Line data Source code
1 : /* SPDX-License-Identifier: LGPL-2.1+ */
2 :
3 : #include <arpa/inet.h>
4 : #include <errno.h>
5 : #include <fcntl.h>
6 : #include <mqueue.h>
7 : #include <netinet/tcp.h>
8 : #include <signal.h>
9 : #include <sys/epoll.h>
10 : #include <sys/stat.h>
11 : #include <unistd.h>
12 : #include <linux/sctp.h>
13 :
14 : #include "alloc-util.h"
15 : #include "bpf-firewall.h"
16 : #include "bus-error.h"
17 : #include "bus-util.h"
18 : #include "copy.h"
19 : #include "dbus-socket.h"
20 : #include "dbus-unit.h"
21 : #include "def.h"
22 : #include "exit-status.h"
23 : #include "fd-util.h"
24 : #include "format-util.h"
25 : #include "fs-util.h"
26 : #include "in-addr-util.h"
27 : #include "io-util.h"
28 : #include "ip-protocol-list.h"
29 : #include "label.h"
30 : #include "log.h"
31 : #include "missing.h"
32 : #include "mkdir.h"
33 : #include "parse-util.h"
34 : #include "path-util.h"
35 : #include "process-util.h"
36 : #include "selinux-util.h"
37 : #include "serialize.h"
38 : #include "signal-util.h"
39 : #include "smack-util.h"
40 : #include "socket.h"
41 : #include "special.h"
42 : #include "string-table.h"
43 : #include "string-util.h"
44 : #include "strv.h"
45 : #include "unit-name.h"
46 : #include "unit.h"
47 : #include "user-util.h"
48 :
49 : struct SocketPeer {
50 : unsigned n_ref;
51 :
52 : Socket *socket;
53 : union sockaddr_union peer;
54 : socklen_t peer_salen;
55 : };
56 :
57 : static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
58 : [SOCKET_DEAD] = UNIT_INACTIVE,
59 : [SOCKET_START_PRE] = UNIT_ACTIVATING,
60 : [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
61 : [SOCKET_START_POST] = UNIT_ACTIVATING,
62 : [SOCKET_LISTENING] = UNIT_ACTIVE,
63 : [SOCKET_RUNNING] = UNIT_ACTIVE,
64 : [SOCKET_STOP_PRE] = UNIT_DEACTIVATING,
65 : [SOCKET_STOP_PRE_SIGTERM] = UNIT_DEACTIVATING,
66 : [SOCKET_STOP_PRE_SIGKILL] = UNIT_DEACTIVATING,
67 : [SOCKET_STOP_POST] = UNIT_DEACTIVATING,
68 : [SOCKET_FINAL_SIGTERM] = UNIT_DEACTIVATING,
69 : [SOCKET_FINAL_SIGKILL] = UNIT_DEACTIVATING,
70 : [SOCKET_FAILED] = UNIT_FAILED
71 : };
72 :
73 : static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata);
74 : static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata);
75 :
76 0 : static void socket_init(Unit *u) {
77 0 : Socket *s = SOCKET(u);
78 :
79 0 : assert(u);
80 0 : assert(u->load_state == UNIT_STUB);
81 :
82 0 : s->backlog = SOMAXCONN;
83 0 : s->timeout_usec = u->manager->default_timeout_start_usec;
84 0 : s->directory_mode = 0755;
85 0 : s->socket_mode = 0666;
86 :
87 0 : s->max_connections = 64;
88 :
89 0 : s->priority = -1;
90 0 : s->ip_tos = -1;
91 0 : s->ip_ttl = -1;
92 0 : s->mark = -1;
93 :
94 0 : s->exec_context.std_output = u->manager->default_std_output;
95 0 : s->exec_context.std_error = u->manager->default_std_error;
96 :
97 0 : s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
98 :
99 0 : s->trigger_limit.interval = USEC_INFINITY;
100 0 : s->trigger_limit.burst = (unsigned) -1;
101 0 : }
102 :
103 0 : static void socket_unwatch_control_pid(Socket *s) {
104 0 : assert(s);
105 :
106 0 : if (s->control_pid <= 0)
107 0 : return;
108 :
109 0 : unit_unwatch_pid(UNIT(s), s->control_pid);
110 0 : s->control_pid = 0;
111 : }
112 :
113 0 : static void socket_cleanup_fd_list(SocketPort *p) {
114 0 : assert(p);
115 :
116 0 : close_many(p->auxiliary_fds, p->n_auxiliary_fds);
117 0 : p->auxiliary_fds = mfree(p->auxiliary_fds);
118 0 : p->n_auxiliary_fds = 0;
119 0 : }
120 :
121 0 : void socket_free_ports(Socket *s) {
122 : SocketPort *p;
123 :
124 0 : assert(s);
125 :
126 0 : while ((p = s->ports)) {
127 0 : LIST_REMOVE(port, s->ports, p);
128 :
129 0 : sd_event_source_unref(p->event_source);
130 :
131 0 : socket_cleanup_fd_list(p);
132 0 : safe_close(p->fd);
133 0 : free(p->path);
134 0 : free(p);
135 : }
136 0 : }
137 :
138 0 : static void socket_done(Unit *u) {
139 0 : Socket *s = SOCKET(u);
140 : SocketPeer *p;
141 :
142 0 : assert(s);
143 :
144 0 : socket_free_ports(s);
145 :
146 0 : while ((p = set_steal_first(s->peers_by_address)))
147 0 : p->socket = NULL;
148 :
149 0 : s->peers_by_address = set_free(s->peers_by_address);
150 :
151 0 : s->exec_runtime = exec_runtime_unref(s->exec_runtime, false);
152 0 : exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
153 0 : s->control_command = NULL;
154 :
155 0 : dynamic_creds_unref(&s->dynamic_creds);
156 :
157 0 : socket_unwatch_control_pid(s);
158 :
159 0 : unit_ref_unset(&s->service);
160 :
161 0 : s->tcp_congestion = mfree(s->tcp_congestion);
162 0 : s->bind_to_device = mfree(s->bind_to_device);
163 :
164 0 : s->smack = mfree(s->smack);
165 0 : s->smack_ip_in = mfree(s->smack_ip_in);
166 0 : s->smack_ip_out = mfree(s->smack_ip_out);
167 :
168 0 : strv_free(s->symlinks);
169 :
170 0 : s->user = mfree(s->user);
171 0 : s->group = mfree(s->group);
172 :
173 0 : s->fdname = mfree(s->fdname);
174 :
175 0 : s->timer_event_source = sd_event_source_unref(s->timer_event_source);
176 0 : }
177 :
178 0 : static int socket_arm_timer(Socket *s, usec_t usec) {
179 : int r;
180 :
181 0 : assert(s);
182 :
183 0 : if (s->timer_event_source) {
184 0 : r = sd_event_source_set_time(s->timer_event_source, usec);
185 0 : if (r < 0)
186 0 : return r;
187 :
188 0 : return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
189 : }
190 :
191 0 : if (usec == USEC_INFINITY)
192 0 : return 0;
193 :
194 0 : r = sd_event_add_time(
195 0 : UNIT(s)->manager->event,
196 : &s->timer_event_source,
197 : CLOCK_MONOTONIC,
198 : usec, 0,
199 : socket_dispatch_timer, s);
200 0 : if (r < 0)
201 0 : return r;
202 :
203 0 : (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
204 :
205 0 : return 0;
206 : }
207 :
208 0 : int socket_instantiate_service(Socket *s) {
209 0 : _cleanup_free_ char *prefix = NULL, *name = NULL;
210 : int r;
211 : Unit *u;
212 :
213 0 : assert(s);
214 :
215 : /* This fills in s->service if it isn't filled in yet. For
216 : * Accept=yes sockets we create the next connection service
217 : * here. For Accept=no this is mostly a NOP since the service
218 : * is figured out at load time anyway. */
219 :
220 0 : if (UNIT_DEREF(s->service))
221 0 : return 0;
222 :
223 0 : if (!s->accept)
224 0 : return 0;
225 :
226 0 : r = unit_name_to_prefix(UNIT(s)->id, &prefix);
227 0 : if (r < 0)
228 0 : return r;
229 :
230 0 : if (asprintf(&name, "%s@%u.service", prefix, s->n_accepted) < 0)
231 0 : return -ENOMEM;
232 :
233 0 : r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
234 0 : if (r < 0)
235 0 : return r;
236 :
237 0 : unit_ref_set(&s->service, UNIT(s), u);
238 :
239 0 : return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, u, false, UNIT_DEPENDENCY_IMPLICIT);
240 : }
241 :
242 0 : static bool have_non_accept_socket(Socket *s) {
243 : SocketPort *p;
244 :
245 0 : assert(s);
246 :
247 0 : if (!s->accept)
248 0 : return true;
249 :
250 0 : LIST_FOREACH(port, p, s->ports) {
251 :
252 0 : if (p->type != SOCKET_SOCKET)
253 0 : return true;
254 :
255 0 : if (!socket_address_can_accept(&p->address))
256 0 : return true;
257 : }
258 :
259 0 : return false;
260 : }
261 :
262 0 : static int socket_add_mount_dependencies(Socket *s) {
263 : SocketPort *p;
264 : int r;
265 :
266 0 : assert(s);
267 :
268 0 : LIST_FOREACH(port, p, s->ports) {
269 0 : const char *path = NULL;
270 :
271 0 : if (p->type == SOCKET_SOCKET)
272 0 : path = socket_address_get_path(&p->address);
273 0 : else if (IN_SET(p->type, SOCKET_FIFO, SOCKET_SPECIAL, SOCKET_USB_FUNCTION))
274 0 : path = p->path;
275 :
276 0 : if (!path)
277 0 : continue;
278 :
279 0 : r = unit_require_mounts_for(UNIT(s), path, UNIT_DEPENDENCY_FILE);
280 0 : if (r < 0)
281 0 : return r;
282 : }
283 :
284 0 : return 0;
285 : }
286 :
287 0 : static int socket_add_device_dependencies(Socket *s) {
288 : char *t;
289 :
290 0 : assert(s);
291 :
292 0 : if (!s->bind_to_device || streq(s->bind_to_device, "lo"))
293 0 : return 0;
294 :
295 0 : t = strjoina("/sys/subsystem/net/devices/", s->bind_to_device);
296 0 : return unit_add_node_dependency(UNIT(s), t, false, UNIT_BINDS_TO, UNIT_DEPENDENCY_FILE);
297 : }
298 :
299 0 : static int socket_add_default_dependencies(Socket *s) {
300 : int r;
301 0 : assert(s);
302 :
303 0 : if (!UNIT(s)->default_dependencies)
304 0 : return 0;
305 :
306 0 : r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
307 0 : if (r < 0)
308 0 : return r;
309 :
310 0 : if (MANAGER_IS_SYSTEM(UNIT(s)->manager)) {
311 0 : r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
312 0 : if (r < 0)
313 0 : return r;
314 : }
315 :
316 0 : return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
317 : }
318 :
319 0 : _pure_ static bool socket_has_exec(Socket *s) {
320 : unsigned i;
321 0 : assert(s);
322 :
323 0 : for (i = 0; i < _SOCKET_EXEC_COMMAND_MAX; i++)
324 0 : if (s->exec_command[i])
325 0 : return true;
326 :
327 0 : return false;
328 : }
329 :
330 0 : static int socket_add_extras(Socket *s) {
331 0 : Unit *u = UNIT(s);
332 : int r;
333 :
334 0 : assert(s);
335 :
336 : /* Pick defaults for the trigger limit, if nothing was explicitly configured. We pick a relatively high limit
337 : * in Accept=yes mode, and a lower limit for Accept=no. Reason: in Accept=yes mode we are invoking accept()
338 : * ourselves before the trigger limit can hit, thus incoming connections are taken off the socket queue quickly
339 : * and reliably. This is different for Accept=no, where the spawned service has to take the incoming traffic
340 : * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
341 : * process whatever is queued in one go, and thus should normally never have to be started frequently. This is
342 : * different for Accept=yes where each connection is processed by a new service instance, and thus frequent
343 : * service starts are typical. */
344 :
345 0 : if (s->trigger_limit.interval == USEC_INFINITY)
346 0 : s->trigger_limit.interval = 2 * USEC_PER_SEC;
347 :
348 0 : if (s->trigger_limit.burst == (unsigned) -1) {
349 0 : if (s->accept)
350 0 : s->trigger_limit.burst = 200;
351 : else
352 0 : s->trigger_limit.burst = 20;
353 : }
354 :
355 0 : if (have_non_accept_socket(s)) {
356 :
357 0 : if (!UNIT_DEREF(s->service)) {
358 : Unit *x;
359 :
360 0 : r = unit_load_related_unit(u, ".service", &x);
361 0 : if (r < 0)
362 0 : return r;
363 :
364 0 : unit_ref_set(&s->service, u, x);
365 : }
366 :
367 0 : r = unit_add_two_dependencies(u, UNIT_BEFORE, UNIT_TRIGGERS, UNIT_DEREF(s->service), true, UNIT_DEPENDENCY_IMPLICIT);
368 0 : if (r < 0)
369 0 : return r;
370 : }
371 :
372 0 : r = socket_add_mount_dependencies(s);
373 0 : if (r < 0)
374 0 : return r;
375 :
376 0 : r = socket_add_device_dependencies(s);
377 0 : if (r < 0)
378 0 : return r;
379 :
380 0 : r = unit_patch_contexts(u);
381 0 : if (r < 0)
382 0 : return r;
383 :
384 0 : if (socket_has_exec(s)) {
385 0 : r = unit_add_exec_dependencies(u, &s->exec_context);
386 0 : if (r < 0)
387 0 : return r;
388 : }
389 :
390 0 : r = unit_set_default_slice(u);
391 0 : if (r < 0)
392 0 : return r;
393 :
394 0 : r = socket_add_default_dependencies(s);
395 0 : if (r < 0)
396 0 : return r;
397 :
398 0 : return 0;
399 : }
400 :
401 0 : static const char *socket_find_symlink_target(Socket *s) {
402 0 : const char *found = NULL;
403 : SocketPort *p;
404 :
405 0 : LIST_FOREACH(port, p, s->ports) {
406 0 : const char *f = NULL;
407 :
408 0 : switch (p->type) {
409 :
410 0 : case SOCKET_FIFO:
411 0 : f = p->path;
412 0 : break;
413 :
414 0 : case SOCKET_SOCKET:
415 0 : f = socket_address_get_path(&p->address);
416 0 : break;
417 :
418 0 : default:
419 0 : break;
420 : }
421 :
422 0 : if (f) {
423 0 : if (found)
424 0 : return NULL;
425 :
426 0 : found = f;
427 : }
428 : }
429 :
430 0 : return found;
431 : }
432 :
433 0 : static int socket_verify(Socket *s) {
434 0 : assert(s);
435 :
436 0 : if (UNIT(s)->load_state != UNIT_LOADED)
437 0 : return 0;
438 :
439 0 : if (!s->ports) {
440 0 : log_unit_error(UNIT(s), "Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.");
441 0 : return -ENOEXEC;
