocketPeer *p) {
579 if (!p)
580 return NULL;
581
582 assert(p->n_ref > 0);
583
584 p->n_ref--;
585
586 if (p->n_ref > 0)
587 return NULL;
588
589 if (p->socket)
590 set_remove(p->socket->peers_by_address, p);
591
592 return mfree(p);
593 }
594
595 int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
596 _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
597 SocketPeer sa = {}, *i;
598 socklen_t salen = sizeof(sa.peer);
599 int r;
600
601 assert(fd >= 0);
602 assert(s);
603
604 r = getpeername(fd, &sa.peer.sa, &salen);
605 if (r < 0)
606 return log_error_errno(errno, "getpeername failed: %m");
607
608 if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
609 *p = NULL;
610 return 0;
611 }
612
613 i = set_get(s->peers_by_address, &sa);
614 if (i) {
615 *p = socket_peer_ref(i);
616 return 1;
617 }
618
619 remote = socket_peer_new();
620 if (!remote)
621 return log_oom();
622
623 remote->peer = sa.peer;
624 remote->peer_salen = salen;
625
626 r = set_put(s->peers_by_address, remote);
627 if (r < 0)
628 return r;
629
630 remote->socket = s;
631
632 *p = remote;
633 remote = NULL;
634
635 return 1;
636 }
637
638 _const_ static const char* listen_lookup(int family, int type) {
639
640 if (family == AF_NETLINK)
641 return "ListenNetlink";
642
643 if (type == SOCK_STREAM)
644 return "ListenStream";
645 else if (type == SOCK_DGRAM)
646 return "ListenDatagram";
647 else if (type == SOCK_SEQPACKET)
648 return "ListenSequentialPacket";
649
650 assert_not_reached("Unknown socket type");
651 return NULL;
652 }
653
654 static void socket_dump(Unit *u, FILE *f, const char *prefix) {
655 char time_string[FORMAT_TIMESPAN_MAX];
656 SocketExecCommand c;
657 Socket *s = SOCKET(u);
658 SocketPort *p;
659 const char *prefix2, *str;
660
661 assert(s);
662 assert(f);
663
664 prefix = strempty(prefix);
665 prefix2 = strjoina(prefix, "\t");
666
667 fprintf(f,
668 "%sSocket State: %s\n"
669 "%sResult: %s\n"
670 "%sBindIPv6Only: %s\n"
671 "%sBacklog: %u\n"
672 "%sSocketMode: %04o\n"
673 "%sDirectoryMode: %04o\n"
674 "%sKeepAlive: %s\n"
675 "%sNoDelay: %s\n"
676 "%sFreeBind: %s\n"
677 "%sTransparent: %s\n"
678 "%sBroadcast: %s\n"
679 "%sPassCredentials: %s\n"
680 "%sPassSecurity: %s\n"
681 "%sTCPCongestion: %s\n"
682 "%sRemoveOnStop: %s\n"
683 "%sWritable: %s\n"
684 "%sFileDescriptorName: %s\n"
685 "%sSELinuxContextFromNet: %s\n",
686 prefix, socket_state_to_string(s->state),
687 prefix, socket_result_to_string(s->result),
688 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
689 prefix, s->backlog,
690 prefix, s->socket_mode,
691 prefix, s->directory_mode,
692 prefix, yes_no(s->keep_alive),
693 prefix, yes_no(s->no_delay),
694 prefix, yes_no(s->free_bind),
695 prefix, yes_no(s->transparent),
696 prefix, yes_no(s->broadcast),
697 prefix, yes_no(s->pass_cred),
698 prefix, yes_no(s->pass_sec),
699 prefix, strna(s->tcp_congestion),
700 prefix, yes_no(s->remove_on_stop),
701 prefix, yes_no(s->writable),
702 prefix, socket_fdname(s),
703 prefix, yes_no(s->selinux_context_from_net));
704
705 if (s->control_pid > 0)
706 fprintf(f,
707 "%sControl PID: "PID_FMT"\n",
708 prefix, s->control_pid);
709
710 if (s->bind_to_device)
711 fprintf(f,
712 "%sBindToDevice: %s\n",
713 prefix, s->bind_to_device);
714
715 if (s->accept)
716 fprintf(f,
717 "%sAccepted: %u\n"
718 "%sNConnections: %u\n"
719 "%sMaxConnections: %u\n"
720 "%sMaxConnectionsPerSource: %u\n",
721 prefix, s->n_accepted,
722 prefix, s->n_connections,
723 prefix, s->max_connections,
724 prefix, s->max_connections_per_source);
725
726 if (s->priority >= 0)
727 fprintf(f,
728 "%sPriority: %i\n",
729 prefix, s->priority);
730
731 if (s->receive_buffer > 0)
732 fprintf(f,
733 "%sReceiveBuffer: %zu\n",
734 prefix, s->receive_buffer);
735
736 if (s->send_buffer > 0)
737 fprintf(f,
738 "%sSendBuffer: %zu\n",
739 prefix, s->send_buffer);
740
741 if (s->ip_tos >= 0)
742 fprintf(f,
743 "%sIPTOS: %i\n",
744 prefix, s->ip_tos);
745
746 if (s->ip_ttl >= 0)
747 fprintf(f,
748 "%sIPTTL: %i\n",
749 prefix, s->ip_ttl);
750
751 if (s->pipe_size > 0)
752 fprintf(f,
753 "%sPipeSize: %zu\n",
754 prefix, s->pipe_size);
755
756 if (s->mark >= 0)
757 fprintf(f,
758 "%sMark: %i\n",
759 prefix, s->mark);
760
761 if (s->mq_maxmsg > 0)
762 fprintf(f,
763 "%sMessageQueueMaxMessages: %li\n",
764 prefix, s->mq_maxmsg);
765
766 if (s->mq_msgsize > 0)
767 fprintf(f,
768 "%sMessageQueueMessageSize: %li\n",
769 prefix, s->mq_msgsize);
770
771 if (s->reuse_port)
772 fprintf(f,
773 "%sReusePort: %s\n",
774 prefix, yes_no(s->reuse_port));
775
776 if (s->smack)
777 fprintf(f,
778 "%sSmackLabel: %s\n",
779 prefix, s->smack);
780
781 if (s->smack_ip_in)
782 fprintf(f,
783 "%sSmackLabelIPIn: %s\n",
784 prefix, s->smack_ip_in);
785
786 if (s->smack_ip_out)
787 fprintf(f,
788 "%sSmackLabelIPOut: %s\n",
789 prefix, s->smack_ip_out);
790
791 if (!isempty(s->user) || !isempty(s->group))
792 fprintf(f,
793 "%sSocketUser: %s\n"
794 "%sSocketGroup: %s\n",
795 prefix, strna(s->user),
796 prefix, strna(s->group));
797
798 if (s->keep_alive_time > 0)
799 fprintf(f,
800 "%sKeepAliveTimeSec: %s\n",
801 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
802
803 if (s->keep_alive_interval)
804 fprintf(f,
805 "%sKeepAliveIntervalSec: %s\n",
806 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
807
808 if (s->keep_alive_cnt)
809 fprintf(f,
810 "%sKeepAliveProbes: %u\n",
811 prefix, s->keep_alive_cnt);
812
813 if (s->defer_accept)
814 fprintf(f,
815 "%sDeferAcceptSec: %s\n",
816 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
817
818 LIST_FOREACH(port, p, s->ports) {
819
820 if (p->type == SOCKET_SOCKET) {
821 const char *t;
822 int r;
823 char *k = NULL;
824
825 r = socket_address_print(&p->address, &k);
826 if (r < 0)
827 t = strerror(-r);
828 else
829 t = k;
830
831 fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
832 free(k);
833 } else if (p->type == SOCKET_SPECIAL)
834 fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
835 else if (p->type == SOCKET_USB_FUNCTION)
836 fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
837 else if (p->type == SOCKET_MQUEUE)
838 fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
839 else
840 fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
841 }
842
843 fprintf(f,
844 "%sTriggerLimitIntervalSec: %s\n"
845 "%sTriggerLimitBurst: %u\n",
846 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
847 prefix, s->trigger_limit.burst);
848
849 str = socket_protocol_to_name(s->socket_protocol);
850 if (str)
851 fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
852
853 if (!strv_isempty(s->symlinks)) {
854 char **q;
855
856 fprintf(f, "%sSymlinks:", prefix);
857 STRV_FOREACH(q, s->symlinks)
858 fprintf(f, " %s", *q);
859
860 fprintf(f, "\n");
861 }
862
863 fprintf(f,
864 "%sTimeoutSec: %s\n",
865 prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
866
867 exec_context_dump(&s->exec_context, f, prefix);
868 kill_context_dump(&s->kill_context, f, prefix);
869
870 for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
871 if (!s->exec_command[c])
872 continue;
873
874 fprintf(f, "%s-> %s:\n",
875 prefix, socket_exec_command_to_string(c));
876
877 exec_command_dump_list(s->exec_command[c], f, prefix2);
878 }
879
880 cgroup_context_dump(&s->cgroup_context, f, prefix);
881 }
882
883 static int instance_from_socket(int fd, unsigned nr, char **instance) {
884 socklen_t l;
885 char *r;
886 union sockaddr_union local, remote;
887
888 assert(fd >= 0);
889 assert(instance);
890
891 l = sizeof(local);
892 if (getsockname(fd, &local.sa, &l) < 0)
893 return -errno;
894
895 l = sizeof(remote);
896 if (getpeername(fd, &remote.sa, &l) < 0)
897 return -errno;
898
899 switch (local.sa.sa_family) {
900
901 case AF_INET: {
902 uint32_t
903 a = be32toh(local.in.sin_addr.s_addr),
904 b = be32toh(remote.in.sin_addr.s_addr);
905
906 if (asprintf(&r,
907 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
908 nr,
909 a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
910 be16toh(local.in.sin_port),
911 b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
912 be16toh(remote.in.sin_port)) < 0)
913 return -ENOMEM;
914
915 break;
916 }
917
918 case AF_INET6: {
919 static const unsigned char ipv4_prefix[] = {
920 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
921 };
922
923 if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
924 memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
925 const uint8_t
926 *a = local.in6.sin6_addr.s6_addr+12,
927 *b = remote.in6.sin6_addr.s6_addr+12;
928
929 if (asprintf(&r,
930 "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
931 nr,
932 a[0], a[1], a[2], a[3],
933 be16toh(local.in6.sin6_port),
934 b[0], b[1], b[2], b[3],