442 : }
443 :
444 0 : if (s->accept && have_non_accept_socket(s)) {
445 0 : log_unit_error(UNIT(s), "Unit configured for accepting sockets, but sockets are non-accepting. Refusing.");
446 0 : return -ENOEXEC;
447 : }
448 :
449 0 : if (s->accept && s->max_connections <= 0) {
450 0 : log_unit_error(UNIT(s), "MaxConnection= setting too small. Refusing.");
451 0 : return -ENOEXEC;
452 : }
453 :
454 0 : if (s->accept && UNIT_DEREF(s->service)) {
455 0 : log_unit_error(UNIT(s), "Explicit service configuration for accepting socket units not supported. Refusing.");
456 0 : return -ENOEXEC;
457 : }
458 :
459 0 : if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP) {
460 0 : log_unit_error(UNIT(s), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
461 0 : return -ENOEXEC;
462 : }
463 :
464 0 : if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s)) {
465 0 : log_unit_error(UNIT(s), "Unit has symlinks set but none or more than one node in the file system. Refusing.");
466 0 : return -ENOEXEC;
467 : }
468 :
469 0 : return 0;
470 : }
471 :
472 0 : static void peer_address_hash_func(const SocketPeer *s, struct siphash *state) {
473 0 : assert(s);
474 :
475 0 : if (s->peer.sa.sa_family == AF_INET)
476 0 : siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
477 0 : else if (s->peer.sa.sa_family == AF_INET6)
478 0 : siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
479 0 : else if (s->peer.sa.sa_family == AF_VSOCK)
480 0 : siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
481 : else
482 0 : assert_not_reached("Unknown address family.");
483 0 : }
484 :
485 0 : static int peer_address_compare_func(const SocketPeer *x, const SocketPeer *y) {
486 : int r;
487 :
488 0 : r = CMP(x->peer.sa.sa_family, y->peer.sa.sa_family);
489 0 : if (r != 0)
490 0 : return r;
491 :
492 0 : switch(x->peer.sa.sa_family) {
493 0 : case AF_INET:
494 0 : return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
495 0 : case AF_INET6:
496 0 : return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
497 0 : case AF_VSOCK:
498 0 : return CMP(x->peer.vm.svm_cid, y->peer.vm.svm_cid);
499 : }
500 0 : assert_not_reached("Black sheep in the family!");
501 : }
502 :
503 : DEFINE_PRIVATE_HASH_OPS(peer_address_hash_ops, SocketPeer, peer_address_hash_func, peer_address_compare_func);
504 :
505 0 : static int socket_load(Unit *u) {
506 0 : Socket *s = SOCKET(u);
507 : int r;
508 :
509 0 : assert(u);
510 0 : assert(u->load_state == UNIT_STUB);
511 :
512 0 : r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
513 0 : if (r < 0)
514 0 : return r;
515 :
516 0 : r = unit_load_fragment_and_dropin(u);
517 0 : if (r < 0)
518 0 : return r;
519 :
520 0 : if (u->load_state == UNIT_LOADED) {
521 : /* This is a new unit? Then let's add in some extras */
522 0 : r = socket_add_extras(s);
523 0 : if (r < 0)
524 0 : return r;
525 : }
526 :
527 0 : return socket_verify(s);
528 : }
529 :
530 0 : static SocketPeer *socket_peer_new(void) {
531 : SocketPeer *p;
532 :
533 0 : p = new0(SocketPeer, 1);
534 0 : if (!p)
535 0 : return NULL;
536 :
537 0 : p->n_ref = 1;
538 :
539 0 : return p;
540 : }
541 :
542 0 : static SocketPeer *socket_peer_free(SocketPeer *p) {
543 0 : assert(p);
544 :
545 0 : if (p->socket)
546 0 : set_remove(p->socket->peers_by_address, p);
547 :
548 0 : return mfree(p);
549 : }
550 :
551 46 : DEFINE_TRIVIAL_REF_UNREF_FUNC(SocketPeer, socket_peer, socket_peer_free);
552 :
553 0 : int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
554 0 : _cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
555 0 : SocketPeer sa = {}, *i;
556 0 : socklen_t salen = sizeof(sa.peer);
557 : int r;
558 :
559 0 : assert(fd >= 0);
560 0 : assert(s);
561 :
562 0 : r = getpeername(fd, &sa.peer.sa, &salen);
563 0 : if (r < 0)
564 0 : return log_unit_error_errno(UNIT(s), errno, "getpeername failed: %m");
565 :
566 0 : if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
567 0 : *p = NULL;
568 0 : return 0;
569 : }
570 :
571 0 : i = set_get(s->peers_by_address, &sa);
572 0 : if (i) {
573 0 : *p = socket_peer_ref(i);
574 0 : return 1;
575 : }
576 :
577 0 : remote = socket_peer_new();
578 0 : if (!remote)
579 0 : return log_oom();
580 :
581 0 : remote->peer = sa.peer;
582 0 : remote->peer_salen = salen;
583 :
584 0 : r = set_put(s->peers_by_address, remote);
585 0 : if (r < 0)
586 0 : return r;
587 :
588 0 : remote->socket = s;
589 :
590 0 : *p = TAKE_PTR(remote);
591 :
592 0 : return 1;
593 : }
594 :
595 0 : _const_ static const char* listen_lookup(int family, int type) {
596 :
597 0 : if (family == AF_NETLINK)
598 0 : return "ListenNetlink";
599 :
600 0 : if (type == SOCK_STREAM)
601 0 : return "ListenStream";
602 0 : else if (type == SOCK_DGRAM)
603 0 : return "ListenDatagram";
604 0 : else if (type == SOCK_SEQPACKET)
605 0 : return "ListenSequentialPacket";
606 :
607 0 : assert_not_reached("Unknown socket type");
608 : return NULL;
609 : }
610 :
611 0 : static void socket_dump(Unit *u, FILE *f, const char *prefix) {
612 : char time_string[FORMAT_TIMESPAN_MAX];
613 : SocketExecCommand c;
614 0 : Socket *s = SOCKET(u);
615 : SocketPort *p;
616 : const char *prefix2, *str;
617 :
618 0 : assert(s);
619 0 : assert(f);
620 :
621 0 : prefix = strempty(prefix);
622 0 : prefix2 = strjoina(prefix, "\t");
623 :
624 0 : fprintf(f,
625 : "%sSocket State: %s\n"
626 : "%sResult: %s\n"
627 : "%sBindIPv6Only: %s\n"
628 : "%sBacklog: %u\n"
629 : "%sSocketMode: %04o\n"
630 : "%sDirectoryMode: %04o\n"
631 : "%sKeepAlive: %s\n"
632 : "%sNoDelay: %s\n"
633 : "%sFreeBind: %s\n"
634 : "%sTransparent: %s\n"
635 : "%sBroadcast: %s\n"
636 : "%sPassCredentials: %s\n"
637 : "%sPassSecurity: %s\n"
638 : "%sTCPCongestion: %s\n"
639 : "%sRemoveOnStop: %s\n"
640 : "%sWritable: %s\n"
641 : "%sFileDescriptorName: %s\n"
642 : "%sSELinuxContextFromNet: %s\n",
643 : prefix, socket_state_to_string(s->state),
644 : prefix, socket_result_to_string(s->result),
645 : prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
646 : prefix, s->backlog,
647 : prefix, s->socket_mode,
648 : prefix, s->directory_mode,
649 0 : prefix, yes_no(s->keep_alive),
650 0 : prefix, yes_no(s->no_delay),
651 0 : prefix, yes_no(s->free_bind),
652 0 : prefix, yes_no(s->transparent),
653 0 : prefix, yes_no(s->broadcast),
654 0 : prefix, yes_no(s->pass_cred),
655 0 : prefix, yes_no(s->pass_sec),
656 0 : prefix, strna(s->tcp_congestion),
657 0 : prefix, yes_no(s->remove_on_stop),
658 0 : prefix, yes_no(s->writable),
659 : prefix, socket_fdname(s),
660 0 : prefix, yes_no(s->selinux_context_from_net));
661 :
662 0 : if (s->control_pid > 0)
663 0 : fprintf(f,
664 : "%sControl PID: "PID_FMT"\n",
665 : prefix, s->control_pid);
666 :
667 0 : if (s->bind_to_device)
668 0 : fprintf(f,
669 : "%sBindToDevice: %s\n",
670 : prefix, s->bind_to_device);
671 :
672 0 : if (s->accept)
673 0 : fprintf(f,
674 : "%sAccepted: %u\n"
675 : "%sNConnections: %u\n"
676 : "%sMaxConnections: %u\n"
677 : "%sMaxConnectionsPerSource: %u\n",
678 : prefix, s->n_accepted,
679 : prefix, s->n_connections,
680 : prefix, s->max_connections,
681 : prefix, s->max_connections_per_source);
682 :
683 0 : if (s->priority >= 0)
684 0 : fprintf(f,
685 : "%sPriority: %i\n",
686 : prefix, s->priority);
687 :
688 0 : if (s->receive_buffer > 0)
689 0 : fprintf(f,
690 : "%sReceiveBuffer: %zu\n",
691 : prefix, s->receive_buffer);
692 :
693 0 : if (s->send_buffer > 0)
694 0 : fprintf(f,
695 : "%sSendBuffer: %zu\n",
696 : prefix, s->send_buffer);
697 :
698 0 : if (s->ip_tos >= 0)
699 0 : fprintf(f,
700 : "%sIPTOS: %i\n",
701 : prefix, s->ip_tos);
702 :
703 0 : if (s->ip_ttl >= 0)
704 0 : fprintf(f,
705 : "%sIPTTL: %i\n",
706 : prefix, s->ip_ttl);
707 :
708 0 : if (s->pipe_size > 0)
709 0 : fprintf(f,
710 : "%sPipeSize: %zu\n",
711 : prefix, s->pipe_size);
712 :
713 0 : if (s->mark >= 0)
714 0 : fprintf(f,
715 : "%sMark: %i\n",
716 : prefix, s->mark);
717 :
718 0 : if (s->mq_maxmsg > 0)
719 0 : fprintf(f,
720 : "%sMessageQueueMaxMessages: %li\n",
721 : prefix, s->mq_maxmsg);
722 :
723 0 : if (s->mq_msgsize > 0)
724 0 : fprintf(f,
725 : "%sMessageQueueMessageSize: %li\n",
726 : prefix, s->mq_msgsize);
727 :
728 0 : if (s->reuse_port)
729 0 : fprintf(f,
730 : "%sReusePort: %s\n",
731 0 : prefix, yes_no(s->reuse_port));
732 :
733 0 : if (s->smack)
734 0 : fprintf(f,
735 : "%sSmackLabel: %s\n",
736 : prefix, s->smack);
737 :
738 0 : if (s->smack_ip_in)
739 0 : fprintf(f,
740 : "%sSmackLabelIPIn: %s\n",
741 : prefix, s->smack_ip_in);
742 :
743 0 : if (s->smack_ip_out)
744 0 : fprintf(f,
745 : "%sSmackLabelIPOut: %s\n",
746 : prefix, s->smack_ip_out);
747 :
748 0 : if (!isempty(s->user) || !isempty(s->group))
749 0 : fprintf(f,
750 : "%sSocketUser: %s\n"
751 : "%sSocketGroup: %s\n",
752 0 : prefix, strna(s->user),
753 0 : prefix, strna(s->group));
754 :
755 0 : if (s->keep_alive_time > 0)
756 0 : fprintf(f,
757 : "%sKeepAliveTimeSec: %s\n",
758 : prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_time, USEC_PER_SEC));
759 :
760 0 : if (s->keep_alive_interval > 0)
761 0 : fprintf(f,
762 : "%sKeepAliveIntervalSec: %s\n",
763 : prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->keep_alive_interval, USEC_PER_SEC));
764 :
765 0 : if (s->keep_alive_cnt > 0)
766 0 : fprintf(f,
767 : "%sKeepAliveProbes: %u\n",
768 : prefix, s->keep_alive_cnt);
769 :
770 0 : if (s->defer_accept > 0)
771 0 : fprintf(f,
772 : "%sDeferAcceptSec: %s\n",
773 : prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->defer_accept, USEC_PER_SEC));
774 :
775 0 : LIST_FOREACH(port, p, s->ports) {
776 :
777 0 : switch (p->type) {
778 0 : case SOCKET_SOCKET: {
779 0 : _cleanup_free_ char *k = NULL;
780 : const char *t;
781 : int r;
782 :
783 0 : r = socket_address_print(&p->address, &k);
784 0 : if (r < 0)
785 0 : t = strerror_safe(r);
786 : else
787 0 : t = k;
788 :
789 0 : fprintf(f, "%s%s: %s\n", prefix, listen_lookup(socket_address_family(&p->address), p->address.type), t);
790 0 : break;
791 : }
792 0 : case SOCKET_SPECIAL:
793 0 : fprintf(f, "%sListenSpecial: %s\n", prefix, p->path);
794 0 : break;
795 0 : case SOCKET_USB_FUNCTION:
796 0 : fprintf(f, "%sListenUSBFunction: %s\n", prefix, p->path);
797 0 : break;
798 0 : case SOCKET_MQUEUE:
799 0 : fprintf(f, "%sListenMessageQueue: %s\n", prefix, p->path);
800 0 : break;
801 0 : default:
802 0 : fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
803 : }
804 : }
805 :
806 0 : fprintf(f,
807 : "%sTriggerLimitIntervalSec: %s\n"
808 : "%sTriggerLimitBurst: %u\n",
809 : prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->trigger_limit.interval, USEC_PER_SEC),
810 : prefix, s->trigger_limit.burst);
811 :
812 0 : str = ip_protocol_to_name(s->socket_protocol);
813 0 : if (str)
814 0 : fprintf(f, "%sSocketProtocol: %s\n", prefix, str);
815 :
816 0 : if (!strv_isempty(s->symlinks)) {
817 : char **q;
818 :
819 0 : fprintf(f, "%sSymlinks:", prefix);
820 0 : STRV_FOREACH(q, s->symlinks)
821 0 : fprintf(f, " %s", *q);
822 :
823 0 : fprintf(f, "\n");
824 : }
825 :
826 0 : fprintf(f,
827 : "%sTimeoutSec: %s\n",
828 : prefix, format_timespan(time_string, FORMAT_TIMESPAN_MAX, s->timeout_usec, USEC_PER_SEC));
829 :
830 0 : exec_context_dump(&s->exec_context, f, prefix);
831 0 : kill_context_dump(&s->kill_context, f, prefix);
832 :
833 0 : for (c = 0; c < _SOCKET_EXEC_COMMAND_MAX; c++) {
834 0 : if (!s->exec_command[c])
835 0 : continue;
836 :
837 0 : fprintf(f, "%s-> %s:\n",
838 : prefix, socket_exec_command_to_string(c));
839 :
840 0 : exec_command_dump_list(s->exec_command[c], f, prefix2);
841 : }
842 :
843 0 : cgroup_context_dump(&s->cgroup_context, f, prefix);
844 0 : }
845 :
846 0 : static int instance_from_socket(int fd, unsigned nr, char **instance) {
847 : socklen_t l;
848 : char *r;
849 : union sockaddr_union local, remote;
850 :
851 0 : assert(fd >= 0);
852 0 : assert(instance);
853 :
854 0 : l = sizeof(local);
855 0 : if (getsockname(fd, &local.sa, &l) < 0)
856 0 : return -errno;
857 :
858 0 : l = sizeof(remote);
859 0 : if (getpeername(fd, &remote.sa, &l) < 0)
860 0 : return -errno;
861 :
862 0 : switch (local.sa.sa_family) {
863 :
864 0 : case AF_INET: {
865 : uint32_t
866 0 : a = be32toh(local.in.sin_addr.s_addr),
867 0 : b = be32toh(remote.in.sin_addr.s_addr);
868 :
869 0 : if (asprintf(&r,
870 : "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
871 : nr,
872 0 : a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF,
873 0 : be16toh(local.in.sin_port),
874 0 : b >> 24, (b >> 16) & 0xFF, (b >> 8) & 0xFF, b & 0xFF,
875 0 : be16toh(remote.in.sin_port)) < 0)
876 0 : return -ENOMEM;
877 :
878 0 : break;
879 : }
880 :
881 0 : case AF_INET6: {
882 : static const unsigned char ipv4_prefix[] = {
883 : 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF
884 : };
885 :
886 0 : if (memcmp(&local.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0 &&
887 0 : memcmp(&remote.in6.sin6_addr, ipv4_prefix, sizeof(ipv4_prefix)) == 0) {
888 : const uint8_t
889 0 : *a = local.in6.sin6_addr.s6_addr+12,
890 0 : *b = remote.in6.sin6_addr.s6_addr+12;
891 :
892 0 : if (asprintf(&r,
893 : "%u-%u.%u.%u.%u:%u-%u.%u.%u.%u:%u",
894 : nr,
895 0 : a[0], a[1], a[2], a[3],
896 0 : be16toh(local.in6.sin6_port),
897 0 : b[0], b[1], b[2], b[3],
898 0 : be16toh(remote.in6.sin6_port)) < 0)
899 0 : return -ENOMEM;
900 : } else {
901 : char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
902 :
903 0 : if (asprintf(&r,
904 : "%u-%s:%u-%s:%u",
905 : nr,
906 : inet_ntop(AF_INET6, &local.in6.sin6_addr, a, sizeof(a)),
907 0 : be16toh(local.in6.sin6_port),
908 : inet_ntop(AF_INET6, &remote.in6.sin6_addr, b, sizeof(b)),
909 0 : be16toh(remote.in6.sin6_port)) < 0)
910 0 : return -ENOMEM;
911 : }
912 :
913 0 : break;
914 : }
915 :
916 0 : case AF_UNIX: {
917 : struct ucred ucred;
918 : int k;
919 :
920 0 : k = getpeercred(fd, &ucred);
921 0 : if (k >= 0) {
922 0 : if (asprintf(&r,
923 : "%u-"PID_FMT"-"UID_FMT,
924 : nr, ucred.pid, ucred.uid) < 0)
925 0 : return -ENOMEM;
926 0 : } else if (k == -ENODATA) {
927 : /* This handles the case where somebody is
928 : * connecting from another pid/uid namespace
929 : * (e.g. from outside of our container). */
930 0 : if (asprintf(&r,
931 : "%u-unknown",
932 : nr) < 0)
933 0 : return -ENOMEM;
934 : } else
935 0 : return k;
936 :
937 0 : break;
938 : }
939 :
940 0 : case AF_VSOCK:
941 0 : if (asprintf(&r,
942 : "%u-%u:%u-%u:%u",
943 : nr,
944 : local.vm.svm_cid, local.vm.svm_port,
945 : remote.vm.svm_cid, remote.vm.svm_port) < 0)
946 0 : return -ENOMEM;
947 :
948 0 : break;
949 :
950 0 : default:
951 0 : assert_not_reached("Unhandled socket type.");
952 : }
953 :
954 0 : *instance = r;
955 0 : return 0;
956 : }
957 :
958 0 : static void socket_close_fds(Socket *s) {
959 : SocketPort *p;
960 : char **i;
961 :
962 0 : assert(s);
963 :
964 0 : LIST_FOREACH(port, p, s->ports) {
965 : bool was_open;
966 :
967 0 : was_open = p->fd >= 0;
968 :
969 0 : p->event_source = sd_event_source_unref(p->event_source);
970 0 : p->fd = safe_close(p->fd);
971 0 : socket_cleanup_fd_list(p);
972 :
973 : /* One little note: we should normally not delete any sockets in the file system here! After all some
974 : * other process we spawned might still have a reference of this fd and wants to continue to use
975 : * it. Therefore we normally delete sockets in the file system before we create a new one, not after we
976 : * stopped using one! That all said, if the user explicitly requested this, we'll delete them here
977 : * anyway, but only then. */
978 :
979 0 : if (!was_open || !s->remove_on_stop)
980 0 : continue;
981 :
982 0 : switch (p->type) {
983 :
984 0 : case SOCKET_FIFO:
985 0 : (void) unlink(p->path);
986 0 : break;
987 :
988 0 : case SOCKET_MQUEUE:
989 0 : (void) mq_unlink(p->path);
990 0 : break;
991 :
992 0 : case SOCKET_SOCKET:
993 0 : (void) socket_address_unlink(&p->address);
994 0 : break;
995 :
996 0 : default:
997 0 : break;
998 : }
999 : }
1000 :
1001 0 : if (s->remove_on_stop)
1002 0 : STRV_FOREACH(i, s->symlinks)
1003 0 : (void) unlink(*i);
1004 0 : }
1005 :
1006 0 : static void socket_apply_socket_options(Socket *s, int fd) {
1007 : int r;
1008 :
1009 0 : assert(s);
1010 0 : assert(fd >= 0);
1011 :
1012 0 : if (s->keep_alive) {
1013 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_KEEPALIVE, true);
1014 0 : if (r < 0)
1015 0 : log_unit_warning_errno(UNIT(s), r, "SO_KEEPALIVE failed: %m");
1016 : }
1017 :
1018 0 : if (s->keep_alive_time > 0) {
1019 0 : r = setsockopt_int(fd, SOL_TCP, TCP_KEEPIDLE, s->keep_alive_time / USEC_PER_SEC);
1020 0 : if (r < 0)
1021 0 : log_unit_warning_errno(UNIT(s), r, "TCP_KEEPIDLE failed: %m");
1022 : }
1023 :
1024 0 : if (s->keep_alive_interval > 0) {
1025 0 : r = setsockopt_int(fd, SOL_TCP, TCP_KEEPINTVL, s->keep_alive_interval / USEC_PER_SEC);
1026 0 : if (r < 0)
1027 0 : log_unit_warning_errno(UNIT(s), r, "TCP_KEEPINTVL failed: %m");
1028 : }
1029 :
1030 0 : if (s->keep_alive_cnt > 0) {
1031 0 : r = setsockopt_int(fd, SOL_TCP, TCP_KEEPCNT, s->keep_alive_cnt);
1032 0 : if (r < 0)
1033 0 : log_unit_warning_errno(UNIT(s), r, "TCP_KEEPCNT failed: %m");
1034 : }
1035 :
1036 0 : if (s->defer_accept > 0) {
1037 0 : r = setsockopt_int(fd, SOL_TCP, TCP_DEFER_ACCEPT, s->defer_accept / USEC_PER_SEC);
1038 0 : if (r < 0)
1039 0 : log_unit_warning_errno(UNIT(s), r, "TCP_DEFER_ACCEPT failed: %m");
1040 : }
1041 :
1042 0 : if (s->no_delay) {
1043 0 : if (s->socket_protocol == IPPROTO_SCTP) {
1044 0 : r = setsockopt_int(fd, SOL_SCTP, SCTP_NODELAY, true);
1045 0 : if (r < 0)
1046 0 : log_unit_warning_errno(UNIT(s), r, "SCTP_NODELAY failed: %m");
1047 : } else {
1048 0 : r = setsockopt_int(fd, SOL_TCP, TCP_NODELAY, true);
1049 0 : if (r < 0)
1050 0 : log_unit_warning_errno(UNIT(s), r, "TCP_NODELAY failed: %m");
1051 : }
1052 : }
1053 :
1054 0 : if (s->broadcast) {
1055 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_BROADCAST, true);
1056 0 : if (r < 0)
1057 0 : log_unit_warning_errno(UNIT(s), r, "SO_BROADCAST failed: %m");
1058 : }
1059 :
1060 0 : if (s->pass_cred) {
1061 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_PASSCRED, true);
1062 0 : if (r < 0)
1063 0 : log_unit_warning_errno(UNIT(s), r, "SO_PASSCRED failed: %m");
1064 : }
1065 :
1066 0 : if (s->pass_sec) {
1067 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_PASSSEC, true);
1068 0 : if (r < 0)
1069 0 : log_unit_warning_errno(UNIT(s), r, "SO_PASSSEC failed: %m");
1070 : }
1071 :
1072 0 : if (s->priority >= 0) {
1073 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_PRIORITY, s->priority);
1074 0 : if (r < 0)
1075 0 : log_unit_warning_errno(UNIT(s), r, "SO_PRIORITY failed: %m");
1076 : }
1077 :
1078 0 : if (s->receive_buffer > 0) {
1079 : /* We first try with SO_RCVBUFFORCE, in case we have the perms for that */
1080 0 : if (setsockopt_int(fd, SOL_SOCKET, SO_RCVBUFFORCE, s->receive_buffer) < 0) {
1081 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_RCVBUF, s->receive_buffer);
1082 0 : if (r < 0)
1083 0 : log_unit_warning_errno(UNIT(s), r, "SO_RCVBUF failed: %m");
1084 : }
1085 : }
1086 :
1087 0 : if (s->send_buffer > 0) {
1088 0 : if (setsockopt_int(fd, SOL_SOCKET, SO_SNDBUFFORCE, s->send_buffer) < 0) {
1089 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_SNDBUF, s->send_buffer);
1090 0 : if (r < 0)
1091 0 : log_unit_warning_errno(UNIT(s), r, "SO_SNDBUF failed: %m");
1092 : }
1093 : }
1094 :
1095 0 : if (s->mark >= 0) {
1096 0 : r = setsockopt_int(fd, SOL_SOCKET, SO_MARK, s->mark);
1097 0 : if (r < 0)
1098 0 : log_unit_warning_errno(UNIT(s), r, "SO_MARK failed: %m");
1099 : }
1100 :
1101 0 : if (s->ip_tos >= 0) {
1102 0 : r = setsockopt_int(fd, IPPROTO_IP, IP_TOS, s->ip_tos);
1103 0 : if (r < 0)
1104 0 : log_unit_warning_errno(UNIT(s), r, "IP_TOS failed: %m");
1105 : }
1106 :
1107 0 : if (s->ip_ttl >= 0) {
1108 : int x;
1109 :
1110 0 : r = setsockopt_int(fd, IPPROTO_IP, IP_TTL, s->ip_ttl);
1111 :
1112 0 : if (socket_ipv6_is_supported())
1113 0 : x = setsockopt_int(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, s->ip_ttl);
1114 : else
1115 0 : x = -EAFNOSUPPORT;
1116 :
1117 0 : if (r < 0 && x < 0)
1118 0 : log_unit_warning_errno(UNIT(s), r, "IP_TTL/IPV6_UNICAST_HOPS failed: %m");
1119 : }
1120 :
1121 0 : if (s->tcp_congestion)
1122 0 : if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
1123 0 : log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
1124 :
1125 0 : if (s->smack_ip_in) {
1126 0 : r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
1127 0 : if (r < 0)
1128 0 : log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
1129 : }
1130 :
1131 0 : if (s->smack_ip_out) {
1132 0 : r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
1133 0 : if (r < 0)
1134 0 : log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
1135 : }
1136 0 : }
1137 :
1138 0 : static void socket_apply_fifo_options(Socket *s, int fd) {
1139 : int r;
1140 :
1141 0 : assert(s);
1142 0 : assert(fd >= 0);
1143 :
1144 0 : if (s->pipe_size > 0)
1145 0 : if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
1146 0 : log_unit_warning_errno(UNIT(s), errno, "Setting pipe size failed, ignoring: %m");
1147 :
1148 0 : if (s->smack) {
1149 0 : r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
1150 0 : if (r < 0)
1151 0 : log_unit_error_errno(UNIT(s), r, "SMACK relabelling failed, ignoring: %m");
1152 : }
1153 0 : }
1154 :
1155 0 : static int fifo_address_create(
1156 : const char *path,
1157 : mode_t directory_mode,
1158 : mode_t socket_mode) {
1159 :
1160 0 : _cleanup_close_ int fd = -1;
1161 : mode_t old_mask;
1162 : struct stat st;
1163 : int r;
1164 :
1165 0 : assert(path);
1166 :
1167 0 : (void) mkdir_parents_label(path, directory_mode);
1168 :
1169 0 : r = mac_selinux_create_file_prepare(path, S_IFIFO);
1170 0 : if (r < 0)
1171 0 : return r;
1172 :
1173 : /* Enforce the right access mode for the fifo */
1174 0 : old_mask = umask(~socket_mode);
1175 :
1176 : /* Include the original umask in our mask */
1177 0 : (void) umask(~socket_mode | old_mask);
1178 :
1179 0 : r = mkfifo(path, socket_mode);
1180 0 : (void) umask(old_mask);
1181 :
1182 0 : if (r < 0 && errno != EEXIST) {
1183 0 : r = -errno;
1184 0 : goto fail;
1185 : }
1186 :
1187 0 : fd = open(path, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
1188 0 : if (fd < 0) {
1189 0 : r = -errno;
1190 0 : goto fail;
1191 : }
1192 :
1193 0 : mac_selinux_create_file_clear();
1194 :
1195 0 : if (fstat(fd, &st) < 0) {
1196 0 : r = -errno;
1197 0 : goto fail;
1198 : }
1199 :
1200 0 : if (!S_ISFIFO(st.st_mode) ||
1201 0 : (st.st_mode & 0777) != (socket_mode & ~old_mask) ||
1202 0 : st.st_uid != getuid() ||
1203 0 : st.st_gid != getgid()) {
1204 0 : r = -EEXIST;
1205 0 : goto fail;
1206 : }
1207 :
1208 0 : return TAKE_FD(fd);
1209 :
1210 0 : fail:
1211 0 : mac_selinux_create_file_clear();
1212 0 : return r;
1213 : }
1214 :
1215 0 : static int special_address_create(const char *path, bool writable) {
1216 0 : _cleanup_close_ int fd = -1;
1217 : struct stat st;
1218 :
1219 0 : assert(path);
1220 :
1221 0 : fd = open(path, (writable ? O_RDWR : O_RDONLY)|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1222 0 : if (fd < 0)
1223 0 : return -errno;
1224 :
1225 0 : if (fstat(fd, &st) < 0)
1226 0 : return -errno;
1227 :
1228 : /* Check whether this is a /proc, /sys or /dev file or char device */
1229 0 : if (!S_ISREG(st.st_mode) && !S_ISCHR(st.st_mode))
1230 0 : return -EEXIST;
1231 :
1232 0 : return TAKE_FD(fd);
1233 : }
1234 :
1235 0 : static int usbffs_address_create(const char *path) {
1236 0 : _cleanup_close_ int fd = -1;
1237 : struct stat st;
1238 :
1239 0 : assert(path);
1240 :
1241 0 : fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW);
1242 0 : if (fd < 0)
1243 0 : return -errno;
1244 :
1245 0 : if (fstat(fd, &st) < 0)
1246 0 : return -errno;
1247 :
1248 : /* Check whether this is a regular file (ffs endpoint) */
1249 0 : if (!S_ISREG(st.st_mode))
1250 0 : return -EEXIST;
1251 :
1252 0 : return TAKE_FD(fd);
1253 : }
1254 :
1255 0 : static int mq_address_create(
1256 : const char *path,
1257 : mode_t mq_mode,
1258 : long maxmsg,