935 be16toh(remote.in6.sin6_port)) < 0)
936 return -ENOMEM;
937 } else {
938 char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
939
940 if (asprintf(&r,
941 "%u-%s:%u-%s:%u",
942 nr,
943 inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
944 be16toh(local.in6.sin6_port),
945 inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
946 be16toh(remote.in6.sin6_port)) < 0)
947 return -ENOMEM;
948 }
949
950 break;
951 }
952
953 case AF_UNIX: {
954 struct ucred ucred;
955 int k;
956
957 k = getpeercred(fd, &ucred);
958 if (k >= 0) {
959 if (asprintf(&r,
960 "%u-"PID_FMT"-"UID_FMT,
961 nr, ucred.pid, ucred.uid) < 0)
962 return -ENOMEM;
963 } else if (k == -ENODATA) {
964 /* This handles the case where somebody is
965 * connecting from another pid/uid namespace
966 * (e.g. from outside of our container). */
967 if (asprintf(&r,
968 "%u-unknown",
969 nr) < 0)
970 return -ENOMEM;
971 } else
972 return k;
973
974 break;
975 }
976
977 case AF_VSOCK:
978 if (asprintf(&r,
979 "%u-%u:%u-%u:%u",
980 nr,
981 local.vm.svm_cid, local.vm.svm_port,
982 remote.vm.svm_cid, remote.vm.svm_port) < 0)
983 return -ENOMEM;
984
985 break;
986
987 default:
988 assert_not_reached("Unhandled socket type.");
989 }
990
991 *instance = r;
992 return 0;
993 }
994
995 static void socket_close_fds(Socket *s) {
996 SocketPort *p;
997 char **i;
998
999 assert(s);
1000
1001 LIST_FOREACH(port, p, s->ports) {
1002 bool was_open;
1003
1004 was_open = p->fd >= 0;
1005
1006 p->event_source = sd_event_source_unref(p->event_source);
1007 p->fd = safe_close(p->fd);
1008 socket_cleanup_fd_list(p);
1009
1010 /* One little note: we should normally not delete any sockets in the file system here! After all some
1011 * other process we spawned might still have a reference of this fd and wants to continue to use
1012 * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
1013 * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
1014 * anyway, but only then. */
1015
1016 if (!was_open || !s->remove_on_stop)
1017 continue;
1018
1019 switch (p->type) {
1020
1021 case SOCKET_FIFO:
1022 (void) unlink(p->path);
1023 break;
1024
1025 case SOCKET_MQUEUE:
1026 (void) mq_unlink(p->path);
1027 break;
1028
1029 case SOCKET_SOCKET:
1030 (void) socket_address_unlink(&p->address);
1031 break;
1032
1033 default:
1034 break;
1035 }
1036 }
1037
1038 if (s->remove_on_stop)
1039 STRV_FOREACH(i, s->symlinks)
1040 (void) unlink(*i);
1041 }
1042
1043 static void socket_apply_socket_options(Socket *s, int fd) {
1044 int r;
1045
1046 assert(s);
1047 assert(fd >= 0);
1048
1049 if (s->keep_alive) {
1050 int b = s->keep_alive;
1051 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &b, sizeof(b)) < 0)
1052 log_unit_warning_errno(UNIT(s), errno, "SO_KEEPALIVE failed: %m");
1053 }
1054
1055 if (s->keep_alive_time) {
1056 int value = s->keep_alive_time / USEC_PER_SEC;
1057 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &value, sizeof(value)) < 0)
1058 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPIDLE failed: %m");
1059 }
1060
1061 if (s->keep_alive_interval) {
1062 int value = s->keep_alive_interval / USEC_PER_SEC;
1063 if (setsockopt(fd, SOL_TCP, TCP_KEEPINTVL, &value, sizeof(value)) < 0)
1064 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPINTVL failed: %m");
1065 }
1066
1067 if (s->keep_alive_cnt) {
1068 int value = s->keep_alive_cnt;
1069 if (setsockopt(fd, SOL_TCP, TCP_KEEPCNT, &value, sizeof(value)) < 0)
1070 log_unit_warning_errno(UNIT(s), errno, "TCP_KEEPCNT failed: %m");
1071 }
1072
1073 if (s->defer_accept) {
1074 int value = s->defer_accept / USEC_PER_SEC;
1075 if (setsockopt(fd, SOL_TCP, TCP_DEFER_ACCEPT, &value, sizeof(value)) < 0)
1076 log_unit_warning_errno(UNIT(s), errno, "TCP_DEFER_ACCEPT failed: %m");
1077 }
1078
1079 if (s->no_delay) {
1080 int b = s->no_delay;
1081
1082 if (s->socket_protocol == IPPROTO_SCTP) {
1083 if (setsockopt(fd, SOL_SCTP, SCTP_NODELAY, &b, sizeof(b)) < 0)
1084 log_unit_warning_errno(UNIT(s), errno, "SCTP_NODELAY failed: %m");
1085 } else {
1086 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &b, sizeof(b)) < 0)
1087 log_unit_warning_errno(UNIT(s), errno, "TCP_NODELAY failed: %m");
1088 }
1089 }
1090
1091 if (s->broadcast) {
1092 int one = 1;
1093 if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)) < 0)
1094 log_unit_warning_errno(UNIT(s), errno, "SO_BROADCAST failed: %m");
1095 }
1096
1097 if (s->pass_cred) {
1098 int one = 1;
1099 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
1100 log_unit_warning_errno(UNIT(s), errno, "SO_PASSCRED failed: %m");
1101 }
1102
1103 if (s->pass_sec) {
1104 int one = 1;
1105 if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
1106 log_unit_warning_errno(UNIT(s), errno, "SO_PASSSEC failed: %m");
1107 }
1108
1109 if (s->priority >= 0)
1110 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
1111 log_unit_warning_errno(UNIT(s), errno, "SO_PRIORITY failed: %m");
1112
1113 if (s->receive_buffer > 0) {
1114 int value = (int) s->receive_buffer;
1115
1116 /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
1119 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
1120 log_unit_warning_errno(UNIT(s), errno, "SO_RCVBUF failed: %m");
1121 }
1122
1123 if (s->send_buffer > 0) {
1124 int value = (int) s->send_buffer;
1125 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0)
1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0)
1127 log_unit_warning_errno(UNIT(s), errno, "SO_SNDBUF failed: %m");
1128 }
1129
1130 if (s->mark >= 0)
1131 if (setsockopt(fd, SOL_SOCKET, SO_MARK, &s->mark, sizeof(s->mark)) < 0)
1132 log_unit_warning_errno(UNIT(s), errno, "SO_MARK failed: %m");
1133
1134 if (s->ip_tos >= 0)
1135 if (setsockopt(fd, IPPROTO_IP, IP_TOS, &s->ip_tos, sizeof(s->ip_tos)) < 0)
1136 log_unit_warning_errno(UNIT(s), errno, "IP_TOS failed: %m");
1137
1138 if (s->ip_ttl >= 0) {
1139 int x;
1140
1141 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
1142
1143 if (socket_ipv6_is_supported())
1144 x = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &s->ip_ttl, sizeof(s->ip_ttl));
1145 else {
1146 x = -1;
1147 errno = EAFNOSUPPORT;
1148 }
1149
1150 if (r < 0 && x < 0)
1151 log_unit_warning_errno(UNIT(s), errno, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1152 }
1153
1154 if (s->tcp_congestion)
1155 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1156 log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1157
1158 if (s->smack_ip_in) {
1159 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1160 if (r < 0)
1161 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1162 }
1163
1164 if (s->smack_ip_out) {
1165 r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1166 if (r < 0)
1167 log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1168 }
1169 }
1170
1171 static void socket_apply_fifo_options(Socket *s, int fd) {
1172 int r;
1173
1174 assert(s);
1175 assert(fd >= 0);
1176
1177 if (s->pipe_size > 0)
1178 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1179 log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1180
1181 if (s->smack) {
1182 r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1183 if (r < 0)
1184 log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1185 }
1186 }
1187
1188 static int fifo_address_create(
1189 const char *path,
1190 mode_t directory_mode,
1191 mode_t socket_mode) {
1192
1193 _cleanup_close_ int fd = -1;
1194 mode_t old_mask;
1195 struct stat st;
1196 int r;
1197
1198 assert(path);
1199
1200 (void) mkdir_parents_label(path, directory_mode);
1201
1202 r = mac_selinux_create_file_prepare(path, S_IFIFO);
1203 if (r < 0)
1204 return r;
1205
1206 /* Enforce the right access mode for the fifo */
1207 old_mask = umask(~ socket_mode);
1208
1209 /* Include the original umask in our mask */
1210 (void) umask(~socket_mode | old_mask);
1211
1212 r = mkfifo(path, socket_mode);
1213 (void) umask(old_mask);
1214
1215 if (r < 0 && errno != EEXIST) {
1216 r = -errno;
1217 goto fail;
1218 }
1219
1220 fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1221 if (fd < 0) {
1222 r = -errno;
1223 goto fail;
1224 }
1225
1226 mac_selinux_create_file_clear();
1227
1228 if (fstat(fd, &st) < 0) {
1229 r = -errno;
1230 goto fail;
1231 }
1232
1233 if (!S_ISFIFO(st.st_mode) ||
1234 (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1235 st.st_uid != getuid() ||
1236 st.st_gid != getgid()) {
1237 r = -EEXIST;
1238 goto fail;
1239 }
1240
1241 return TAKE_FD(fd);
1242
1243 fail:
1244 mac_selinux_create_file_clear();
1245 return r;
1246 }
1247
1248 static int special_address_create(const char *path, bool writable) {
1249 _cleanup_close_ int fd = -1;
1250 struct stat st;
1251
1252 assert(path);
1253