1259 : long msgsize) {
1260 :
1261 0 : _cleanup_close_ int fd = -1;
1262 : struct stat st;
1263 : mode_t old_mask;
1264 0 : struct mq_attr _attr, *attr = NULL;
1265 :
1266 0 : assert(path);
1267 :
1268 0 : if (maxmsg > 0 && msgsize > 0) {
1269 0 : _attr = (struct mq_attr) {
1270 : .mq_flags = O_NONBLOCK,
1271 : .mq_maxmsg = maxmsg,
1272 : .mq_msgsize = msgsize,
1273 : };
1274 0 : attr = &_attr;
1275 : }
1276 :
1277 : /* Enforce the right access mode for the mq */
1278 0 : old_mask = umask(~mq_mode);
1279 :
1280 : /* Include the original umask in our mask */
1281 0 : (void) umask(~mq_mode | old_mask);
1282 0 : fd = mq_open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_CREAT, mq_mode, attr);
1283 0 : (void) umask(old_mask);
1284 :
1285 0 : if (fd < 0)
1286 0 : return -errno;
1287 :
1288 0 : if (fstat(fd, &st) < 0)
1289 0 : return -errno;
1290 :
1291 0 : if ((st.st_mode & 0777) != (mq_mode & ~old_mask) ||
1292 0 : st.st_uid != getuid() ||
1293 0 : st.st_gid != getgid())
1294 0 : return -EEXIST;
1295 :
1296 0 : return TAKE_FD(fd);
1297 : }
1298 :
1299 0 : static int socket_symlink(Socket *s) {
1300 : const char *p;
1301 : char **i;
1302 : int r;
1303 :
1304 0 : assert(s);
1305 :
1306 0 : p = socket_find_symlink_target(s);
1307 0 : if (!p)
1308 0 : return 0;
1309 :
1310 0 : STRV_FOREACH(i, s->symlinks) {
1311 0 : (void) mkdir_parents_label(*i, s->directory_mode);
1312 :
1313 0 : r = symlink_idempotent(p, *i, false);
1314 :
1315 0 : if (r == -EEXIST && s->remove_on_stop) {
1316 : /* If there's already something where we want to create the symlink, and the destructive
1317 : * RemoveOnStop= mode is set, then we might as well try to remove what already exists and try
1318 : * again. */
1319 :
1320 0 : if (unlink(*i) >= 0)
1321 0 : r = symlink_idempotent(p, *i, false);
1322 : }
1323 :
1324 0 : if (r < 0)
1325 0 : log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
1326 : }
1327 :
1328 0 : return 0;
1329 : }
1330 :
1331 0 : static int usbffs_write_descs(int fd, Service *s) {
1332 : int r;
1333 :
1334 0 : if (!s->usb_function_descriptors || !s->usb_function_strings)
1335 0 : return -EINVAL;
1336 :
1337 0 : r = copy_file_fd(s->usb_function_descriptors, fd, 0);
1338 0 : if (r < 0)
1339 0 : return r;
1340 :
1341 0 : return copy_file_fd(s->usb_function_strings, fd, 0);
1342 : }
1343 :
1344 0 : static int usbffs_select_ep(const struct dirent *d) {
1345 0 : return d->d_name[0] != '.' && !streq(d->d_name, "ep0");
1346 : }
1347 :
1348 0 : static int usbffs_dispatch_eps(SocketPort *p) {
1349 0 : _cleanup_free_ struct dirent **ent = NULL;
1350 : size_t n, k, i;
1351 : int r;
1352 :
1353 0 : r = scandir(p->path, &ent, usbffs_select_ep, alphasort);
1354 0 : if (r < 0)
1355 0 : return -errno;
1356 :
1357 0 : n = (size_t) r;
1358 0 : p->auxiliary_fds = new(int, n);
1359 0 : if (!p->auxiliary_fds) {
1360 0 : r = -ENOMEM;
1361 0 : goto clear;
1362 : }
1363 :
1364 0 : p->n_auxiliary_fds = n;
1365 :
1366 0 : k = 0;
1367 0 : for (i = 0; i < n; ++i) {
1368 0 : _cleanup_free_ char *ep = NULL;
1369 :
1370 0 : ep = path_make_absolute(ent[i]->d_name, p->path);
1371 0 : if (!ep) {
1372 0 : r = -ENOMEM;
1373 0 : goto fail;
1374 : }
1375 :
1376 0 : path_simplify(ep, false);
1377 :
1378 0 : r = usbffs_address_create(ep);
1379 0 : if (r < 0)
1380 0 : goto fail;
1381 :
1382 0 : p->auxiliary_fds[k++] = r;
1383 : }
1384 :
1385 0 : r = 0;
1386 0 : goto clear;
1387 :
1388 0 : fail:
1389 0 : close_many(p->auxiliary_fds, k);
1390 0 : p->auxiliary_fds = mfree(p->auxiliary_fds);
1391 0 : p->n_auxiliary_fds = 0;
1392 :
1393 0 : clear:
1394 0 : for (i = 0; i < n; ++i)
1395 0 : free(ent[i]);
1396 :
1397 0 : return r;
1398 : }
1399 :
1400 0 : static int socket_determine_selinux_label(Socket *s, char **ret) {
1401 : Service *service;
1402 : ExecCommand *c;
1403 0 : _cleanup_free_ char *path = NULL;
1404 : int r;
1405 :
1406 0 : assert(s);
1407 0 : assert(ret);
1408 :
1409 0 : if (s->selinux_context_from_net) {
1410 : /* If this is requested, get label from the network label */
1411 :
1412 0 : r = mac_selinux_get_our_label(ret);
1413 0 : if (r == -EOPNOTSUPP)
1414 0 : goto no_label;
1415 :
1416 : } else {
1417 : /* Otherwise, get it from the executable we are about to start */
1418 0 : r = socket_instantiate_service(s);
1419 0 : if (r < 0)
1420 0 : return r;
1421 :
1422 0 : if (!UNIT_ISSET(s->service))
1423 0 : goto no_label;
1424 :
1425 0 : service = SERVICE(UNIT_DEREF(s->service));
1426 0 : c = service->exec_command[SERVICE_EXEC_START];
1427 0 : if (!c)
1428 0 : goto no_label;
1429 :
1430 0 : r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
1431 0 : if (r < 0)
1432 0 : goto no_label;
1433 :
1434 0 : r = mac_selinux_get_create_label_from_exe(path, ret);
1435 0 : if (IN_SET(r, -EPERM, -EOPNOTSUPP))
1436 0 : goto no_label;
1437 : }
1438 :
1439 0 : return r;
1440 :
1441 0 : no_label:
1442 0 : *ret = NULL;
1443 0 : return 0;
1444 : }
1445 :
1446 0 : static int socket_address_listen_do(
1447 : Socket *s,
1448 : const SocketAddress *address,
1449 : const char *label) {
1450 :
1451 0 : assert(s);
1452 0 : assert(address);
1453 :
1454 0 : return socket_address_listen(
1455 : address,
1456 : SOCK_CLOEXEC|SOCK_NONBLOCK,
1457 0 : s->backlog,
1458 : s->bind_ipv6_only,
1459 0 : s->bind_to_device,
1460 0 : s->reuse_port,
1461 0 : s->free_bind,
1462 0 : s->transparent,
1463 : s->directory_mode,
1464 : s->socket_mode,
1465 : label);
1466 : }
1467 :
1468 : #define log_address_error_errno(u, address, error, fmt) \
1469 : ({ \
1470 : _cleanup_free_ char *_t = NULL; \
1471 : \
1472 : (void) socket_address_print(address, &_t); \
1473 : log_unit_error_errno(u, error, fmt, strna(_t)); \
1474 : })
1475 :
1476 0 : static int fork_needed(const SocketAddress *address, const ExecContext *context) {
1477 : int r;
1478 :
1479 0 : assert(address);
1480 0 : assert(context);
1481 :
1482 : /* Check if we need to do the cgroup or netns stuff. If not we can do things much simpler. */
1483 :
1484 0 : if (IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6)) {
1485 0 : r = bpf_firewall_supported();
1486 0 : if (r < 0)
1487 0 : return r;
1488 0 : if (r != BPF_FIREWALL_UNSUPPORTED) /* If BPF firewalling isn't supported anyway — there's no point in this forking complexity */
1489 0 : return true;
1490 : }
1491 :
1492 0 : return context->private_network || context->network_namespace_path;
1493 : }
1494 :
1495 0 : static int socket_address_listen_in_cgroup(
1496 : Socket *s,
1497 : const SocketAddress *address,
1498 : const char *label) {
1499 :
1500 0 : _cleanup_close_pair_ int pair[2] = { -1, -1 };
1501 : int fd, r;
1502 : pid_t pid;
1503 :
1504 0 : assert(s);
1505 0 : assert(address);
1506 :
1507 : /* This is a wrapper around socket_address_listen(), that forks off a helper process inside the
1508 : * socket's cgroup and network namespace in which the socket is actually created. This way we ensure
1509 : * the socket is actually properly attached to the unit's cgroup for the purpose of BPF filtering and
1510 : * such. */
1511 :
1512 0 : r = fork_needed(address, &s->exec_context);
1513 0 : if (r < 0)
1514 0 : return r;
1515 0 : if (r == 0) {
1516 : /* Shortcut things... */
1517 0 : fd = socket_address_listen_do(s, address, label);
1518 0 : if (fd < 0)
1519 0 : return log_address_error_errno(UNIT(s), address, fd, "Failed to create listening socket (%s): %m");
1520 :
1521 0 : return fd;
1522 : }
1523 :
1524 0 : r = unit_setup_exec_runtime(UNIT(s));
1525 0 : if (r < 0)
1526 0 : return log_unit_error_errno(UNIT(s), r, "Failed acquire runtime: %m");
1527 :
1528 0 : if (s->exec_context.network_namespace_path &&
1529 0 : s->exec_runtime &&
1530 0 : s->exec_runtime->netns_storage_socket[0] >= 0) {
1531 0 : r = open_netns_path(s->exec_runtime->netns_storage_socket, s->exec_context.network_namespace_path);
1532 0 : if (r < 0)
1533 0 : return log_unit_error_errno(UNIT(s), r, "Failed to open network namespace path %s: %m", s->exec_context.network_namespace_path);
1534 : }
1535 :
1536 0 : if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
1537 0 : return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
1538 :
1539 0 : r = unit_fork_helper_process(UNIT(s), "(sd-listen)", &pid);
1540 0 : if (r < 0)
1541 0 : return log_unit_error_errno(UNIT(s), r, "Failed to fork off listener stub process: %m");
1542 0 : if (r == 0) {
1543 : /* Child */
1544 :
1545 0 : pair[0] = safe_close(pair[0]);
1546 :
1547 0 : if ((s->exec_context.private_network || s->exec_context.network_namespace_path) &&
1548 0 : s->exec_runtime &&
1549 0 : s->exec_runtime->netns_storage_socket[0] >= 0) {
1550 :
1551 0 : if (ns_type_supported(NAMESPACE_NET)) {
1552 0 : r = setup_netns(s->exec_runtime->netns_storage_socket);
1553 0 : if (r < 0) {
1554 0 : log_unit_error_errno(UNIT(s), r, "Failed to join network namespace: %m");
1555 0 : _exit(EXIT_NETWORK);
1556 : }
1557 0 : } else if (s->exec_context.network_namespace_path) {
1558 0 : log_unit_error(UNIT(s), "Network namespace path configured but network namespaces not supported.");
1559 0 : _exit(EXIT_NETWORK);
1560 : } else
1561 0 : log_unit_warning(UNIT(s), "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
1562 : }
1563 :
1564 0 : fd = socket_address_listen_do(s, address, label);
1565 0 : if (fd < 0) {
1566 0 : log_address_error_errno(UNIT(s), address, fd, "Failed to create listening socket (%s): %m");
1567 0 : _exit(EXIT_FAILURE);
1568 : }
1569 :
1570 0 : r = send_one_fd(pair[1], fd, 0);
1571 0 : if (r < 0) {
1572 0 : log_address_error_errno(UNIT(s), address, r, "Failed to send listening socket (%s) to parent: %m");
1573 0 : _exit(EXIT_FAILURE);
1574 : }
1575 :
1576 0 : _exit(EXIT_SUCCESS);
1577 : }
1578 :
1579 0 : pair[1] = safe_close(pair[1]);
1580 0 : fd = receive_one_fd(pair[0], 0);
1581 :
1582 : /* We synchronously wait for the helper, as it shouldn't be slow */
1583 0 : r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
1584 0 : if (r < 0) {
1585 0 : safe_close(fd);
1586 0 : return r;
1587 : }
1588 :
1589 0 : if (fd < 0)
1590 0 : return log_address_error_errno(UNIT(s), address, fd, "Failed to receive listening socket (%s): %m");
1591 :
1592 0 : return fd;
1593 : }
1594 :
1595 0 : DEFINE_TRIVIAL_CLEANUP_FUNC(Socket *, socket_close_fds);
1596 :
1597 0 : static int socket_open_fds(Socket *_s) {
1598 0 : _cleanup_(socket_close_fdsp) Socket *s = _s;
1599 0 : _cleanup_(mac_selinux_freep) char *label = NULL;
1600 0 : bool know_label = false;
1601 : SocketPort *p;
1602 : int r;
1603 :
1604 0 : assert(s);
1605 :
1606 0 : LIST_FOREACH(port, p, s->ports) {
1607 :
1608 0 : if (p->fd >= 0)
1609 0 : continue;
1610 :
1611 0 : switch (p->type) {
1612 :
1613 0 : case SOCKET_SOCKET:
1614 :
1615 0 : if (!know_label) {
1616 : /* Figure out label, if we don't it know yet. We do it once, for the first socket where
1617 : * we need this and remember it for the rest. */
1618 :
1619 0 : r = socket_determine_selinux_label(s, &label);
1620 0 : if (r < 0)
1621 0 : return log_unit_error_errno(UNIT(s), r, "Failed to determine SELinux label: %m");
1622 :
1623 0 : know_label = true;
1624 : }
1625 :
1626 : /* Apply the socket protocol */
1627 0 : switch (p->address.type) {
1628 :
1629 0 : case SOCK_STREAM:
1630 : case SOCK_SEQPACKET:
1631 0 : if (s->socket_protocol == IPPROTO_SCTP)
1632 0 : p->address.protocol = s->socket_protocol;
1633 0 : break;
1634 :
1635 0 : case SOCK_DGRAM:
1636 0 : if (s->socket_protocol == IPPROTO_UDPLITE)
1637 0 : p->address.protocol = s->socket_protocol;
1638 0 : break;
1639 : }
1640 :
1641 0 : p->fd = socket_address_listen_in_cgroup(s, &p->address, label);
1642 0 : if (p->fd < 0)
1643 0 : return p->fd;
1644 :
1645 0 : socket_apply_socket_options(s, p->fd);
1646 0 : socket_symlink(s);
1647 0 : break;
1648 :
1649 0 : case SOCKET_SPECIAL:
1650 :
1651 0 : p->fd = special_address_create(p->path, s->writable);
1652 0 : if (p->fd < 0)
1653 0 : return log_unit_error_errno(UNIT(s), p->fd, "Failed to open special file %s: %m", p->path);
1654 0 : break;
1655 :
1656 0 : case SOCKET_FIFO:
1657 :
1658 0 : p->fd = fifo_address_create(
1659 0 : p->path,
1660 0 : s->directory_mode,
1661 0 : s->socket_mode);
1662 0 : if (p->fd < 0)
1663 0 : return log_unit_error_errno(UNIT(s), p->fd, "Failed to open FIFO %s: %m", p->path);
1664 :
1665 0 : socket_apply_fifo_options(s, p->fd);
1666 0 : socket_symlink(s);
1667 0 : break;
1668 :
1669 0 : case SOCKET_MQUEUE:
1670 :
1671 0 : p->fd = mq_address_create(
1672 0 : p->path,
1673 0 : s->socket_mode,
1674 0 : s->mq_maxmsg,
1675 0 : s->mq_msgsize);
1676 0 : if (p->fd < 0)
1677 0 : return log_unit_error_errno(UNIT(s), p->fd, "Failed to open message queue %s: %m", p->path);
1678 0 : break;
1679 :
1680 0 : case SOCKET_USB_FUNCTION: {
1681 0 : _cleanup_free_ char *ep = NULL;
1682 :
1683 0 : ep = path_make_absolute("ep0", p->path);
1684 :
1685 0 : p->fd = usbffs_address_create(ep);
1686 0 : if (p->fd < 0)
1687 0 : return p->fd;
1688 :
1689 0 : r = usbffs_write_descs(p->fd, SERVICE(UNIT_DEREF(s->service)));
1690 0 : if (r < 0)
1691 0 : return r;
1692 :
1693 0 : r = usbffs_dispatch_eps(p);
1694 0 : if (r < 0)
1695 0 : return r;
1696 :
1697 0 : break;
1698 : }
1699 0 : default:
1700 0 : assert_not_reached("Unknown port type");
1701 : }
1702 : }
1703 :
1704 0 : s = NULL;
1705 0 : return 0;
1706 : }
1707 :
1708 0 : static void socket_unwatch_fds(Socket *s) {
1709 : SocketPort *p;
1710 : int r;
1711 :
1712 0 : assert(s);
1713 :
1714 0 : LIST_FOREACH(port, p, s->ports) {
1715 0 : if (p->fd < 0)
1716 0 : continue;
1717 :
1718 0 : if (!p->event_source)
1719 0 : continue;
1720 :
1721 0 : r = sd_event_source_set_enabled(p->event_source, SD_EVENT_OFF);
1722 0 : if (r < 0)
1723 0 : log_unit_debug_errno(UNIT(s), r, "Failed to disable event source: %m");
1724 : }
1725 0 : }
1726 :
1727 0 : static int socket_watch_fds(Socket *s) {
1728 : SocketPort *p;
1729 : int r;
1730 :
1731 0 : assert(s);
1732 :
1733 0 : LIST_FOREACH(port, p, s->ports) {
1734 0 : if (p->fd < 0)
1735 0 : continue;
1736 :
1737 0 : if (p->event_source) {
1738 0 : r = sd_event_source_set_enabled(p->event_source, SD_EVENT_ON);
1739 0 : if (r < 0)
1740 0 : goto fail;
1741 : } else {
1742 0 : r = sd_event_add_io(UNIT(s)->manager->event, &p->event_source, p->fd, EPOLLIN, socket_dispatch_io, p);
1743 0 : if (r < 0)
1744 0 : goto fail;
1745 :
1746 0 : (void) sd_event_source_set_description(p->event_source, "socket-port-io");
1747 : }
1748 : }
1749 :
1750 0 : return 0;
1751 :
1752 0 : fail:
1753 0 : log_unit_warning_errno(UNIT(s), r, "Failed to watch listening fds: %m");
1754 0 : socket_unwatch_fds(s);
1755 0 : return r;
1756 : }
1757 :
1758 : enum {
1759 : SOCKET_OPEN_NONE,
1760 : SOCKET_OPEN_SOME,
1761 : SOCKET_OPEN_ALL,
1762 : };
1763 :
1764 0 : static int socket_check_open(Socket *s) {
1765 0 : bool have_open = false, have_closed = false;
1766 : SocketPort *p;
1767 :
1768 0 : assert(s);
1769 :
1770 0 : LIST_FOREACH(port, p, s->ports) {
1771 0 : if (p->fd < 0)
1772 0 : have_closed = true;
1773 : else
1774 0 : have_open = true;
1775 :
1776 0 : if (have_open && have_closed)
1777 0 : return SOCKET_OPEN_SOME;
1778 : }
1779 :
1780 0 : if (have_open)
1781 0 : return SOCKET_OPEN_ALL;
1782 :
1783 0 : return SOCKET_OPEN_NONE;
1784 : }
1785 :
1786 0 : static void socket_set_state(Socket *s, SocketState state) {
1787 : SocketState old_state;
1788 0 : assert(s);
1789 :
1790 0 : if (s->state != state)
1791 0 : bus_unit_send_pending_change_signal(UNIT(s), false);
1792 :
1793 0 : old_state = s->state;
1794 0 : s->state = state;
1795 :
1796 0 : if (!IN_SET(state,
1797 : SOCKET_START_PRE,
1798 : SOCKET_START_CHOWN,
1799 : SOCKET_START_POST,
1800 : SOCKET_STOP_PRE,
1801 : SOCKET_STOP_PRE_SIGTERM,
1802 : SOCKET_STOP_PRE_SIGKILL,
1803 : SOCKET_STOP_POST,
1804 : SOCKET_FINAL_SIGTERM,
1805 : SOCKET_FINAL_SIGKILL)) {
1806 :
1807 0 : s->timer_event_source = sd_event_source_unref(s->timer_event_source);
1808 0 : socket_unwatch_control_pid(s);
1809 0 : s->control_command = NULL;
1810 0 : s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
1811 : }
1812 :
1813 0 : if (state != SOCKET_LISTENING)
1814 0 : socket_unwatch_fds(s);
1815 :
1816 0 : if (!IN_SET(state,
1817 : SOCKET_START_CHOWN,
1818 : SOCKET_START_POST,
1819 : SOCKET_LISTENING,
1820 : SOCKET_RUNNING,
1821 : SOCKET_STOP_PRE,
1822 : SOCKET_STOP_PRE_SIGTERM,
1823 : SOCKET_STOP_PRE_SIGKILL))
1824 0 : socket_close_fds(s);
1825 :
1826 0 : if (state != old_state)
1827 0 : log_unit_debug(UNIT(s), "Changed %s -> %s", socket_state_to_string(old_state), socket_state_to_string(state));
1828 :
1829 0 : unit_notify(UNIT(s), state_translation_table[old_state], state_translation_table[state], 0);
1830 0 : }
1831 :
1832 0 : static int socket_coldplug(Unit *u) {
1833 0 : Socket *s = SOCKET(u);
1834 : int r;
1835 :
1836 0 : assert(s);
1837 0 : assert(s->state == SOCKET_DEAD);
1838 :
1839 0 : if (s->deserialized_state == s->state)
1840 0 : return 0;
1841 :
1842 0 : if (s->control_pid > 0 &&
1843 0 : pid_is_unwaited(s->control_pid) &&
1844 0 : IN_SET(s->deserialized_state,
1845 : SOCKET_START_PRE,
1846 : SOCKET_START_CHOWN,
1847 : SOCKET_START_POST,
1848 : SOCKET_STOP_PRE,
1849 : SOCKET_STOP_PRE_SIGTERM,
1850 : SOCKET_STOP_PRE_SIGKILL,
1851 : SOCKET_STOP_POST,
1852 : SOCKET_FINAL_SIGTERM,
1853 : SOCKET_FINAL_SIGKILL)) {
1854 :
1855 0 : r = unit_watch_pid(UNIT(s), s->control_pid, false);
1856 0 : if (r < 0)
1857 0 : return r;
1858 :
1859 0 : r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
1860 0 : if (r < 0)
1861 0 : return r;
1862 : }
1863 :
1864 0 : if (IN_SET(s->deserialized_state,
1865 : SOCKET_START_CHOWN,
1866 : SOCKET_START_POST,
1867 : SOCKET_LISTENING,
1868 : SOCKET_RUNNING)) {
1869 :
1870 : /* Originally, we used to simply reopen all sockets here that we didn't have file descriptors
1871 : * for. However, this is problematic, as we won't traverse through the SOCKET_START_CHOWN state for
1872 : * them, and thus the UID/GID wouldn't be right. Hence, instead simply check if we have all fds open,
1873 : * and if there's a mismatch, warn loudly. */
1874 :
1875 0 : r = socket_check_open(s);
1876 0 : if (r == SOCKET_OPEN_NONE)
1877 0 : log_unit_warning(UNIT(s),
1878 : "Socket unit configuration has changed while unit has been running, "
1879 : "no open socket file descriptor left. "
1880 : "The socket unit is not functional until restarted.");
1881 0 : else if (r == SOCKET_OPEN_SOME)
1882 0 : log_unit_warning(UNIT(s),
1883 : "Socket unit configuration has changed while unit has been running, "
1884 : "and some socket file descriptors have not been opened yet. "
1885 : "The socket unit is not fully functional until restarted.");
1886 : }
1887 :
1888 0 : if (s->deserialized_state == SOCKET_LISTENING) {
1889 0 : r = socket_watch_fds(s);
1890 0 : if (r < 0)
1891 0 : return r;
1892 : }
1893 :
1894 0 : if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) {
1895 0 : (void) unit_setup_dynamic_creds(u);
1896 0 : (void) unit_setup_exec_runtime(u);
1897 : }
1898 :
1899 0 : socket_set_state(s, s->deserialized_state);
1900 0 : return 0;
1901 : }
1902 :
1903 0 : static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
1904 :
1905 0 : _cleanup_(exec_params_clear) ExecParameters exec_params = {
1906 : .flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN,
1907 : .stdin_fd = -1,
1908 : .stdout_fd = -1,
1909 : .stderr_fd = -1,
1910 : .exec_fd = -1,
1911 : };
1912 : pid_t pid;
1913 : int r;
1914 :
1915 0 : assert(s);
1916 0 : assert(c);
1917 0 : assert(_pid);
1918 :
1919 0 : r = unit_prepare_exec(UNIT(s));
1920 0 : if (r < 0)
1921 0 : return r;
1922 :
1923 0 : r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1924 0 : if (r < 0)
1925 0 : return r;
1926 :
1927 0 : r = unit_set_exec_params(UNIT(s), &exec_params);
1928 0 : if (r < 0)
1929 0 : return r;
1930 :
1931 0 : r = exec_spawn(UNIT(s),
1932 : c,
1933 0 : &s->exec_context,
1934 : &exec_params,
1935 : s->exec_runtime,
1936 : &s->dynamic_creds,
1937 : &pid);
1938 0 : if (r < 0)
1939 0 : return r;
1940 :
1941 0 : r = unit_watch_pid(UNIT(s), pid, true);
1942 0 : if (r < 0)
1943 0 : return r;
1944 :
1945 0 : *_pid = pid;
1946 :
1947 0 : return 0;
1948 : }
1949 :
1950 0 : static int socket_chown(Socket *s, pid_t *_pid) {
1951 : pid_t pid;
1952 : int r;
1953 :
1954 0 : r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
1955 0 : if (r < 0)
1956 0 : goto fail;
1957 :
1958 : /* We have to resolve the user names out-of-process, hence
1959 : * let's fork here. It's messy, but well, what can we do? */
1960 :
1961 0 : r = unit_fork_helper_process(UNIT(s), "(sd-chown)", &pid);
1962 0 : if (r < 0)
1963 0 : return r;
1964 0 : if (r == 0) {
1965 0 : uid_t uid = UID_INVALID;
1966 0 : gid_t gid = GID_INVALID;
1967 : SocketPort *p;
1968 :
1969 : /* Child */
1970 :
1971 0 : if (!isempty(s->user)) {
1972 0 : const char *user = s->user;
1973 :
1974 0 : r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
1975 0 : if (r < 0) {
1976 0 : log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
1977 0 : _exit(EXIT_USER);
1978 : }
1979 : }
1980 :
1981 0 : if (!isempty(s->group)) {
1982 0 : const char *group = s->group;
1983 :
1984 0 : r = get_group_creds(&group, &gid, 0);
1985 0 : if (r < 0) {
1986 0 : log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
1987 0 : _exit(EXIT_GROUP);
1988 : }
1989 : }
1990 :
1991 0 : LIST_FOREACH(port, p, s->ports) {
1992 0 : const char *path = NULL;
1993 :
1994 0 : if (p->type == SOCKET_SOCKET)
1995 0 : path = socket_address_get_path(&p->address);
1996 0 : else if (p->type == SOCKET_FIFO)
1997 0 : path = p->path;
1998 :
1999 0 : if (!path)
2000 0 : continue;
2001 :
2002 0 : if (chown(path, uid, gid) < 0) {
2003 0 : log_unit_error_errno(UNIT(s), errno, "Failed to chown(): %m");
2004 0 : _exit(EXIT_CHOWN);
2005 : }
2006 : }
2007 :
2008 0 : _exit(EXIT_SUCCESS);
2009 : }
2010 :
2011 0 : r = unit_watch_pid(UNIT(s), pid, true);
2012 0 : if (r < 0)
2013 0 : goto fail;
2014 :
2015 0 : *_pid = pid;
2016 0 : return 0;
2017 :
2018 0 : fail:
2019 0 : s->timer_event_source = sd_event_source_unref(s->timer_event_source);
2020 0 : return r;
2021 : }
2022 :
2023 0 : static void socket_enter_dead(Socket *s, SocketResult f) {
2024 0 : assert(s);
2025 :
2026 0 : if (s->result == SOCKET_SUCCESS)
2027 0 : s->result = f;
2028 :
2029 0 : if (s->result == SOCKET_SUCCESS)
2030 0 : unit_log_success(UNIT(s));
2031 : else
2032 0 : unit_log_failure(UNIT(s), socket_result_to_string(s->result));
2033 :
2034 0 : socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
2035 :
2036 0 : s->exec_runtime = exec_runtime_unref(s->exec_runtime, true);
2037 :
2038 0 : exec_context_destroy_runtime_directory(&s->exec_context, UNIT(s)->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
2039 :
2040 0 : unit_unref_uid_gid(UNIT(s), true);
2041 :
2042 0 : dynamic_creds_destroy(&s->dynamic_creds);
2043 0 : }
2044 :
2045 : static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
2046 :
2047 0 : static void socket_enter_stop_post(Socket *s, SocketResult f) {
2048 : int r;
2049 0 : assert(s);
2050 :
2051 0 : if (s->result == SOCKET_SUCCESS)
2052 0 : s->result = f;
2053 :
2054 0 : socket_unwatch_control_pid(s);
2055 0 : s->control_command_id = SOCKET_EXEC_STOP_POST;
2056 0 : s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
2057 :
2058 0 : if (s->control_command) {
2059 0 : r = socket_spawn(s, s->control_command, &s->control_pid);
2060 0 : if (r < 0)
2061 0 : goto fail;
2062 :
2063 0 : socket_set_state(s, SOCKET_STOP_POST);
2064 : } else
2065 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
2066 :
2067 0 : return;
2068 :
2069 0 : fail:
2070 0 : log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
2071 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2072 : }
2073 :
2074 0 : static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
2075 : int r;
2076 :
2077 0 : assert(s);
2078 :
2079 0 : if (s->result == SOCKET_SUCCESS)
2080 0 : s->result = f;
2081 :
2082 0 : r = unit_kill_context(
2083 0 : UNIT(s),
2084 : &s->kill_context,
2085 0 : !IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_FINAL_SIGTERM) ?