1254 fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1255 if (fd < 0)
1256 return -errno;
1257
1258 if (fstat(fd, &st) < 0)
1259 return -errno;
1260
1261 /* Check whether this is a /proc, /sys or /dev file or char device */
1262 if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1263 return -EEXIST;
1264
1265 return TAKE_FD(fd);
1266 }
1267
1268 static int usbffs_address_create(const char *path) {
1269 _cleanup_close_ int fd = -1;
1270 struct stat st;
1271
1272 assert(path);
1273
1274 fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1275 if (fd < 0)
1276 return -errno;
1277
1278 if (fstat(fd, &st) < 0)
1279 return -errno;
1280
1281 /* Check whether this is a regular file (ffs endpoint) */
1282 if (!S_ISREG(st.st_mode))
1283 return -EEXIST;
1284
1285 return TAKE_FD(fd);
1286 }
1287
1288 static int mq_address_create(
1289 const char *path,
1290 mode_t mq_mode,
1291 long maxmsg,
1292 long msgsize) {
1293
1294 _cleanup_close_ int fd = -1;
1295 struct stat st;
1296 mode_t old_mask;
1297 struct mq_attr _attr, *attr = NULL;
1298
1299 assert(path);
1300
1301 if (maxmsg > 0 && msgsize > 0) {
1302 _attr = (struct mq_attr) {
1303 .mq_flags = O_NONBLOCK,
1304 .mq_maxmsg = maxmsg,
1305 .mq_msgsize = msgsize,
1306 };
1307 attr = &_attr;
1308 }
1309
1310 /* Enforce the right access mode for the mq */
1311 old_mask = umask(~ mq_mode);
1312
1313 /* Include the original umask in our mask */
1314 (void) umask(~mq_mode | old_mask);
1315 fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1316 (void) umask(old_mask);
1317
1318 if (fd < 0)
1319 return -errno;
1320
1321 if (fstat(fd, &st) < 0)
1322 return -errno;
1323
1324 if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1325 st.st_uid != getuid() ||
1326 st.st_gid != getgid())
1327 return -EEXIST;
1328
1329 return TAKE_FD(fd);
1330 }
1331
1332 static int socket_symlink(Socket *s) {
1333 const char *p;
1334 char **i;
1335 int r;
1336
1337 assert(s);
1338
1339 p = socket_find_symlink_target(s);
1340 if (!p)
1341 return 0;
1342
1343 STRV_FOREACH(i, s->symlinks) {
1344 (void) mkdir_parents_label(*i, s->directory_mode);
1345
1346 r = symlink_idempotent(p, *i);
1347
1348 if (r == -EEXIST && s->remove_on_stop) {
1349 /* If there's already something where we want to create the symlink, and the destructive
1350 * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1351 * again. */
1352
1353 if (unlink(*i) >= 0)
1354 r = symlink_idempotent(p, *i);
1355 }
1356
1357 if (r < 0)
1358 log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1359 }
1360
1361 return 0;
1362 }
1363
1364 static int usbffs_write_descs(int fd, Service *s) {
1365 int r;
1366
1367 if (!s->usb_function_descriptors || !s->usb_function_strings)
1368 return -EINVAL;
1369
1370 r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1371 if (r < 0)
1372 return r;
1373
1374 return copy_file_fd(s->usb_function_strings, fd, 0);
1375 }
1376
1377 static int usbffs_select_ep(const struct dirent *d) {
1378 return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1379 }
1380
1381 static int usbffs_dispatch_eps(SocketPort *p) {
1382 _cleanup_free_ struct dirent **ent = NULL;
1383 int r, i, n, k;
1384
1385 r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1386 if (r < 0)
1387 return -errno;
1388
1389 n = r;
1390 p->auxiliary_fds = new(int, n);
1391 if (!p->auxiliary_fds)
1392 return -ENOMEM;
1393
1394 p->n_auxiliary_fds = n;
1395
1396 k = 0;
1397 for (i = 0; i < n; ++i) {
1398 _cleanup_free_ char *ep = NULL;
1399
1400 ep = path_make_absolute(ent[i]->d_name, p->path);
1401 if (!ep)
1402 return -ENOMEM;
1403
1404 path_kill_slashes(ep);
1405
1406 r = usbffs_address_create(ep);
1407 if (r < 0)
1408 goto fail;
1409
1410 p->auxiliary_fds[k] = r;
1411
1412 ++k;
1413 free(ent[i]);
1414 }
1415
1416 return r;
1417
1418 fail:
1419 close_many(p->auxiliary_fds, k);
1420 p->auxiliary_fds = mfree(p->auxiliary_fds);
1421 p->n_auxiliary_fds = 0;
1422
1423 return r;
1424 }
1425
1426 static int socket_determine_selinux_label(Socket *s, char **ret) {
1427 Service *service;
1428 ExecCommand *c;
1429 const char *path;
1430 int r;
1431
1432 assert(s);
1433 assert(ret);
1434
1435 if (s->selinux_context_from_net) {
1436 /* If this is requested, get label from the network label */
1437
1438 r = mac_selinux_get_our_label(ret);
1439 if (r == -EOPNOTSUPP)
1440 goto no_label;
1441
1442 } else {
1443 /* Otherwise, get it from the executable we are about to start */
1444 r = socket_instantiate_service(s);
1445 if (r < 0)
1446 return r;
1447
1448 if (!UNIT_ISSET(s->service))
1449 goto no_label;
1450
1451 service = SERVICE(UNIT_DEREF(s->service));
1452 c = service->exec_command[SERVICE_EXEC_START];
1453 if (!c)
1454 goto no_label;
1455
1456 path = prefix_roota(service->exec_context.root_directory, c->path);
1457 r = mac_selinux_get_create_label_from_exe(path, ret);
1458 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1459 goto no_label;
1460 }
1461
1462 return r;
1463
1464 no_label:
1465 *ret = NULL;
1466 return 0;
1467 }
1468
1469 static int socket_address_listen_do(
1470 Socket *s,
1471 const SocketAddress *address,
1472 const char *label) {
1473
1474 assert(s);
1475 assert(address);
1476
1477 return socket_address_listen(
1478 address,
1479 SOCK_CLOEXEC|SOCK_NONBLOCK,
1480 s->backlog,
1481 s->bind_ipv6_only,
1482 s->bind_to_device,
1483 s->reuse_port,
1484 s->free_bind,
1485 s->transparent,
1486 s->directory_mode,
1487 s->socket_mode,
1488 label);
1489 }
1490
1491 static int socket_address_listen_in_cgroup(
1492 Socket *s,
1493 const SocketAddress *address,
1494 const char *label) {
1495
1496 _cleanup_close_pair_ int pair[2] = { -1, -1 };
1497 int fd, r;
1498 pid_t pid;
1499
1500 assert(s);
1501 assert(address);
1502
1503 /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the socket's cgroup
1504 * in which the socket is actually created. This way we ensure the socket is actually properly attached to the
1505 * unit's cgroup for the purpose of BPF filtering and such. */
1506
1507 if (!IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6))
1508 goto shortcut; /* BPF filtering only applies to IPv4 + IPv6, shortcut things for other protocols */
1509
1510 r = bpf_firewall_supported();
1511 if (r < 0)
1512 return r;
1513 if (r == BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1514 goto shortcut;
1515
1516 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1517 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1518
1519 r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1520 if (r < 0)
1521 return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1522 if (r == 0) {
1523 /* Child */
1524
1525 pair[0] = safe_close(pair[0]);
1526
1527 fd = socket_address_listen_do(s, address, label);
1528 if (fd < 0) {
1529 log_unit_error_errno(UNIT(s), fd, "Failed to create listening socket: %m");
1530 _exit(EXIT_FAILURE);
1531 }
1532
1533 r = send_one_fd(pair[1], fd, 0);
1534 if (r < 0) {
1535 log_unit_error_errno(UNIT(s), r, "Failed to send listening socket to parent: %m");
1536 _exit(EXIT_FAILURE);
1537 }
1538
1539 _exit(EXIT_SUCCESS);
1540 }
1541
1542 pair[1] = safe_close(pair[1]);
1543 fd = receive_one_fd(pair[0], 0);
1544
1545 /* We synchronously wait for the helper, as it shouldn't be slow */
1546 r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1547 if (r < 0) {
1548 safe_close(fd);
1549 return r;
1550 }
1551
1552 if (fd < 0)
1553 return log_unit_error_errno(UNIT(s), fd, "Failed to receive listening socket: %m");
1554
1555 return fd;
1556
1557 shortcut:
1558 fd = socket_address_listen_do(s, address, label);
1559 if (fd < 0)
1560 return log_error_errno(fd, "Failed to create listening socket: %m");
1561
1562 return fd;
1563 }
1564
1565 static int socket_open_fds(Socket *s) {
1566 _cleanup_(mac_selinux_freep) char *label = NULL;
1567 bool know_label = false;
1568 SocketPort *p;
1569 int r;
1570
1571 assert(s);
1572
1573 LIST_FOREACH(port, p, s->ports) {
1574
1575 if (p->fd >= 0)
1576 continue;
1577
1578 switch (p->type) {
1579
1580 case SOCKET_SOCKET:
1581
1582 if (!know_label) {
1583 /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1584 * we need this and remember it for the rest. */
1585
1586 r = socket_determine_selinux_label(s, &label);
1587 if (r < 0)
1588 goto rollback;
1589
1590 know_label = true;
1591 }
1592
1593 /* Apply the socket protocol */
1594 switch (p->address.type) {
1595
1596 case SOCK_STREAM:
1597 case SOCK_SEQPACKET:
1598 if (s->socket_protocol == IPPROTO_SCTP)
1599 p->address.protocol = s->socket_protocol;
1600 break;
1601
1602 case SOCK_DGRAM:
1603 if (s->socket_protocol == IPPROTO_UDPLITE)
1604 p->address.protocol = s->socket_protocol;
1605 break;
1606 }
1607
1608 r = socket_address_listen_in_cgroup(s, &p->address, label);