2086 : KILL_KILL : KILL_TERMINATE,
2087 : -1,
2088 : s->control_pid,
2089 : false);
2090 0 : if (r < 0)
2091 0 : goto fail;
2092 :
2093 0 : if (r > 0) {
2094 0 : r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
2095 0 : if (r < 0)
2096 0 : goto fail;
2097 :
2098 0 : socket_set_state(s, state);
2099 0 : } else if (state == SOCKET_STOP_PRE_SIGTERM)
2100 0 : socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_SUCCESS);
2101 0 : else if (state == SOCKET_STOP_PRE_SIGKILL)
2102 0 : socket_enter_stop_post(s, SOCKET_SUCCESS);
2103 0 : else if (state == SOCKET_FINAL_SIGTERM)
2104 0 : socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_SUCCESS);
2105 : else
2106 0 : socket_enter_dead(s, SOCKET_SUCCESS);
2107 :
2108 0 : return;
2109 :
2110 0 : fail:
2111 0 : log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
2112 :
2113 0 : if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
2114 0 : socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2115 : else
2116 0 : socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2117 : }
2118 :
2119 0 : static void socket_enter_stop_pre(Socket *s, SocketResult f) {
2120 : int r;
2121 0 : assert(s);
2122 :
2123 0 : if (s->result == SOCKET_SUCCESS)
2124 0 : s->result = f;
2125 :
2126 0 : socket_unwatch_control_pid(s);
2127 0 : s->control_command_id = SOCKET_EXEC_STOP_PRE;
2128 0 : s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
2129 :
2130 0 : if (s->control_command) {
2131 0 : r = socket_spawn(s, s->control_command, &s->control_pid);
2132 0 : if (r < 0)
2133 0 : goto fail;
2134 :
2135 0 : socket_set_state(s, SOCKET_STOP_PRE);
2136 : } else
2137 0 : socket_enter_stop_post(s, SOCKET_SUCCESS);
2138 :
2139 0 : return;
2140 :
2141 0 : fail:
2142 0 : log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
2143 0 : socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
2144 : }
2145 :
2146 0 : static void socket_enter_listening(Socket *s) {
2147 : int r;
2148 0 : assert(s);
2149 :
2150 0 : r = socket_watch_fds(s);
2151 0 : if (r < 0) {
2152 0 : log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
2153 0 : goto fail;
2154 : }
2155 :
2156 0 : socket_set_state(s, SOCKET_LISTENING);
2157 0 : return;
2158 :
2159 0 : fail:
2160 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2161 : }
2162 :
2163 0 : static void socket_enter_start_post(Socket *s) {
2164 : int r;
2165 0 : assert(s);
2166 :
2167 0 : socket_unwatch_control_pid(s);
2168 0 : s->control_command_id = SOCKET_EXEC_START_POST;
2169 0 : s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
2170 :
2171 0 : if (s->control_command) {
2172 0 : r = socket_spawn(s, s->control_command, &s->control_pid);
2173 0 : if (r < 0) {
2174 0 : log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
2175 0 : goto fail;
2176 : }
2177 :
2178 0 : socket_set_state(s, SOCKET_START_POST);
2179 : } else
2180 0 : socket_enter_listening(s);
2181 :
2182 0 : return;
2183 :
2184 0 : fail:
2185 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2186 : }
2187 :
2188 0 : static void socket_enter_start_chown(Socket *s) {
2189 : int r;
2190 :
2191 0 : assert(s);
2192 :
2193 0 : r = socket_open_fds(s);
2194 0 : if (r < 0) {
2195 0 : log_unit_warning_errno(UNIT(s), r, "Failed to listen on sockets: %m");
2196 0 : goto fail;
2197 : }
2198 :
2199 0 : if (!isempty(s->user) || !isempty(s->group)) {
2200 :
2201 0 : socket_unwatch_control_pid(s);
2202 0 : s->control_command_id = SOCKET_EXEC_START_CHOWN;
2203 0 : s->control_command = NULL;
2204 :
2205 0 : r = socket_chown(s, &s->control_pid);
2206 0 : if (r < 0) {
2207 0 : log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
2208 0 : goto fail;
2209 : }
2210 :
2211 0 : socket_set_state(s, SOCKET_START_CHOWN);
2212 : } else
2213 0 : socket_enter_start_post(s);
2214 :
2215 0 : return;
2216 :
2217 0 : fail:
2218 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2219 : }
2220 :
2221 0 : static void socket_enter_start_pre(Socket *s) {
2222 : int r;
2223 0 : assert(s);
2224 :
2225 0 : socket_unwatch_control_pid(s);
2226 :
2227 0 : unit_warn_leftover_processes(UNIT(s));
2228 :
2229 0 : s->control_command_id = SOCKET_EXEC_START_PRE;
2230 0 : s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
2231 :
2232 0 : if (s->control_command) {
2233 0 : r = socket_spawn(s, s->control_command, &s->control_pid);
2234 0 : if (r < 0) {
2235 0 : log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
2236 0 : goto fail;
2237 : }
2238 :
2239 0 : socket_set_state(s, SOCKET_START_PRE);
2240 : } else
2241 0 : socket_enter_start_chown(s);
2242 :
2243 0 : return;
2244 :
2245 0 : fail:
2246 0 : socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2247 : }
2248 :
2249 0 : static void flush_ports(Socket *s) {
2250 : SocketPort *p;
2251 :
2252 : /* Flush all incoming traffic, regardless if actual bytes or new connections, so that this socket isn't busy
2253 : * anymore */
2254 :
2255 0 : LIST_FOREACH(port, p, s->ports) {
2256 0 : if (p->fd < 0)
2257 0 : continue;
2258 :
2259 0 : (void) flush_accept(p->fd);
2260 0 : (void) flush_fd(p->fd);
2261 : }
2262 0 : }
2263 :
2264 0 : static void socket_enter_running(Socket *s, int cfd) {
2265 0 : _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2266 : int r;
2267 :
2268 : /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
2269 : * close it. */
2270 :
2271 0 : assert(s);
2272 :
2273 : /* We don't take connections anymore if we are supposed to shut down anyway */
2274 0 : if (unit_stop_pending(UNIT(s))) {
2275 :
2276 0 : log_unit_debug(UNIT(s), "Suppressing connection request since unit stop is scheduled.");
2277 :
2278 0 : if (cfd >= 0)
2279 0 : goto refuse;
2280 : else
2281 0 : flush_ports(s);
2282 :
2283 0 : return;
2284 : }
2285 :
2286 0 : if (!ratelimit_below(&s->trigger_limit)) {
2287 0 : log_unit_warning(UNIT(s), "Trigger limit hit, refusing further activation.");
2288 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_TRIGGER_LIMIT_HIT);
2289 0 : goto refuse;
2290 : }
2291 :
2292 0 : if (cfd < 0) {
2293 0 : bool pending = false;
2294 : Unit *other;
2295 : Iterator i;
2296 : void *v;
2297 :
2298 : /* If there's already a start pending don't bother to
2299 : * do anything */
2300 0 : HASHMAP_FOREACH_KEY(v, other, UNIT(s)->dependencies[UNIT_TRIGGERS], i)
2301 0 : if (unit_active_or_pending(other)) {
2302 0 : pending = true;
2303 0 : break;
2304 : }
2305 :
2306 0 : if (!pending) {
2307 0 : if (!UNIT_ISSET(s->service)) {
2308 0 : log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
2309 0 : r = -ENOENT;
2310 0 : goto fail;
2311 : }
2312 :
2313 0 : r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, NULL, &error, NULL);
2314 0 : if (r < 0)
2315 0 : goto fail;
2316 : }
2317 :
2318 0 : socket_set_state(s, SOCKET_RUNNING);
2319 : } else {
2320 0 : _cleanup_free_ char *prefix = NULL, *instance = NULL, *name = NULL;
2321 0 : _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
2322 : Service *service;
2323 :
2324 0 : if (s->n_connections >= s->max_connections) {
2325 0 : log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
2326 : s->n_connections);
2327 0 : goto refuse;
2328 : }
2329 :
2330 0 : if (s->max_connections_per_source > 0) {
2331 0 : r = socket_acquire_peer(s, cfd, &p);
2332 0 : if (r < 0) {
2333 0 : goto refuse;
2334 0 : } else if (r > 0 && p->n_ref > s->max_connections_per_source) {
2335 0 : _cleanup_free_ char *t = NULL;
2336 :
2337 0 : (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
2338 :
2339 0 : log_unit_warning(UNIT(s),
2340 : "Too many incoming connections (%u) from source %s, dropping connection.",
2341 : p->n_ref, strnull(t));
2342 0 : goto refuse;
2343 : }
2344 : }
2345 :
2346 0 : r = socket_instantiate_service(s);
2347 0 : if (r < 0)
2348 0 : goto fail;
2349 :
2350 0 : r = instance_from_socket(cfd, s->n_accepted, &instance);
2351 0 : if (r < 0) {
2352 0 : if (r != -ENOTCONN)
2353 0 : goto fail;
2354 :
2355 : /* ENOTCONN is legitimate if TCP RST was received.
2356 : * This connection is over, but the socket unit lives on. */
2357 0 : log_unit_debug(UNIT(s), "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
2358 0 : goto refuse;
2359 : }
2360 :
2361 0 : r = unit_name_to_prefix(UNIT(s)->id, &prefix);
2362 0 : if (r < 0)
2363 0 : goto fail;
2364 :
2365 0 : r = unit_name_build(prefix, instance, ".service", &name);
2366 0 : if (r < 0)
2367 0 : goto fail;
2368 :
2369 0 : r = unit_add_name(UNIT_DEREF(s->service), name);
2370 0 : if (r < 0)
2371 0 : goto fail;
2372 :
2373 0 : service = SERVICE(UNIT_DEREF(s->service));
2374 0 : unit_ref_unset(&s->service);
2375 :
2376 0 : s->n_accepted++;
2377 0 : unit_choose_id(UNIT(service), name);
2378 :
2379 0 : r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
2380 0 : if (r < 0)
2381 0 : goto fail;
2382 :
2383 0 : cfd = -1; /* We passed ownership of the fd to the service now. Forget it here. */
2384 0 : s->n_connections++;
2385 :
2386 0 : service->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */
2387 :
2388 0 : r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, NULL, &error, NULL);
2389 0 : if (r < 0) {
2390 : /* We failed to activate the new service, but it still exists. Let's make sure the service
2391 : * closes and forgets the connection fd again, immediately. */
2392 0 : service_close_socket_fd(service);
2393 0 : goto fail;
2394 : }
2395 :
2396 : /* Notify clients about changed counters */
2397 0 : unit_add_to_dbus_queue(UNIT(s));
2398 : }
2399 :
2400 0 : return;
2401 :
2402 0 : refuse:
2403 0 : s->n_refused++;
2404 0 : safe_close(cfd);
2405 0 : return;
2406 :
2407 0 : fail:
2408 0 : log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
2409 : cfd >= 0 ? "template" : "non-template",
2410 : bus_error_message(&error, r));
2411 :
2412 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2413 0 : safe_close(cfd);
2414 : }
2415 :
2416 0 : static void socket_run_next(Socket *s) {
2417 : int r;
2418 :
2419 0 : assert(s);
2420 0 : assert(s->control_command);
2421 0 : assert(s->control_command->command_next);
2422 :
2423 0 : socket_unwatch_control_pid(s);
2424 :
2425 0 : s->control_command = s->control_command->command_next;
2426 :
2427 0 : r = socket_spawn(s, s->control_command, &s->control_pid);
2428 0 : if (r < 0)
2429 0 : goto fail;
2430 :
2431 0 : return;
2432 :
2433 0 : fail:
2434 0 : log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
2435 :
2436 0 : if (s->state == SOCKET_START_POST)
2437 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
2438 0 : else if (s->state == SOCKET_STOP_POST)
2439 0 : socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
2440 : else
2441 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
2442 : }
2443 :
2444 0 : static int socket_start(Unit *u) {
2445 0 : Socket *s = SOCKET(u);
2446 : int r;
2447 :
2448 0 : assert(s);
2449 :
2450 : /* We cannot fulfill this request right now, try again later
2451 : * please! */
2452 0 : if (IN_SET(s->state,
2453 : SOCKET_STOP_PRE,
2454 : SOCKET_STOP_PRE_SIGKILL,
2455 : SOCKET_STOP_PRE_SIGTERM,
2456 : SOCKET_STOP_POST,
2457 : SOCKET_FINAL_SIGTERM,
2458 : SOCKET_FINAL_SIGKILL))
2459 0 : return -EAGAIN;
2460 :
2461 : /* Already on it! */
2462 0 : if (IN_SET(s->state,
2463 : SOCKET_START_PRE,
2464 : SOCKET_START_CHOWN,
2465 : SOCKET_START_POST))
2466 0 : return 0;
2467 :
2468 : /* Cannot run this without the service being around */
2469 0 : if (UNIT_ISSET(s->service)) {
2470 : Service *service;
2471 :
2472 0 : service = SERVICE(UNIT_DEREF(s->service));
2473 :
2474 0 : if (UNIT(service)->load_state != UNIT_LOADED) {
2475 0 : log_unit_error(u, "Socket service %s not loaded, refusing.", UNIT(service)->id);
2476 0 : return -ENOENT;
2477 : }
2478 :
2479 : /* If the service is already active we cannot start the
2480 : * socket */
2481 0 : if (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) {
2482 0 : log_unit_error(u, "Socket service %s already active, refusing.", UNIT(service)->id);
2483 0 : return -EBUSY;
2484 : }
2485 : }
2486 :
2487 0 : assert(IN_SET(s->state, SOCKET_DEAD, SOCKET_FAILED));
2488 :
2489 0 : r = unit_test_start_limit(u);
2490 0 : if (r < 0) {
2491 0 : socket_enter_dead(s, SOCKET_FAILURE_START_LIMIT_HIT);
2492 0 : return r;
2493 : }
2494 :
2495 0 : r = unit_acquire_invocation_id(u);
2496 0 : if (r < 0)
2497 0 : return r;
2498 :
2499 0 : s->result = SOCKET_SUCCESS;
2500 0 : exec_command_reset_status_list_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
2501 :
2502 0 : u->reset_accounting = true;
2503 :
2504 0 : socket_enter_start_pre(s);
2505 0 : return 1;
2506 : }
2507 :
2508 0 : static int socket_stop(Unit *u) {
2509 0 : Socket *s = SOCKET(u);
2510 :
2511 0 : assert(s);
2512 :
2513 : /* Already on it */
2514 0 : if (IN_SET(s->state,
2515 : SOCKET_STOP_PRE,
2516 : SOCKET_STOP_PRE_SIGTERM,
2517 : SOCKET_STOP_PRE_SIGKILL,
2518 : SOCKET_STOP_POST,
2519 : SOCKET_FINAL_SIGTERM,
2520 : SOCKET_FINAL_SIGKILL))
2521 0 : return 0;
2522 :
2523 : /* If there's already something running we go directly into
2524 : * kill mode. */
2525 0 : if (IN_SET(s->state,
2526 : SOCKET_START_PRE,
2527 : SOCKET_START_CHOWN,
2528 : SOCKET_START_POST)) {
2529 0 : socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
2530 0 : return -EAGAIN;
2531 : }
2532 :