1609 if (r < 0)
1610 goto rollback;
1611
1612 p->fd = r;
1613 socket_apply_socket_options(s, p->fd);
1614 socket_symlink(s);
1615 break;
1616
1617 case SOCKET_SPECIAL:
1618
1619 p->fd = special_address_create(p->path, s->writable);
1620 if (p->fd < 0) {
1621 r = p->fd;
1622 goto rollback;
1623 }
1624 break;
1625
1626 case SOCKET_FIFO:
1627
1628 p->fd = fifo_address_create(
1629 p->path,
1630 s->directory_mode,
1631 s->socket_mode);
1632 if (p->fd < 0) {
1633 r = p->fd;
1634 goto rollback;
1635 }
1636
1637 socket_apply_fifo_options(s, p->fd);
1638 socket_symlink(s);
1639 break;
1640
1641 case SOCKET_MQUEUE:
1642
1643 p->fd = mq_address_create(
1644 p->path,
1645 s->socket_mode,
1646 s->mq_maxmsg,
1647 s->mq_msgsize);
1648 if (p->fd < 0) {
1649 r = p->fd;
1650 goto rollback;
1651 }
1652 break;
1653
1654 case SOCKET_USB_FUNCTION: {
1655 _cleanup_free_ char *ep = NULL;
1656
1657 ep = path_make_absolute("ep0", p->path);
1658
1659 p->fd = usbffs_address_create(ep);
1660 if (p->fd < 0) {
1661 r = p->fd;
1662 goto rollback;
1663 }
1664
1665 r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1666 if (r < 0)
1667 goto rollback;
1668
1669 r = usbffs_dispatch_eps(p);
1670 if (r < 0)
1671 goto rollback;
1672
1673 break;
1674 }
1675 default:
1676 assert_not_reached("Unknown port type");
1677 }
1678 }
1679
1680 return 0;
1681
1682 rollback:
1683 socket_close_fds(s);
1684 return r;
1685 }
1686
1687 static void socket_unwatch_fds(Socket *s) {
1688 SocketPort *p;
1689 int r;
1690
1691 assert(s);
1692
1693 LIST_FOREACH(port, p, s->ports) {
1694 if (p->fd < 0)
1695 continue;
1696
1697 if (!p->event_source)
1698 continue;
1699
1700 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1701 if (r < 0)
1702 log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1703 }
1704 }
1705
1706 static int socket_watch_fds(Socket *s) {
1707 SocketPort *p;
1708 int r;
1709
1710 assert(s);
1711
1712 LIST_FOREACH(port, p, s->ports) {
1713 if (p->fd < 0)
1714 continue;
1715
1716 if (p->event_source) {
1717 r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1718 if (r < 0)
1719 goto fail;
1720 } else {
1721 r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1722 if (r < 0)
1723 goto fail;
1724
1725 (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1726 }
1727 }
1728
1729 return 0;
1730
1731 fail:
1732 log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1733 socket_unwatch_fds(s);
1734 return r;
1735 }
1736
1737 enum {
1738 SOCKET_OPEN_NONE,
1739 SOCKET_OPEN_SOME,
1740 SOCKET_OPEN_ALL,
1741 };
1742
1743 static int socket_check_open(Socket *s) {
1744 bool have_open = false, have_closed = false;
1745 SocketPort *p;
1746
1747 assert(s);
1748
1749 LIST_FOREACH(port, p, s->ports) {
1750 if (p->fd < 0)
1751 have_closed = true;
1752 else
1753 have_open = true;
1754
1755 if (have_open && have_closed)
1756 return SOCKET_OPEN_SOME;
1757 }
1758
1759 if (have_open)
1760 return SOCKET_OPEN_ALL;
1761
1762 return SOCKET_OPEN_NONE;
1763 }
1764
1765 static void socket_set_state(Socket *s, SocketState state) {
1766 SocketState old_state;
1767 assert(s);
1768
1769 old_state = s->state;
1770 s->state = state;
1771
1772 if (!IN_SET(state,
1773 SOCKET_START_PRE,
1774 SOCKET_START_CHOWN,
1775 SOCKET_START_POST,
1776 SOCKET_STOP_PRE,
1777 SOCKET_STOP_PRE_SIGTERM,
1778 SOCKET_STOP_PRE_SIGKILL,
1779 SOCKET_STOP_POST,
1780 SOCKET_FINAL_SIGTERM,
1781 SOCKET_FINAL_SIGKILL)) {
1782
1783 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1784 socket_unwatch_control_pid(s);
1785 s->control_command = NULL;
1786 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1787 }
1788
1789 if (state != SOCKET_LISTENING)
1790 socket_unwatch_fds(s);
1791
1792 if (!IN_SET(state,
1793 SOCKET_START_CHOWN,
1794 SOCKET_START_POST,
1795 SOCKET_LISTENING,
1796 SOCKET_RUNNING,
1797 SOCKET_STOP_PRE,
1798 SOCKET_STOP_PRE_SIGTERM,
1799 SOCKET_STOP_PRE_SIGKILL))
1800 socket_close_fds(s);
1801
1802 if (state != old_state)
1803 log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1804
1805 unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], true);
1806 }
1807
1808 static int socket_coldplug(Unit *u) {
1809 Socket *s = SOCKET(u);
1810 int r;
1811
1812 assert(s);
1813 assert(s->state == SOCKET_DEAD);
1814
1815 if (s->deserialized_state == s->state)
1816 return 0;
1817
1818 if (s->control_pid > 0 &&
1819 pid_is_unwaited(s->control_pid) &&
1820 IN_SET(s->deserialized_state,
1821 SOCKET_START_PRE,
1822 SOCKET_START_CHOWN,
1823 SOCKET_START_POST,
1824 SOCKET_STOP_PRE,
1825 SOCKET_STOP_PRE_SIGTERM,
1826 SOCKET_STOP_PRE_SIGKILL,
1827 SOCKET_STOP_POST,
1828 SOCKET_FINAL_SIGTERM,
1829 SOCKET_FINAL_SIGKILL)) {
1830
1831 r = unit_watch_pid(UNIT(s), s->control_pid);
1832 if (r < 0)
1833 return r;
1834
1835 r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1836 if (r < 0)
1837 return r;
1838 }
1839
1840 if (IN_SET(s->deserialized_state,
1841 SOCKET_START_CHOWN,
1842 SOCKET_START_POST,
1843 SOCKET_LISTENING,
1844 SOCKET_RUNNING)) {
1845
1846 /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1847 * for. However, this is problematic, as we won't traverse throught the SOCKET_START_CHOWN state for
1848 * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1849 * and if there's a mismatch, warn loudly. */
1850
1851 r = socket_check_open(s);
1852 if (r == SOCKET_OPEN_NONE)
1853 log_unit_warning(UNIT(s),
1854 "Socket unit configuration has changed while unit has been running, "
1855 "no open socket file descriptor left. "
1856 "The socket unit is not functional until restarted.");
1857 else if (r == SOCKET_OPEN_SOME)
1858 log_unit_warning(UNIT(s),
1859 "Socket unit configuration has changed while unit has been running, "
1860 "and some socket file descriptors have not been opened yet. "
1861 "The socket unit is not fully functional until restarted.");
1862 }
1863
1864 if (s->deserialized_state == SOCKET_LISTENING) {
1865 r = socket_watch_fds(s);
1866 if (r < 0)
1867 return r;
1868 }
1869
1870 if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
1871 (void) unit_setup_dynamic_creds(u);
1872 (void) unit_setup_exec_runtime(u);
1873 }
1874
1875 socket_set_state(s, s->deserialized_state);
1876 return 0;
1877 }
1878
1879 static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1880
1881 ExecParameters exec_params = {
1882 .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1883 .stdin_fd = -1,
1884 .stdout_fd = -1,
1885 .stderr_fd = -1,
1886 };
1887 pid_t pid;
1888 int r;
1889
1890 assert(s);
1891 assert(c);
1892 assert(_pid);
1893
1894 r = unit_prepare_exec(UNIT(s));
1895 if (r < 0)
1896 return r;
1897
1898 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1899 if (r < 0)
1900 return r;
1901
1902 unit_set_exec_params(UNIT(s), &exec_params);
1903
1904 exec_params.argv = c->argv;
1905
1906 r = exec_spawn(UNIT(s),
1907 c,
1908 &s->exec_context,
1909 &exec_params,
1910 s->exec_runtime,
1911 &s->dynamic_creds,
1912 &pid);
1913 if (r < 0)
1914 return r;
1915
1916 r = unit_watch_pid(UNIT(s), pid);
1917 if (r < 0)
1918 /* FIXME: we need to do something here */
1919 return r;
1920
1921 *_pid = pid;
1922
1923 return 0;
1924 }
1925
1926 static int socket_chown(Socket *s, pid_t *_pid) {
1927 pid_t pid;
1928 int r;
1929
1930 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1931 if (r < 0)
1932 goto fail;
1933
1934 /* We have to resolve the user names out-of-process, hence
1935 * let's fork here. It's messy, but well, what can we do? */
1936
1937 r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1938 if (r < 0)
1939 return r;
1940 if (r == 0) {
1941 uid_t uid = UID_INVALID;
1942 gid_t gid = GID_INVALID;
1943 SocketPort *p;
1944
1945 /* Child */
1946
1947 if (!isempty(s->user)) {
1948 const char *user = s->user;
1949
1950 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
1951 if (r < 0) {
1952 log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1953 _exit(EXIT_USER);
1954 }
1955 }
1956
1957 if (!isempty(s->group)) {
1958 const char *group = s->group;
1959
1960 r = get_group_creds(&group, &gid);
1961 if (r < 0) {
1962 log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1963 _exit(EXIT_GROUP);
1964 }
1965 }
1966
1967 LIST_FOREACH(port, p, s->ports) {
1968 const char *path = NULL;
1969
1970 if (p->type == SOCKET_SOCKET)
1971 path = socket_address_get_path(&p->address);
1972 else if (p->type == SOCKET_FIFO)
1973 path = p->path;
1974
1975 if (!path)
1976 continue;
1977
1978 if (chown(path, uid, gid) < 0) {
1979 log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
1980 _exit(EXIT_CHOWN);
1981 }
1982 }
1983
1984 _exit(EXIT_SUCCESS);
1985 }
1986
1987 r = unit_watch_pid(UNIT(s), pid);
1988 if (r < 0)
1989 goto fail;
1990
1991 *_pid = pid;
1992 return 0;
1993
1994 fail:
1995 s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1996 return r;
1997 }
1998
1999 static void socket_enter_dead(Socket *s, SocketResult f) {
2000 assert(s);
2001
2002 if (s->result == SOCKET_SUCCESS)
2003 s->result = f;
2004
2005 if (s->result != SOCKET_SUCCESS)
2006 log_unit_warning(UNIT(s), "Failed with result '%s'.", socket_result_to_string(s->result));
2007
2008 socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2009
2010 s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
2011
2012 exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2013
2014 unit_unref_uid_gid(UNIT(s), true);
2015
2016 dynamic_creds_destroy(&s->dynamic_creds);
2017 }
2018
2019 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2020
2021 static void socket_enter_stop_post(Socket *s, SocketResult f) {
2022 int r;
2023 assert(s);
2024
2025 if (s->result == SOCKET_SUCCESS)
2026 s->result = f;
2027
2028 socket_unwatch_control_pid(s);
2029 s->control_command_id = SOCKET_EXEC_STOP_POST;
2030 s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2031
2032 if (s->control_command) {
2033 r = socket_spawn(s, s->control_command, &s->control_pid);
2034 if (r < 0)
2035 goto fail;
2036
2037 socket_set_state(s, SOCKET_STOP_POST);
2038 } else
2039 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2040
2041 return;
2042
2043 fail:
2044 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2045 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2046 }
2047
2048 static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2049 int r;
2050
2051 assert(s);
2052
2053 if (s->result == SOCKET_SUCCESS)
2054 s->result = f;
2055
2056 r = unit_kill_context(
2057 UNIT(s),
2058 &s->kill_context,
2059 !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2060 KILL_KILL : KILL_TERMINATE,
2061 -1,
2062 s->control_pid,
2063 false);
2064 if (r < 0)
2065 goto fail;
2066
2067 if (r > 0) {
2068 r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2069 if (r < 0)
2070 goto fail;
2071
2072 socket_set_state(s, state);
2073 } else if (state == SOCKET_STOP_PRE_SIGTERM)
2074 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2075 else if (state == SOCKET_STOP_PRE_SIGKILL)
2076 socket_enter_stop_post(s, SOCKET_SUCCESS);
2077 else if (state == SOCKET_FINAL_SIGTERM)
2078 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2079 else
2080 socket_enter_dead(s, SOCKET_SUCCESS);
2081
2082 return;
2083
2084 fail:
2085 log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2086
2087 if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2088 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2089 else
2090 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2091 }
2092
2093 static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2094 int r;
2095 assert(s);
2096
2097 if (s->result == SOCKET_SUCCESS)
2098 s->result = f;
2099
2100 socket_unwatch_control_pid(s);
2101 s->control_command_id = SOCKET_EXEC_STOP_PRE;
2102 s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2103
2104 if (s->control_command) {
2105 r = socket_spawn(s, s->control_command, &s->control_pid);
2106 if (r < 0)
2107 goto fail;
2108
2109 socket_set_state(s, SOCKET_STOP_PRE);
2110 } else
2111 socket_enter_stop_post(s, SOCKET_SUCCESS);
2112
2113 return;
2114
2115 fail:
2116 log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2117 socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2118 }
2119
2120 static void socket_enter_listening(Socket *s) {
2121 int r;
2122 assert(s);
2123
2124 r = socket_watch_fds(s);
2125 if (r < 0) {
2126 log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2127 goto fail;
2128 }
2129
2130 socket_set_state(s, SOCKET_LISTENING);
2131 return;
2132
2133 fail:
2134 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2135 }
2136
2137 static void socket_enter_start_post(Socket *s) {
2138 int r;
2139 assert(s);
2140
2141 socket_unwatch_control_pid(s);
2142 s->control_command_id = SOCKET_EXEC_START_POST;
2143 s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2144
2145 if (s->control_command) {
2146 r = socket_spawn(s, s->control_command, &s->control_pid);
2147 if (r < 0) {
2148 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2149 goto fail;
2150 }
2151
2152 socket_set_state(s, SOCKET_START_POST);
2153 } else
2154 socket_enter_listening(s);
2155
2156 return;
2157
2158 fail:
2159 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2160 }
2161
2162 static void socket_enter_start_chown(Socket *s) {
2163 int r;
2164
2165 assert(s);
2166
2167 r = socket_open_fds(s);
2168 if (r < 0) {
2169 log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2170 goto fail;
2171 }
2172
2173 if (!isempty(s->user) || !isempty(s->group)) {
2174
2175 socket_unwatch_control_pid(s);
2176 s->control_command_id = SOCKET_EXEC_START_CHOWN;
2177 s->control_command = NULL;
2178
2179 r = socket_chown(s, &s->control_pid);
2180 if (r < 0) {
2181 log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2182 goto fail;
2183 }
2184
2185 socket_set_state(s, SOCKET_START_CHOWN);
2186 } else
2187 socket_enter_start_post(s);
2188
2189 return;
2190
2191 fail:
2192 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2193 }
2194
2195 static void socket_enter_start_pre(Socket *s) {
2196 int r;
2197 assert(s);
2198
2199 socket_unwatch_control_pid(s);
2200
2201 unit_warn_leftover_processes(UNIT(s));
2202
2203 s->control_command_id = SOCKET_EXEC_START_PRE;
2204 s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2205
2206 if (s->control_command) {
2207 r = socket_spawn(s, s->control_command, &s->control_pid);
2208 if (r < 0) {
2209 log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2210 goto fail;
2211 }
2212
2213 socket_set_state(s, SOCKET_START_PRE);
2214 } else
2215 socket_enter_start_chown(s);
2216
2217 return;
2218
2219 fail:
2220 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2221 }
2222
2223 static void flush_ports(Socket *s) {
2224 SocketPort *p;
2225
2226 /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2227 * anymore */
2228
2229 LIST_FOREACH(port, p, s->ports) {
2230 if (p->fd < 0)
2231 continue;
2232
2233 (void) flush_accept(p->fd);
2234 (void) flush_fd(p->fd);
2235 }
2236 }
2237
2238 static void socket_enter_running(Socket *s, int cfd) {
2239 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2240 int r;
2241
2242 /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2243 * close it. */
2244
2245 assert(s);
2246
2247 /* We don't take connections anymore if we are supposed to shut down anyway */
2248 if (unit_stop_pending(UNIT(s))) {
2249
2250 log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2251
2252 if (cfd >= 0)
2253 cfd = safe_close(cfd);
2254 else
2255 flush_ports(s);
2256
2257 return;
2258 }
2259
2260 if (!ratelimit_test(&s->trigger_limit)) {
2261 safe_close(cfd);
2262 log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2263 socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2264 return;
2265 }
2266
2267 if (cfd < 0) {
2268 bool pending = false;
2269 Unit *other;
2270 Iterator i;
2271 void *v;
2272
2273 /* If there's already a start pending don't bother to
2274 * do anything */
2275 HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2276 if (unit_active_or_pending(other)) {
2277 pending = true;
2278 break;
2279 }
2280
2281 if (!pending) {
2282 if (!UNIT_ISSET(s->service)) {
2283 log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2284 r = -ENOENT;
2285 goto fail;
2286 }
2287
2288 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, &error, NULL);
2289 if (r < 0)
2290 goto fail;
2291 }
2292
2293 socket_set_state(s, SOCKET_RUNNING);
2294 } else {
2295 _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2296 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2297 Service *service;
2298
2299 if (s->n_connections >= s->max_connections) {
2300 log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2301 s->n_connections);
2302 safe_close(cfd);
2303 return;
2304 }
2305
2306 if (s->max_connections_per_source > 0) {
2307 r = socket_acquire_peer(s, cfd, &p);
2308 if (r < 0) {
2309 safe_close(cfd);
2310 return;
2311 } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2312 _cleanup_free_ char *t = NULL;
2313
2314 (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2315
2316 log_unit_warning(UNIT(s),
2317 "Too many incoming connections (%u) from source %s, dropping connection.",
2318 p->n_ref, strnull(t));
2319 safe_close(cfd);
2320 return;
2321 }
2322 }
2323
2324 r = socket_instantiate_service(s);
2325 if (r < 0)
2326 goto fail;
2327
2328 r = instance_from_socket(cfd, s->n_accepted, &instance);
2329 if (r < 0) {
2330 if (r != -ENOTCONN)
2331 goto fail;
2332
2333 /* ENOTCONN is legitimate if TCP RST was received.