2533 0 : assert(IN_SET(s->state, SOCKET_LISTENING, SOCKET_RUNNING));
2534 :
2535 0 : socket_enter_stop_pre(s, SOCKET_SUCCESS);
2536 0 : return 1;
2537 : }
2538 :
2539 0 : static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
2540 0 : Socket *s = SOCKET(u);
2541 : SocketPort *p;
2542 : int r;
2543 :
2544 0 : assert(u);
2545 0 : assert(f);
2546 0 : assert(fds);
2547 :
2548 0 : (void) serialize_item(f, "state", socket_state_to_string(s->state));
2549 0 : (void) serialize_item(f, "result", socket_result_to_string(s->result));
2550 0 : (void) serialize_item_format(f, "n-accepted", "%u", s->n_accepted);
2551 0 : (void) serialize_item_format(f, "n-refused", "%u", s->n_refused);
2552 :
2553 0 : if (s->control_pid > 0)
2554 0 : (void) serialize_item_format(f, "control-pid", PID_FMT, s->control_pid);
2555 :
2556 0 : if (s->control_command_id >= 0)
2557 0 : (void) serialize_item(f, "control-command", socket_exec_command_to_string(s->control_command_id));
2558 :
2559 0 : LIST_FOREACH(port, p, s->ports) {
2560 : int copy;
2561 :
2562 0 : if (p->fd < 0)
2563 0 : continue;
2564 :
2565 0 : copy = fdset_put_dup(fds, p->fd);
2566 0 : if (copy < 0)
2567 0 : return log_unit_warning_errno(u, copy, "Failed to serialize socket fd: %m");
2568 :
2569 0 : if (p->type == SOCKET_SOCKET) {
2570 0 : _cleanup_free_ char *t = NULL;
2571 :
2572 0 : r = socket_address_print(&p->address, &t);
2573 0 : if (r < 0)
2574 0 : return log_unit_error_errno(u, r, "Failed to format socket address: %m");
2575 :
2576 0 : if (socket_address_family(&p->address) == AF_NETLINK)
2577 0 : (void) serialize_item_format(f, "netlink", "%i %s", copy, t);
2578 : else
2579 0 : (void) serialize_item_format(f, "socket", "%i %i %s", copy, p->address.type, t);
2580 0 : } else if (p->type == SOCKET_SPECIAL)
2581 0 : (void) serialize_item_format(f, "special", "%i %s", copy, p->path);
2582 0 : else if (p->type == SOCKET_MQUEUE)
2583 0 : (void) serialize_item_format(f, "mqueue", "%i %s", copy, p->path);
2584 0 : else if (p->type == SOCKET_USB_FUNCTION)
2585 0 : (void) serialize_item_format(f, "ffs", "%i %s", copy, p->path);
2586 : else {
2587 0 : assert(p->type == SOCKET_FIFO);
2588 0 : (void) serialize_item_format(f, "fifo", "%i %s", copy, p->path);
2589 : }
2590 : }
2591 :
2592 0 : return 0;
2593 : }
2594 :
2595 0 : static void socket_port_take_fd(SocketPort *p, FDSet *fds, int fd) {
2596 0 : assert(p);
2597 :
2598 0 : safe_close(p->fd);
2599 0 : p->fd = fdset_remove(fds, fd);
2600 0 : }
2601 :
2602 0 : static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
2603 0 : Socket *s = SOCKET(u);
2604 :
2605 0 : assert(u);
2606 0 : assert(key);
2607 0 : assert(value);
2608 :
2609 0 : if (streq(key, "state")) {
2610 : SocketState state;
2611 :
2612 0 : state = socket_state_from_string(value);
2613 0 : if (state < 0)
2614 0 : log_unit_debug(u, "Failed to parse state value: %s", value);
2615 : else
2616 0 : s->deserialized_state = state;
2617 0 : } else if (streq(key, "result")) {
2618 : SocketResult f;
2619 :
2620 0 : f = socket_result_from_string(value);
2621 0 : if (f < 0)
2622 0 : log_unit_debug(u, "Failed to parse result value: %s", value);
2623 0 : else if (f != SOCKET_SUCCESS)
2624 0 : s->result = f;
2625 :
2626 0 : } else if (streq(key, "n-accepted")) {
2627 : unsigned k;
2628 :
2629 0 : if (safe_atou(value, &k) < 0)
2630 0 : log_unit_debug(u, "Failed to parse n-accepted value: %s", value);
2631 : else
2632 0 : s->n_accepted += k;
2633 0 : } else if (streq(key, "n-refused")) {
2634 : unsigned k;
2635 :
2636 0 : if (safe_atou(value, &k) < 0)
2637 0 : log_unit_debug(u, "Failed to parse n-refused value: %s", value);
2638 : else
2639 0 : s->n_refused += k;
2640 0 : } else if (streq(key, "control-pid")) {
2641 : pid_t pid;
2642 :
2643 0 : if (parse_pid(value, &pid) < 0)
2644 0 : log_unit_debug(u, "Failed to parse control-pid value: %s", value);
2645 : else
2646 0 : s->control_pid = pid;
2647 0 : } else if (streq(key, "control-command")) {
2648 : SocketExecCommand id;
2649 :
2650 0 : id = socket_exec_command_from_string(value);
2651 0 : if (id < 0)
2652 0 : log_unit_debug(u, "Failed to parse exec-command value: %s", value);
2653 : else {
2654 0 : s->control_command_id = id;
2655 0 : s->control_command = s->exec_command[id];
2656 : }
2657 0 : } else if (streq(key, "fifo")) {
2658 0 : int fd, skip = 0;
2659 : SocketPort *p;
2660 :
2661 0 : if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2662 0 : log_unit_debug(u, "Failed to parse fifo value: %s", value);
2663 : else
2664 0 : LIST_FOREACH(port, p, s->ports)
2665 0 : if (p->type == SOCKET_FIFO &&
2666 0 : path_equal_or_files_same(p->path, value+skip, 0)) {
2667 0 : socket_port_take_fd(p, fds, fd);
2668 0 : break;
2669 : }
2670 :
2671 0 : } else if (streq(key, "special")) {
2672 0 : int fd, skip = 0;
2673 : SocketPort *p;
2674 :
2675 0 : if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2676 0 : log_unit_debug(u, "Failed to parse special value: %s", value);
2677 : else
2678 0 : LIST_FOREACH(port, p, s->ports)
2679 0 : if (p->type == SOCKET_SPECIAL &&
2680 0 : path_equal_or_files_same(p->path, value+skip, 0)) {
2681 0 : socket_port_take_fd(p, fds, fd);
2682 0 : break;
2683 : }
2684 :
2685 0 : } else if (streq(key, "mqueue")) {
2686 0 : int fd, skip = 0;
2687 : SocketPort *p;
2688 :
2689 0 : if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2690 0 : log_unit_debug(u, "Failed to parse mqueue value: %s", value);
2691 : else
2692 0 : LIST_FOREACH(port, p, s->ports)
2693 0 : if (p->type == SOCKET_MQUEUE &&
2694 0 : streq(p->path, value+skip)) {
2695 0 : socket_port_take_fd(p, fds, fd);
2696 0 : break;
2697 : }
2698 :
2699 0 : } else if (streq(key, "socket")) {
2700 0 : int fd, type, skip = 0;
2701 : SocketPort *p;
2702 :
2703 0 : if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
2704 0 : log_unit_debug(u, "Failed to parse socket value: %s", value);
2705 : else
2706 0 : LIST_FOREACH(port, p, s->ports)
2707 0 : if (socket_address_is(&p->address, value+skip, type)) {
2708 0 : socket_port_take_fd(p, fds, fd);
2709 0 : break;
2710 : }
2711 :
2712 0 : } else if (streq(key, "netlink")) {
2713 0 : int fd, skip = 0;
2714 : SocketPort *p;
2715 :
2716 0 : if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2717 0 : log_unit_debug(u, "Failed to parse socket value: %s", value);
2718 : else
2719 0 : LIST_FOREACH(port, p, s->ports)
2720 0 : if (socket_address_is_netlink(&p->address, value+skip)) {
2721 0 : socket_port_take_fd(p, fds, fd);
2722 0 : break;
2723 : }
2724 :
2725 0 : } else if (streq(key, "ffs")) {
2726 0 : int fd, skip = 0;
2727 : SocketPort *p;
2728 :
2729 0 : if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
2730 0 : log_unit_debug(u, "Failed to parse ffs value: %s", value);
2731 : else
2732 0 : LIST_FOREACH(port, p, s->ports)
2733 0 : if (p->type == SOCKET_USB_FUNCTION &&
2734 0 : path_equal_or_files_same(p->path, value+skip, 0)) {
2735 0 : socket_port_take_fd(p, fds, fd);
2736 0 : break;
2737 : }
2738 :
2739 : } else
2740 0 : log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
2741 :
2742 0 : return 0;
2743 : }
2744 :
2745 0 : static void socket_distribute_fds(Unit *u, FDSet *fds) {
2746 0 : Socket *s = SOCKET(u);
2747 : SocketPort *p;
2748 :
2749 0 : assert(u);
2750 :
2751 0 : LIST_FOREACH(port, p, s->ports) {
2752 : Iterator i;
2753 : int fd;
2754 :
2755 0 : if (p->type != SOCKET_SOCKET)
2756 0 : continue;
2757 :
2758 0 : if (p->fd >= 0)
2759 0 : continue;
2760 :
2761 0 : FDSET_FOREACH(fd, fds, i) {
2762 0 : if (socket_address_matches_fd(&p->address, fd)) {
2763 0 : p->fd = fdset_remove(fds, fd);
2764 0 : s->deserialized_state = SOCKET_LISTENING;
2765 0 : break;
2766 : }
2767 : }
2768 : }
2769 0 : }
2770 :
2771 0 : _pure_ static UnitActiveState socket_active_state(Unit *u) {
2772 0 : assert(u);
2773 :
2774 0 : return state_translation_table[SOCKET(u)->state];
2775 : }
2776 :
2777 0 : _pure_ static const char *socket_sub_state_to_string(Unit *u) {
2778 0 : assert(u);
2779 :
2780 0 : return socket_state_to_string(SOCKET(u)->state);
2781 : }
2782 :
2783 0 : const char* socket_port_type_to_string(SocketPort *p) {
2784 :
2785 0 : assert(p);
2786 :
2787 0 : switch (p->type) {
2788 :
2789 0 : case SOCKET_SOCKET:
2790 :
2791 0 : switch (p->address.type) {
2792 :
2793 0 : case SOCK_STREAM:
2794 0 : return "Stream";
2795 :
2796 0 : case SOCK_DGRAM:
2797 0 : return "Datagram";
2798 :
2799 0 : case SOCK_SEQPACKET:
2800 0 : return "SequentialPacket";
2801 :
2802 0 : case SOCK_RAW:
2803 0 : if (socket_address_family(&p->address) == AF_NETLINK)
2804 0 : return "Netlink";
2805 :
2806 : _fallthrough_;
2807 : default:
2808 0 : return NULL;
2809 : }
2810 :
2811 0 : case SOCKET_SPECIAL:
2812 0 : return "Special";
2813 :
2814 0 : case SOCKET_MQUEUE:
2815 0 : return "MessageQueue";
2816 :
2817 0 : case SOCKET_FIFO:
2818 0 : return "FIFO";
2819 :
2820 0 : case SOCKET_USB_FUNCTION:
2821 0 : return "USBFunction";
2822 :
2823 0 : default:
2824 0 : return NULL;
2825 : }
2826 : }
2827 :
2828 0 : SocketType socket_port_type_from_string(const char *s) {
2829 0 : assert(s);
2830 :
2831 0 : if (STR_IN_SET(s, "Stream", "Datagram", "SequentialPacket", "Netlink"))
2832 0 : return SOCKET_SOCKET;
2833 0 : else if (streq(s, "Special"))
2834 0 : return SOCKET_SPECIAL;
2835 0 : else if (streq(s, "MessageQueue"))
2836 0 : return SOCKET_MQUEUE;
2837 0 : else if (streq(s, "FIFO"))
2838 0 : return SOCKET_FIFO;
2839 0 : else if (streq(s, "USBFunction"))
2840 0 : return SOCKET_USB_FUNCTION;
2841 : else
2842 0 : return _SOCKET_TYPE_INVALID;
2843 : }
2844 :
2845 0 : _pure_ static bool socket_may_gc(Unit *u) {
2846 0 : Socket *s = SOCKET(u);
2847 :
2848 0 : assert(u);
2849 :
2850 0 : return s->n_connections == 0;
2851 : }
2852 :
2853 0 : static int socket_accept_do(Socket *s, int fd) {
2854 : int cfd;
2855 :
2856 0 : assert(s);
2857 0 : assert(fd >= 0);
2858 :
2859 0 : cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK|SOCK_CLOEXEC);
2860 0 : if (cfd < 0)
2861 : /* Convert transient network errors into clean and well-defined EAGAIN */
2862 0 : return ERRNO_IS_ACCEPT_AGAIN(errno) ? -EAGAIN : -errno;
2863 :
2864 0 : return cfd;
2865 : }
2866 :
2867 0 : static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
2868 0 : _cleanup_close_pair_ int pair[2] = { -1, -1 };
2869 : int cfd, r;
2870 : pid_t pid;
2871 :
2872 0 : assert(s);
2873 0 : assert(p);
2874 0 : assert(fd >= 0);
2875 :
2876 : /* Similar to socket_address_listen_in_cgroup(), but for accept() rather than socket(): make sure that any
2877 : * connection socket is also properly associated with the cgroup. */
2878 :
2879 0 : if (!IN_SET(p->address.sockaddr.sa.sa_family, AF_INET, AF_INET6))
2880 0 : goto shortcut;
2881 :
2882 0 : r = bpf_firewall_supported();
2883 0 : if (r < 0)
2884 0 : return r;
2885 0 : if (r == BPF_FIREWALL_UNSUPPORTED)
2886 0 : goto shortcut;
2887 :
2888 0 : if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
2889 0 : return log_unit_error_errno(UNIT(s), errno, "Failed to create communication channel: %m");
2890 :
2891 0 : r = unit_fork_helper_process(UNIT(s), "(sd-accept)", &pid);
2892 0 : if (r < 0)
2893 0 : return log_unit_error_errno(UNIT(s), r, "Failed to fork off accept stub process: %m");
2894 0 : if (r == 0) {
2895 : /* Child */
2896 :
2897 0 : pair[0] = safe_close(pair[0]);
2898 :
2899 0 : cfd = socket_accept_do(s, fd);
2900 0 : if (cfd == -EAGAIN) /* spurious accept() */
2901 0 : _exit(EXIT_SUCCESS);
2902 0 : if (cfd < 0) {
2903 0 : log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2904 0 : _exit(EXIT_FAILURE);
2905 : }
2906 :
2907 0 : r = send_one_fd(pair[1], cfd, 0);
2908 0 : if (r < 0) {
2909 0 : log_unit_error_errno(UNIT(s), r, "Failed to send connection socket to parent: %m");
2910 0 : _exit(EXIT_FAILURE);
2911 : }
2912 :
2913 0 : _exit(EXIT_SUCCESS);
2914 : }
2915 :
2916 0 : pair[1] = safe_close(pair[1]);
2917 0 : cfd = receive_one_fd(pair[0], 0);
2918 :
2919 : /* We synchronously wait for the helper, as it shouldn't be slow */
2920 0 : r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
2921 0 : if (r < 0) {
2922 0 : safe_close(cfd);
2923 0 : return r;
2924 : }
2925 :
2926 : /* If we received no fd, we got EIO here. If this happens with a process exit code of EXIT_SUCCESS
2927 : * this is a spurious accept(), let's convert that back to EAGAIN here. */
2928 0 : if (cfd == -EIO)
2929 0 : return -EAGAIN;
2930 0 : if (cfd < 0)
2931 0 : return log_unit_error_errno(UNIT(s), cfd, "Failed to receive connection socket: %m");
2932 :
2933 0 : return cfd;
2934 :
2935 0 : shortcut:
2936 0 : cfd = socket_accept_do(s, fd);
2937 0 : if (cfd == -EAGAIN) /* spurious accept(), skip it silently */
2938 0 : return -EAGAIN;
2939 0 : if (cfd < 0)
2940 0 : return log_unit_error_errno(UNIT(s), cfd, "Failed to accept connection socket: %m");
2941 :
2942 0 : return cfd;
2943 : }
2944 :
2945 0 : static int socket_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
2946 0 : SocketPort *p = userdata;
2947 0 : int cfd = -1;
2948 :
2949 0 : assert(p);
2950 0 : assert(fd >= 0);
2951 :
2952 0 : if (p->socket->state != SOCKET_LISTENING)
2953 0 : return 0;
2954 :
2955 0 : log_unit_debug(UNIT(p->socket), "Incoming traffic");
2956 :
2957 0 : if (revents != EPOLLIN) {