2334 * This connection is over, but the socket unit lives on. */
2335 log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2336 safe_close(cfd);
2337 return;
2338 }
2339
2340 r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2341 if (r < 0)
2342 goto fail;
2343
2344 r = unit_name_build(prefix, instance, ".service", &name);
2345 if (r < 0)
2346 goto fail;
2347
2348 r = unit_add_name(UNIT_DEREF(s->service), name);
2349 if (r < 0)
2350 goto fail;
2351
2352 service = SERVICE(UNIT_DEREF(s->service));
2353 unit_ref_unset(&s->service);
2354
2355 s->n_accepted++;
2356 unit_choose_id(UNIT(service), name);
2357
2358 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2359 if (r < 0)
2360 goto fail;
2361
2362 cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2363 s->n_connections++;
2364
2365 service->peer = p; /* Pass ownership of the peer reference */
2366 p = NULL;
2367
2368 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, &error, NULL);
2369 if (r < 0) {
2370 /* We failed to activate the new service, but it still exists. Let's make sure the service
2371 * closes and forgets the connection fd again, immediately. */
2372 service_close_socket_fd(service);
2373 goto fail;
2374 }
2375
2376 /* Notify clients about changed counters */
2377 unit_add_to_dbus_queue(UNIT(s));
2378 }
2379
2380 return;
2381
2382 fail:
2383 log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2384 cfd >= 0 ? "template" : "non-template",
2385 bus_error_message(&error, r));
2386
2387 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2388 safe_close(cfd);
2389 }
2390
2391 static void socket_run_next(Socket *s) {
2392 int r;
2393
2394 assert(s);
2395 assert(s->control_command);
2396 assert(s->control_command->command_next);
2397
2398 socket_unwatch_control_pid(s);
2399
2400 s->control_command = s->control_command->command_next;
2401
2402 r = socket_spawn(s, s->control_command, &s->control_pid);
2403 if (r < 0)
2404 goto fail;
2405
2406 return;
2407
2408 fail:
2409 log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2410
2411 if (s->state == SOCKET_START_POST)
2412 socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2413 else if (s->state == SOCKET_STOP_POST)
2414 socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2415 else
2416 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2417 }
2418
2419 static int socket_start(Unit *u) {
2420 Socket *s = SOCKET(u);
2421 int r;
2422
2423 assert(s);
2424
2425 /* We cannot fulfill this request right now, try again later
2426 * please! */
2427 if (IN_SET(s->state,
2428 SOCKET_STOP_PRE,
2429 SOCKET_STOP_PRE_SIGKILL,
2430 SOCKET_STOP_PRE_SIGTERM,
2431 SOCKET_STOP_POST,
2432 SOCKET_FINAL_SIGTERM,
2433 SOCKET_FINAL_SIGKILL))
2434 return -EAGAIN;
2435
2436 /* Already on it! */
2437 if (IN_SET(s->state,
2438 SOCKET_START_PRE,
2439 SOCKET_START_CHOWN,
2440 SOCKET_START_POST))
2441 return 0;
2442
2443 /* Cannot run this without the service being around */
2444 if (UNIT_ISSET(s->service)) {
2445 Service *service;
2446
2447 service = SERVICE(UNIT_DEREF(s->service));
2448
2449 if (UNIT(service)->load_state != UNIT_LOADED) {
2450 log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2451 return -ENOENT;
2452 }
2453
2454 /* If the service is already active we cannot start the
2455 * socket */
2456 if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2457 log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2458 return -EBUSY;
2459 }
2460 }
2461
2462 assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2463
2464 r = unit_start_limit_test(u);
2465 if (r < 0) {
2466 socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2467 return r;
2468 }
2469
2470 r = unit_acquire_invocation_id(u);
2471 if (r < 0)
2472 return r;
2473
2474 s->result = SOCKET_SUCCESS;
2475
2476 u->reset_accounting = true;
2477
2478 socket_enter_start_pre(s);
2479 return 1;
2480 }
2481
2482 static int socket_stop(Unit *u) {
2483 Socket *s = SOCKET(u);
2484
2485 assert(s);
2486
2487 /* Already on it */
2488 if (IN_SET(s->state,
2489 SOCKET_STOP_PRE,
2490 SOCKET_STOP_PRE_SIGTERM,
2491 SOCKET_STOP_PRE_SIGKILL,
2492 SOCKET_STOP_POST,
2493 SOCKET_FINAL_SIGTERM,
2494 SOCKET_FINAL_SIGKILL))
2495 return 0;
2496
2497 /* If there's already something running we go directly into
2498 * kill mode. */
2499 if (IN_SET(s->state,
2500 SOCKET_START_PRE,
2501 SOCKET_START_CHOWN,
2502 SOCKET_START_POST)) {
2503 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2504 return -EAGAIN;
2505 }
2506
2507 assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2508
2509 socket_enter_stop_pre(s, SOCKET_SUCCESS);
2510 return 1;
2511 }
2512
2513 static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2514 Socket *s = SOCKET(u);
2515 SocketPort *p;
2516 int r;
2517
2518 assert(u);
2519 assert(f);
2520 assert(fds);
2521
2522 unit_serialize_item(u, f, "state", socket_state_to_string(s->state));
2523 unit_serialize_item(u, f, "result", socket_result_to_string(s->result));
2524 unit_serialize_item_format(u, f, "n-accepted", "%u", s->n_accepted);
2525
2526 if (s->control_pid > 0)
2527 unit_serialize_item_format(u, f, "control-pid", PID_FMT, s->control_pid);
2528
2529 if (s->control_command_id >= 0)
2530 unit_serialize_item(u, f, "control-command", socket_exec_command_to_string(s->control_command_id));
2531
2532 LIST_FOREACH(port, p, s->ports) {
2533 int copy;
2534
2535 if (p->fd < 0)
2536 continue;
2537
2538 copy = fdset_put_dup(fds, p->fd);
2539 if (copy < 0)
2540 return copy;
2541
2542 if (p->type == SOCKET_SOCKET) {
2543 _cleanup_free_ char *t = NULL;
2544
2545 r = socket_address_print(&p->address, &t);
2546 if (r < 0)
2547 return r;
2548
2549 if (socket_address_family(&p->address) == AF_NETLINK)
2550 unit_serialize_item_format(u, f, "netlink", "%i %s", copy, t);
2551 else
2552 unit_serialize_item_format(u, f, "socket", "%i %i %s", copy, p->address.type, t);
2553
2554 } else if (p->type == SOCKET_SPECIAL)
2555 unit_serialize_item_format(u, f, "special", "%i %s", copy, p->path);
2556 else if (p->type == SOCKET_MQUEUE)
2557 unit_serialize_item_format(u, f, "mqueue", "%i %s", copy, p->path);
2558 else if (p->type == SOCKET_USB_FUNCTION)
2559 unit_serialize_item_format(u, f, "ffs", "%i %s", copy, p->path);
2560 else {
2561 assert(p->type == SOCKET_FIFO);
2562 unit_serialize_item_format(u, f, "fifo", "%i %s", copy, p->path);
2563 }
2564 }
2565
2566 return 0;
2567 }
2568
2569 static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2570 safe_close(p->fd);
2571 p->fd = fdset_remove(fds, fd);
2572 }
2573
2574 static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2575 Socket *s = SOCKET(u);
2576
2577 assert(u);
2578 assert(key);
2579 assert(value);
2580
2581 if (streq(key, "state")) {
2582 SocketState state;
2583
2584 state = socket_state_from_string(value);
2585 if (state < 0)
2586 log_unit_debug(u, "Failed to parse state value: %s", value);
2587 else
2588 s->deserialized_state = state;
2589 } else if (streq(key, "result")) {
2590 SocketResult f;
2591
2592 f = socket_result_from_string(value);
2593 if (f < 0)
2594 log_unit_debug(u, "Failed to parse result value: %s", value);
2595 else if (f != SOCKET_SUCCESS)
2596 s->result = f;
2597
2598 } else if (streq(key, "n-accepted")) {
2599 unsigned k;
2600
2601 if (safe_atou(value, &k) < 0)
2602 log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2603 else
2604 s->n_accepted += k;
2605 } else if (streq(key, "control-pid")) {
2606 pid_t pid;
2607
2608 if (parse_pid(value, &pid) < 0)
2609 log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2610 else
2611 s->control_pid = pid;
2612 } else if (streq(key, "control-command")) {
2613 SocketExecCommand id;
2614
2615 id = socket_exec_command_from_string(value);
2616 if (id < 0)
2617 log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2618 else {
2619 s->control_command_id = id;
2620 s->control_command = s->exec_command[id];
2621 }
2622 } else if (streq(key, "fifo")) {
2623 int fd, skip = 0;
2624 SocketPort *p;
2625
2626 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2627 log_unit_debug(u, "Failed to parse fifo value: %s", value);
2628 else
2629 LIST_FOREACH(port, p, s->ports)
2630 if (p->type == SOCKET_FIFO &&
2631 path_equal_or_files_same(p->path, value+skip, 0)) {
2632 socket_port_take_fd(p, fds, fd);
2633 break;
2634 }
2635
2636 } else if (streq(key, "special")) {
2637 int fd, skip = 0;
2638 SocketPort *p;
2639
2640 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2641 log_unit_debug(u, "Failed to parse special value: %s", value);
2642 else
2643 LIST_FOREACH(port, p, s->ports)
2644 if (p->type == SOCKET_SPECIAL &&
2645 path_equal_or_files_same(p->path, value+skip, 0)) {
2646 socket_port_take_fd(p, fds, fd);
2647 break;
2648 }
2649
2650 } else if (streq(key, "mqueue")) {
2651 int fd, skip = 0;
2652 SocketPort *p;
2653
2654 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2655 log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2656 else
2657 LIST_FOREACH(port, p, s->ports)
2658 if (p->type == SOCKET_MQUEUE &&
2659 streq(p->path, value+skip)) {
2660 socket_port_take_fd(p, fds, fd);
2661 break;
2662 }
2663
2664 } else if (streq(key, "socket")) {
2665 int fd, type, skip = 0;
2666 SocketPort *p;
2667
2668 if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2669 log_unit_debug(u, "Failed to parse socket value: %s", value);
2670 else
2671 LIST_FOREACH(port, p, s->ports)
2672 if (socket_address_is(&p->address, value+skip, type)) {
2673 socket_port_take_fd(p, fds, fd);
2674 break;
2675 }
2676
2677 } else if (streq(key, "netlink")) {
2678 int fd, skip = 0;
2679 SocketPort *p;
2680
2681 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2682 log_unit_debug(u, "Failed to parse socket value: %s", value);
2683 else
2684 LIST_FOREACH(port, p, s->ports)
2685 if (socket_address_is_netlink(&p->address, value+skip)) {
2686 socket_port_take_fd(p, fds, fd);
2687 break;
2688 }
2689
2690 } else if (streq(key, "ffs")) {
2691 int fd, skip = 0;
2692 SocketPort *p;
2693
2694 if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2695 log_unit_debug(u, "Failed to parse ffs value: %s", value);
2696 else
2697 LIST_FOREACH(port, p, s->ports)
2698 if (p->type == SOCKET_USB_FUNCTION &&
2699 path_equal_or_files_same(p->path, value+skip, 0)) {
2700 socket_port_take_fd(p, fds, fd);
2701 break;
2702 }
2703
2704 } else
2705 log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2706
2707 return 0;
2708 }
2709
2710 static void socket_distribute_fds(Unit *u, FDSet *fds) {
2711 Socket *s = SOCKET(u);
2712 SocketPort *p;
2713
2714 assert(u);
2715
2716 LIST_FOREACH(port, p, s->ports) {
2717 Iterator i;
2718 int fd;
2719
2720 if (p->type != SOCKET_SOCKET)
2721 continue;
2722
2723 if (p->fd >= 0)
2724 continue;
2725
2726 FDSET_FOREACH(fd, fds, i) {
2727 if (socket_address_matches_fd(&p->address, fd)) {
2728 p->fd = fdset_remove(fds, fd);
2729 s->deserialized_state = SOCKET_LISTENING;
2730 break;
2731 }
2732 }
2733 }
2734 }
2735
2736 _pure_ static UnitActiveState socket_active_state(Unit *u) {
2737 assert(u);
2738
2739 return state_translation_table[SOCKET(u)->state];
2740 }
2741
2742 _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2743 assert(u);
2744
2745 return socket_state_to_string(SOCKET(u)->state);
2746 }
2747
2748 const char* socket_port_type_to_string(SocketPort *p) {
2749
2750 assert(p);
2751
2752 switch (p->type) {
2753
2754 case SOCKET_SOCKET:
2755
2756 switch (p->address.type) {
2757
2758 case SOCK_STREAM:
2759 return "Stream";
2760
2761 case SOCK_DGRAM:
2762 return "Datagram";
2763
2764 case SOCK_SEQPACKET:
2765 return "SequentialPacket";
2766
2767 case SOCK_RAW:
2768 if (socket_address_family(&p->address) == AF_NETLINK)
2769 return "Netlink";
2770
2771 _fallthrough_;
2772 default:
2773 return NULL;
2774 }
2775
2776 case SOCKET_SPECIAL:
2777 return "Special";
2778
2779 case SOCKET_MQUEUE:
2780 return "MessageQueue";
2781
2782 case SOCKET_FIFO:
2783 return "FIFO";
2784
2785 case SOCKET_USB_FUNCTION:
2786 return "USBFunction";
2787
2788 default:
2789 return NULL;
2790 }
2791 }
2792
2793 SocketType socket_port_type_from_string(const char *s) {
2794 assert(s);
2795
2796 if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2797 return SOCKET_SOCKET;
2798 else if (streq(s, "Special"))
2799 return SOCKET_SPECIAL;
2800 else if (streq(s, "MessageQueue"))
2801 return SOCKET_MQUEUE;
2802 else if (streq(s, "FIFO"))
2803 return SOCKET_FIFO;
2804 else if (streq(s, "USBFunction"))
2805 return SOCKET_USB_FUNCTION;
2806 else
2807 return _SOCKET_TYPE_INVALID;
2808 }
2809
2810 _pure_ static bool socket_may_gc(Unit *u) {
2811 Socket *s = SOCKET(u);
2812
2813 assert(u);
2814
2815 return s->n_connections == 0;
2816 }
2817
2818 static int socket_accept_do(Socket *s, int fd) {
2819 int cfd;
2820
2821 assert(s);
2822 assert(fd >= 0);
2823
2824 for (;;) {
2825 cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
2826 if (cfd < 0) {
2827 if (errno == EINTR)
2828 continue;
2829
2830 return -errno;
2831 }
2832
2833 break;
2834 }
2835
2836 return cfd;
2837 }
2838
2839 static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2840 _cleanup_close_pair_ int pair[2] = { -1, -1 };
2841 int cfd, r;
2842 pid_t pid;
2843
2844 assert(s);
2845 assert(p);
2846 assert(fd >= 0);
2847
2848 /* Similar to socket_address_listen_in_cgroup(), but for accept() rathern than socket(): make sure that any
2849 * connection socket is also properly associated with the cgroup. */
2850
2851 if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2852 goto shortcut;
2853
2854 r = bpf_firewall_supported();
2855 if (r < 0)
2856 return r;
2857 if (r == BPF_FIREWALL_UNSUPPORTED)
2858 goto shortcut;
2859
2860 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2861 return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2862
2863 r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2864 if (r < 0)
2865 return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2866 if (r == 0) {
2867 /* Child */
2868
2869 pair[0] = safe_close(pair[0]);
2870
2871 cfd = socket_accept_do(s, fd);
2872 if (cfd < 0) {
2873 log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2874 _exit(EXIT_FAILURE);
2875 }
2876
2877 r = send_one_fd(pair[1], cfd, 0);
2878 if (r < 0) {
2879 log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2880 _exit(EXIT_FAILURE);
2881 }
2882
2883 _exit(EXIT_SUCCESS);
2884 }
2885
2886 pair[1] = safe_close(pair[1]);
2887 cfd = receive_one_fd(pair[0], 0);
2888
2889 /* We synchronously wait for the helper, as it shouldn't be slow */
2890 r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2891 if (r < 0) {
2892 safe_close(cfd);
2893 return r;
2894 }
2895
2896 if (cfd < 0)
2897 return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2898
2899 return cfd;
2900
2901 shortcut:
2902 cfd = socket_accept_do(s, fd);
2903 if (cfd < 0)
2904 return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2905
2906 return cfd;
2907 }
2908
2909 static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2910 SocketPort *p = userdata;
2911 int cfd = -1;
2912
2913 assert(p);
2914 assert(fd >= 0);
2915
2916 if (p->socket->state != SOCKET_LISTENING)
2917 return 0;
2918
2919 log_unit_debug(UNIT(p->socket), "Incoming traffic");
2920
2921 if (revents != EPOLLIN) {
2922
2923 if (revents & EPOLLHUP)
2924 log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2925 else
2926 log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2927 goto fail;
2928 }
2929
2930 if (p->socket->accept &&
2931 p->type == SOCKET_SOCKET &&
2932 socket_address_can_accept(&p->address)) {
2933
2934 cfd = socket_accept_in_cgroup(p->socket, p, fd);
2935 if (cfd < 0)
2936 goto fail;
2937
2938 socket_apply_socket_options(p->socket, cfd);
2939 }
2940
2941 socket_enter_running(p->socket, cfd);
2942 return 0;
2943
2944 fail:
2945 socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2946 return 0;
2947 }
2948
2949 static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2950 Socket *s = SOCKET(u);
2951 SocketResult f;
2952
2953 assert(s);
2954 assert(pid >= 0);
2955
2956 if (pid != s->control_pid)
2957 return;
2958
2959 s->control_pid = 0;
2960
2961 if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2962 f = SOCKET_SUCCESS;
2963 else if (code == CLD_EXITED)
2964 f = SOCKET_FAILURE_EXIT_CODE;
2965 else if (code == CLD_KILLED)
2966 f = SOCKET_FAILURE_SIGNAL;
2967 else if (code == CLD_DUMPED)
2968 f = SOCKET_FAILURE_CORE_DUMP;
2969 else
2970 assert_not_reached("Unknown sigchld code");
2971
2972 if (s->control_command) {
2973 exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
2974
2975 if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
2976 f = SOCKET_SUCCESS;
2977 }
2978
2979 log_unit_full(u, f == SOCKET_SUCCESS ? LOG_DEBUG : LOG_NOTICE, 0,
2980 "Control process exited, code=%s status=%i",
2981 sigchld_code_to_string(code), status);
2982
2983 if (s->result == SOCKET_SUCCESS)
2984 s->result = f;
2985
2986 if (s->control_command &&
2987 s->control_command->command_next &&
2988 f == SOCKET_SUCCESS) {
2989
2990 log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
2991 socket_run_next(s);
2992 } else {
2993 s->control_command = NULL;
2994 s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
2995
2996 /* No further commands for this step, so let's figure
2997 * out what to do next */
2998
2999 log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
3000
3001 switch (s->state) {
3002
3003 case SOCKET_START_PRE:
3004 if (f == SOCKET_SUCCESS)
3005 socket_enter_start_chown(s);
3006 else
3007 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
3008 break;
3009
3010 case SOCKET_START_CHOWN:
3011 if (f == SOCKET_SUCCESS)
3012 socket_enter_start_post(s);
3013 else
3014 socket_enter_stop_pre(s, f);
3015 break;
3016
3017 case SOCKET_START_POST:
3018 if (f == SOCKET_SUCCESS)
3019 socket_enter_listening(s);
3020 else
3021 socket_enter_stop_pre(s, f);