2958 0 : if (revents & EPOLLHUP)
2959 0 : log_unit_error(UNIT(p->socket), "Got POLLHUP on a listening socket. The service probably invoked shutdown() on it, and should better not do that.");
2960 : else
2961 0 : log_unit_error(UNIT(p->socket), "Got unexpected poll event (0x%x) on socket.", revents);
2962 0 : goto fail;
2963 : }
2964 :
2965 0 : if (p->socket->accept &&
2966 0 : p->type == SOCKET_SOCKET &&
2967 0 : socket_address_can_accept(&p->address)) {
2968 :
2969 0 : cfd = socket_accept_in_cgroup(p->socket, p, fd);
2970 0 : if (cfd == -EAGAIN) /* Spurious accept() */
2971 0 : return 0;
2972 0 : if (cfd < 0)
2973 0 : goto fail;
2974 :
2975 0 : socket_apply_socket_options(p->socket, cfd);
2976 : }
2977 :
2978 0 : socket_enter_running(p->socket, cfd);
2979 0 : return 0;
2980 :
2981 0 : fail:
2982 0 : socket_enter_stop_pre(p->socket, SOCKET_FAILURE_RESOURCES);
2983 0 : return 0;
2984 : }
2985 :
2986 0 : static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
2987 0 : Socket *s = SOCKET(u);
2988 : SocketResult f;
2989 :
2990 0 : assert(s);
2991 0 : assert(pid >= 0);
2992 :
2993 0 : if (pid != s->control_pid)
2994 0 : return;
2995 :
2996 0 : s->control_pid = 0;
2997 :
2998 0 : if (is_clean_exit(code, status, EXIT_CLEAN_COMMAND, NULL))
2999 0 : f = SOCKET_SUCCESS;
3000 0 : else if (code == CLD_EXITED)
3001 0 : f = SOCKET_FAILURE_EXIT_CODE;
3002 0 : else if (code == CLD_KILLED)
3003 0 : f = SOCKET_FAILURE_SIGNAL;
3004 0 : else if (code == CLD_DUMPED)
3005 0 : f = SOCKET_FAILURE_CORE_DUMP;
3006 : else
3007 0 : assert_not_reached("Unknown sigchld code");
3008 :
3009 0 : if (s->control_command) {
3010 0 : exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
3011 :
3012 0 : if (s->control_command->flags & EXEC_COMMAND_IGNORE_FAILURE)
3013 0 : f = SOCKET_SUCCESS;
3014 : }
3015 :
3016 0 : unit_log_process_exit(
3017 : u,
3018 : "Control process",
3019 : socket_exec_command_to_string(s->control_command_id),
3020 : f == SOCKET_SUCCESS,
3021 : code, status);
3022 :
3023 0 : if (s->result == SOCKET_SUCCESS)
3024 0 : s->result = f;
3025 :
3026 0 : if (s->control_command &&
3027 0 : s->control_command->command_next &&
3028 : f == SOCKET_SUCCESS) {
3029 :
3030 0 : log_unit_debug(u, "Running next command for state %s", socket_state_to_string(s->state));
3031 0 : socket_run_next(s);
3032 : } else {
3033 0 : s->control_command = NULL;
3034 0 : s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
3035 :
3036 : /* No further commands for this step, so let's figure
3037 : * out what to do next */
3038 :
3039 0 : log_unit_debug(u, "Got final SIGCHLD for state %s", socket_state_to_string(s->state));
3040 :
3041 0 : switch (s->state) {
3042 :
3043 0 : case SOCKET_START_PRE:
3044 0 : if (f == SOCKET_SUCCESS)
3045 0 : socket_enter_start_chown(s);
3046 : else
3047 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
3048 0 : break;
3049 :
3050 0 : case SOCKET_START_CHOWN:
3051 0 : if (f == SOCKET_SUCCESS)
3052 0 : socket_enter_start_post(s);
3053 : else
3054 0 : socket_enter_stop_pre(s, f);
3055 0 : break;
3056 :
3057 0 : case SOCKET_START_POST:
3058 0 : if (f == SOCKET_SUCCESS)
3059 0 : socket_enter_listening(s);
3060 : else
3061 0 : socket_enter_stop_pre(s, f);
3062 0 : break;
3063 :
3064 0 : case SOCKET_STOP_PRE:
3065 : case SOCKET_STOP_PRE_SIGTERM:
3066 : case SOCKET_STOP_PRE_SIGKILL:
3067 0 : socket_enter_stop_post(s, f);
3068 0 : break;
3069 :
3070 0 : case SOCKET_STOP_POST:
3071 : case SOCKET_FINAL_SIGTERM:
3072 : case SOCKET_FINAL_SIGKILL:
3073 0 : socket_enter_dead(s, f);
3074 0 : break;
3075 :
3076 0 : default:
3077 0 : assert_not_reached("Uh, control process died at wrong time.");
3078 : }
3079 : }
3080 :
3081 : /* Notify clients about changed exit status */
3082 0 : unit_add_to_dbus_queue(u);
3083 : }
3084 :
3085 0 : static int socket_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata) {
3086 0 : Socket *s = SOCKET(userdata);
3087 :
3088 0 : assert(s);
3089 0 : assert(s->timer_event_source == source);
3090 :
3091 0 : switch (s->state) {
3092 :
3093 0 : case SOCKET_START_PRE:
3094 0 : log_unit_warning(UNIT(s), "Starting timed out. Terminating.");
3095 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3096 0 : break;
3097 :
3098 0 : case SOCKET_START_CHOWN:
3099 : case SOCKET_START_POST:
3100 0 : log_unit_warning(UNIT(s), "Starting timed out. Stopping.");
3101 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
3102 0 : break;
3103 :
3104 0 : case SOCKET_STOP_PRE:
3105 0 : log_unit_warning(UNIT(s), "Stopping timed out. Terminating.");
3106 0 : socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3107 0 : break;
3108 :
3109 0 : case SOCKET_STOP_PRE_SIGTERM:
3110 0 : if (s->kill_context.send_sigkill) {
3111 0 : log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
3112 0 : socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3113 : } else {
3114 0 : log_unit_warning(UNIT(s), "Stopping timed out. Skipping SIGKILL. Ignoring.");
3115 0 : socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3116 : }
3117 0 : break;
3118 :
3119 0 : case SOCKET_STOP_PRE_SIGKILL:
3120 0 : log_unit_warning(UNIT(s), "Processes still around after SIGKILL. Ignoring.");
3121 0 : socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
3122 0 : break;
3123 :
3124 0 : case SOCKET_STOP_POST:
3125 0 : log_unit_warning(UNIT(s), "Stopping timed out (2). Terminating.");
3126 0 : socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
3127 0 : break;
3128 :
3129 0 : case SOCKET_FINAL_SIGTERM:
3130 0 : if (s->kill_context.send_sigkill) {
3131 0 : log_unit_warning(UNIT(s), "Stopping timed out (2). Killing.");
3132 0 : socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
3133 : } else {
3134 0 : log_unit_warning(UNIT(s), "Stopping timed out (2). Skipping SIGKILL. Ignoring.");
3135 0 : socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3136 : }
3137 0 : break;
3138 :
3139 0 : case SOCKET_FINAL_SIGKILL:
3140 0 : log_unit_warning(UNIT(s), "Still around after SIGKILL (2). Entering failed mode.");
3141 0 : socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
3142 0 : break;
3143 :
3144 0 : default:
3145 0 : assert_not_reached("Timeout at wrong time.");
3146 : }
3147 :
3148 0 : return 0;
3149 : }
3150 :
3151 0 : int socket_collect_fds(Socket *s, int **fds) {
3152 0 : size_t k = 0, n = 0;
3153 : SocketPort *p;
3154 : int *rfds;
3155 :
3156 0 : assert(s);
3157 0 : assert(fds);
3158 :
3159 : /* Called from the service code for requesting our fds */
3160 :
3161 0 : LIST_FOREACH(port, p, s->ports) {
3162 0 : if (p->fd >= 0)
3163 0 : n++;
3164 0 : n += p->n_auxiliary_fds;
3165 : }
3166 :
3167 0 : if (n <= 0) {
3168 0 : *fds = NULL;
3169 0 : return 0;
3170 : }
3171 :
3172 0 : rfds = new(int, n);
3173 0 : if (!rfds)
3174 0 : return -ENOMEM;
3175 :
3176 0 : LIST_FOREACH(port, p, s->ports) {
3177 : size_t i;
3178 :
3179 0 : if (p->fd >= 0)
3180 0 : rfds[k++] = p->fd;
3181 0 : for (i = 0; i < p->n_auxiliary_fds; ++i)
3182 0 : rfds[k++] = p->auxiliary_fds[i];
3183 : }
3184 :
3185 0 : assert(k == n);
3186 :
3187 0 : *fds = rfds;
3188 0 : return (int) n;
3189 : }
3190 :
3191 0 : static void socket_reset_failed(Unit *u) {
3192 0 : Socket *s = SOCKET(u);
3193 :
3194 0 : assert(s);
3195 :
3196 0 : if (s->state == SOCKET_FAILED)
3197 0 : socket_set_state(s, SOCKET_DEAD);
3198 :
3199 0 : s->result = SOCKET_SUCCESS;
3200 0 : }
3201 :
3202 0 : void socket_connection_unref(Socket *s) {
3203 0 : assert(s);
3204 :
3205 : /* The service is dead. Yay!
3206 : *
3207 : * This is strictly for one-instance-per-connection
3208 : * services. */
3209 :
3210 0 : assert(s->n_connections > 0);
3211 0 : s->n_connections--;
3212 :
3213 0 : log_unit_debug(UNIT(s), "One connection closed, %u left.", s->n_connections);
3214 0 : }
3215 :
3216 0 : static void socket_trigger_notify(Unit *u, Unit *other) {
3217 0 : Socket *s = SOCKET(u);
3218 :
3219 0 : assert(u);
3220 0 : assert(other);
3221 :
3222 : /* Filter out invocations with bogus state */
3223 0 : if (other->load_state != UNIT_LOADED || other->type != UNIT_SERVICE)
3224 0 : return;
3225 :
3226 : /* Don't propagate state changes from the service if we are already down */
3227 0 : if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
3228 0 : return;
3229 :
3230 : /* We don't care for the service state if we are in Accept=yes mode */
3231 0 : if (s->accept)
3232 0 : return;
3233 :
3234 : /* Propagate start limit hit state */
3235 0 : if (other->start_limit_hit) {
3236 0 : socket_enter_stop_pre(s, SOCKET_FAILURE_SERVICE_START_LIMIT_HIT);
3237 0 : return;
3238 : }
3239 :
3240 : /* Don't propagate anything if there's still a job queued */
3241 0 : if (other->job)
3242 0 : return;
3243 :
3244 0 : if (IN_SET(SERVICE(other)->state,
3245 : SERVICE_DEAD, SERVICE_FAILED,
3246 : SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
3247 : SERVICE_AUTO_RESTART))
3248 0 : socket_enter_listening(s);
3249 :
3250 0 : if (SERVICE(other)->state == SERVICE_RUNNING)
3251 0 : socket_set_state(s, SOCKET_RUNNING);
3252 : }
3253 :
3254 0 : static int socket_kill(Unit *u, KillWho who, int signo, sd_bus_error *error) {
3255 0 : return unit_kill_common(u, who, signo, -1, SOCKET(u)->control_pid, error);
3256 : }
3257 :
3258 0 : static int socket_get_timeout(Unit *u, usec_t *timeout) {
3259 0 : Socket *s = SOCKET(u);
3260 : usec_t t;
3261 : int r;
3262 :
3263 0 : if (!s->timer_event_source)
3264 0 : return 0;
3265 :
3266 0 : r = sd_event_source_get_time(s->timer_event_source, &t);
3267 0 : if (r < 0)
3268 0 : return r;
3269 0 : if (t == USEC_INFINITY)
3270 0 : return 0;
3271 :
3272 0 : *timeout = t;
3273 0 : return 1;
3274 : }
3275 :
3276 0 : char *socket_fdname(Socket *s) {
3277 0 : assert(s);
3278 :
3279 : /* Returns the name to use for $LISTEN_NAMES. If the user
3280 : * didn't specify anything specifically, use the socket unit's
3281 : * name as fallback. */
3282 :
3283 0 : return s->fdname ?: UNIT(s)->id;
3284 : }
3285 :
3286 0 : static int socket_control_pid(Unit *u) {
3287 0 : Socket *s = SOCKET(u);
3288 :
3289 0 : assert(s);
3290 :
3291 0 : return s->control_pid;
3292 : }
3293 :
3294 : static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
3295 : [SOCKET_EXEC_START_PRE] = "ExecStartPre",
3296 : [SOCKET_EXEC_START_CHOWN] = "ExecStartChown",
3297 : [SOCKET_EXEC_START_POST] = "ExecStartPost",
3298 : [SOCKET_EXEC_STOP_PRE] = "ExecStopPre",
3299 : [SOCKET_EXEC_STOP_POST] = "ExecStopPost"
3300 : };
3301 :
3302 14 : DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
3303 :
3304 : static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
3305 : [SOCKET_SUCCESS] = "success",
3306 : [SOCKET_FAILURE_RESOURCES] = "resources",
3307 : [SOCKET_FAILURE_TIMEOUT] = "timeout",
3308 : [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
3309 : [SOCKET_FAILURE_SIGNAL] = "signal",
3310 : [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
3311 : [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
3312 : [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
3313 : [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
3314 : };
3315 :
3316 22 : DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
3317 :
3318 : const UnitVTable socket_vtable = {
3319 : .object_size = sizeof(Socket),
3320 : .exec_context_offset = offsetof(Socket, exec_context),
3321 : .cgroup_context_offset = offsetof(Socket, cgroup_context),
3322 : .kill_context_offset = offsetof(Socket, kill_context),
3323 : .exec_runtime_offset = offsetof(Socket, exec_runtime),
3324 : .dynamic_creds_offset = offsetof(Socket, dynamic_creds),
3325 :
3326 : .sections =
3327 : "Unit\0"
3328 : "Socket\0"
3329 : "Install\0",
3330 : .private_section = "Socket",
3331 :
3332 : .can_transient = true,
3333 :
3334 : .init = socket_init,
3335 : .done = socket_done,
3336 : .load = socket_load,
3337 :
3338 : .coldplug = socket_coldplug,
3339 :
3340 : .dump = socket_dump,
3341 :
3342 : .start = socket_start,
3343 : .stop = socket_stop,
3344 :
3345 : .kill = socket_kill,
3346 :
3347 : .get_timeout = socket_get_timeout,
3348 :
3349 : .serialize = socket_serialize,
3350 : .deserialize_item = socket_deserialize_item,
3351 : .distribute_fds = socket_distribute_fds,
3352 :
3353 : .active_state = socket_active_state,
3354 : .sub_state_to_string = socket_sub_state_to_string,
3355 :
3356 : .may_gc = socket_may_gc,
3357 :
3358 : .sigchld_event = socket_sigchld_event,
3359 :
3360 : .trigger_notify = socket_trigger_notify,
3361 :
3362 : .reset_failed = socket_reset_failed,
3363 :
3364 : .control_pid = socket_control_pid,
3365 :
3366 : .bus_vtable = bus_socket_vtable,
3367 : .bus_set_property = bus_socket_set_property,
3368 : .bus_commit_properties = bus_socket_commit_properties,
3369 :
3370 : .status_message_formats = {
3371 : /*.starting_stopping = {
3372 : [0] = "Starting socket %s...",
3373 : [1] = "Stopping socket %s...",
3374 : },*/
3375 : .finished_start_job = {
3376 : [JOB_DONE] = "Listening on %s.",
3377 : [JOB_FAILED] = "Failed to listen on %s.",
3378 : [JOB_TIMEOUT] = "Timed out starting %s.",
3379 : },
3380 : .finished_stop_job = {
3381 : [JOB_DONE] = "Closed %s.",
3382 : [JOB_FAILED] = "Failed stopping %s.",
3383 : [JOB_TIMEOUT] = "Timed out stopping %s.",
3384 : },
3385 : },
3386 : };
|