3022 break;
3023
3024 case SOCKET_STOP_PRE:
3025 case SOCKET_STOP_PRE_SIGTERM:
3026 case SOCKET_STOP_PRE_SIGKILL:
3027 socket_enter_stop_post(s, f);
3028 break;
3029
3030 case SOCKET_STOP_POST:
3031 case SOCKET_FINAL_SIGTERM:
3032 case SOCKET_FINAL_SIGKILL:
3033 socket_enter_dead(s, f);
3034 break;
3035
3036 default:
3037 assert_not_reached("Uh, control process died at wrong time.");
3038 }
3039 }
3040
3041 /* Notify clients about changed exit status */
3042 unit_add_to_dbus_queue(u);
3043 }
3044
3045 static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3046 Socket *s = SOCKET(userdata);
3047
3048 assert(s);
3049 assert(s->timer_event_source == source);
3050
3051 switch (s->state) {
3052
3053 case SOCKET_START_PRE:
3054 log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3055 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3056 break;
3057
3058 case SOCKET_START_CHOWN:
3059 case SOCKET_START_POST:
3060 log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3061 socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3062 break;
3063
3064 case SOCKET_STOP_PRE:
3065 log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3066 socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3067 break;
3068
3069 case SOCKET_STOP_PRE_SIGTERM:
3070 if (s->kill_context.send_sigkill) {
3071 log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3072 socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3073 } else {
3074 log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3075 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3076 }
3077 break;
3078
3079 case SOCKET_STOP_PRE_SIGKILL:
3080 log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3081 socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3082 break;
3083
3084 case SOCKET_STOP_POST:
3085 log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3086 socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3087 break;
3088
3089 case SOCKET_FINAL_SIGTERM:
3090 if (s->kill_context.send_sigkill) {
3091 log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3092 socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3093 } else {
3094 log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3095 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3096 }
3097 break;
3098
3099 case SOCKET_FINAL_SIGKILL:
3100 log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3101 socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3102 break;
3103
3104 default:
3105 assert_not_reached("Timeout at wrong time.");
3106 }
3107
3108 return 0;
3109 }
3110
3111 int socket_collect_fds(Socket *s, int **fds) {
3112 int *rfds, k = 0, n = 0;
3113 SocketPort *p;
3114
3115 assert(s);
3116 assert(fds);
3117
3118 /* Called from the service code for requesting our fds */
3119
3120 LIST_FOREACH(port, p, s->ports) {
3121 if (p->fd >= 0)
3122 n++;
3123 n += p->n_auxiliary_fds;
3124 }
3125
3126 if (n <= 0) {
3127 *fds = NULL;
3128 return 0;
3129 }
3130
3131 rfds = new(int, n);
3132 if (!rfds)
3133 return -ENOMEM;
3134
3135 LIST_FOREACH(port, p, s->ports) {
3136 int i;
3137
3138 if (p->fd >= 0)
3139 rfds[k++] = p->fd;
3140 for (i = 0; i < p->n_auxiliary_fds; ++i)
3141 rfds[k++] = p->auxiliary_fds[i];
3142 }
3143
3144 assert(k == n);
3145
3146 *fds = rfds;
3147 return n;
3148 }
3149
3150 static void socket_reset_failed(Unit *u) {
3151 Socket *s = SOCKET(u);
3152
3153 assert(s);
3154
3155 if (s->state == SOCKET_FAILED)
3156 socket_set_state(s, SOCKET_DEAD);
3157
3158 s->result = SOCKET_SUCCESS;
3159 }
3160
3161 void socket_connection_unref(Socket *s) {
3162 assert(s);
3163
3164 /* The service is dead. Yay!
3165 *
3166 * This is strictly for one-instance-per-connection
3167 * services. */
3168
3169 assert(s->n_connections > 0);
3170 s->n_connections--;
3171
3172 log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3173 }
3174
3175 static void socket_trigger_notify(Unit *u, Unit *other) {
3176 Socket *s = SOCKET(u);
3177
3178 assert(u);
3179 assert(other);
3180
3181 /* Filter out invocations with bogus state */
3182 if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3183 return;
3184
3185 /* Don't propagate state changes from the service if we are already down */
3186 if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3187 return;
3188
3189 /* We don't care for the service state if we are in Accept=yes mode */
3190 if (s->accept)
3191 return;
3192
3193 /* Propagate start limit hit state */
3194 if (other->start_limit_hit) {
3195 socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3196 return;
3197 }
3198
3199 /* Don't propagate anything if there's still a job queued */
3200 if (other->job)
3201 return;
3202
3203 if (IN_SET(SERVICE(other)->state,
3204 SERVICE_DEAD, SERVICE_FAILED,
3205 SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3206 SERVICE_AUTO_RESTART))
3207 socket_enter_listening(s);
3208
3209 if (SERVICE(other)->state == SERVICE_RUNNING)
3210 socket_set_state(s, SOCKET_RUNNING);
3211 }
3212
3213 static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3214 return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3215 }
3216
3217 static int socket_get_timeout(Unit *u, usec_t *timeout) {
3218 Socket *s = SOCKET(u);
3219 usec_t t;
3220 int r;
3221
3222 if (!s->timer_event_source)
3223 return 0;
3224
3225 r = sd_event_source_get_time(s->timer_event_source, &t);
3226 if (r < 0)
3227 return r;
3228 if (t == USEC_INFINITY)
3229 return 0;
3230
3231 *timeout = t;
3232 return 1;
3233 }
3234
3235 char *socket_fdname(Socket *s) {
3236 assert(s);
3237
3238 /* Returns the name to use for $LISTEN_NAMES. If the user
3239 * didn't specify anything specifically, use the socket unit's
3240 * name as fallback. */
3241
3242 return s->fdname ?: UNIT(s)->id;
3243 }
3244
3245 static int socket_control_pid(Unit *u) {
3246 Socket *s = SOCKET(u);
3247
3248 assert(s);
3249
3250 return s->control_pid;
3251 }
3252
3253 static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3254 [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3255 [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3256 [SOCKET_EXEC_START_POST] = "ExecStartPost",
3257 [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3258 [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3259 };
3260
3261 DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3262
3263 static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3264 [SOCKET_SUCCESS] = "success",
3265 [SOCKET_FAILURE_RESOURCES] = "resources",
3266 [SOCKET_FAILURE_TIMEOUT] = "timeout",
3267 [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3268 [SOCKET_FAILURE_SIGNAL] = "signal",
3269 [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3270 [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3271 [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3272 [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3273 };
3274
3275 DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3276
3277 const UnitVTable socket_vtable = {
3278 .object_size = sizeof(Socket),
3279 .exec_context_offset = offsetof(Socket, exec_context),
3280 .cgroup_context_offset = offsetof(Socket, cgroup_context),
3281 .kill_context_offset = offsetof(Socket, kill_context),
3282 .exec_runtime_offset = offsetof(Socket, exec_runtime),
3283 .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3284
3285 .sections =
3286 "Unit\0"
3287 "Socket\0"
3288 "Install\0",
3289 .private_section = "Socket",
3290
3291 .can_transient = true,
3292
3293 .init = socket_init,
3294 .done = socket_done,
3295 .load = socket_load,
3296
3297 .coldplug = socket_coldplug,
3298
3299 .dump = socket_dump,
3300
3301 .start = socket_start,
3302 .stop = socket_stop,
3303
3304 .kill = socket_kill,
3305
3306 .get_timeout = socket_get_timeout,
3307
3308 .serialize = socket_serialize,
3309 .deserialize_item = socket_deserialize_item,
3310 .distribute_fds = socket_distribute_fds,
3311
3312 .active_state = socket_active_state,
3313 .sub_state_to_string = socket_sub_state_to_string,
3314
3315 .may_gc = socket_may_gc,
3316
3317 .sigchld_event = socket_sigchld_event,
3318
3319 .trigger_notify = socket_trigger_notify,
3320
3321 .reset_failed = socket_reset_failed,
3322
3323 .control_pid = socket_control_pid,
3324
3325 .bus_vtable = bus_socket_vtable,
3326 .bus_set_property = bus_socket_set_property,
3327 .bus_commit_properties = bus_socket_commit_properties,
3328
3329 .status_message_formats = {
3330 /*.starting_stopping = {
3331 [0] = "Starting socket %s...",
3332 [1] = "Stopping socket %s...",
3333 },*/
3334 .finished_start_job = {
3335 [JOB_DONE] = "Listening on %s.",
3336 [JOB_FAILED] = "Failed to listen on %s.",
3337 [JOB_TIMEOUT] = "Timed out starting %s.",
3338 },
3339 .finished_stop_job = {
3340 [JOB_DONE] = "Closed %s.",
3341 [JOB_FAILED] = "Failed stopping %s.",
3342 [JOB_TIMEOUT] = "Timed out stopping %s.",
3343 },
3344 },
3345 };
Unnamed repository; edit this file 'description' to name the repository.