The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
fd_open.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: de9bf19f03023945b3fa8cca02196fb26d055596 $
19 * @file lib/bio/fd_open.c
20 * @brief BIO abstractions for opening file descriptors
21 *
22 * @copyright 2024 Network RADIUS SAS (legal@networkradius.com)
23 */
24
25#include <freeradius-devel/bio/fd_priv.h>
26#include <freeradius-devel/util/file.h>
27#include <freeradius-devel/util/cap.h>
28#include <freeradius-devel/util/rand.h>
29
30#include <sys/stat.h>
31#include <net/if.h>
32#include <fcntl.h>
33#include <libgen.h>
34#include <netinet/tcp.h>
35#include <netinet/in.h>
36
37/** Initialize common datagram information
38 *
39 */
40static int fr_bio_fd_common_tcp(int fd, UNUSED fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
41{
42 int on = 1;
43
44#ifdef SO_KEEPALIVE
45 /*
46 * TCP keepalives are always a good idea. Too many people put firewalls between critical
47 * systems, and then the firewalls drop live TCP streams.
48 */
49 if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) {
50 fr_strerror_printf("Failed setting SO_KEEPALIVE: %s", fr_syserror(errno));
51 return -1;
52 }
53#endif
54
55#ifdef TCP_NODELAY
56 /*
57 * Add some defines for *BSD, and Solaris systems.
58 */
59# if !defined(SOL_TCP) && defined(IPPROTO_TCP)
60# define SOL_TCP IPPROTO_TCP
61# endif
62
63 /*
64 * Also set TCP_NODELAY, to force the data to be written quickly.
65 *
66 * We buffer full packets in memory before we write them, so there's no reason for the kernel to
67 * sit around waiting for more data from us.
68 */
69 if (!cfg->tcp_delay) {
70 if (setsockopt(fd, SOL_TCP, TCP_NODELAY, &on, sizeof(on)) < 0) {
71 fr_strerror_printf("Failed setting TCP_NODELAY: %s", fr_syserror(errno));
72 return -1;
73 }
74 }
75#endif
76
77 return 0;
78}
79
80
81/** Initialize common datagram information
82 *
83 */
84static int fr_bio_fd_common_datagram(int fd, UNUSED fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
85{
86 int on = 1;
87
88#ifdef SO_TIMESTAMPNS
89 /*
90 * Enable receive timestamps, these should reflect
91 * when the packet was received, not when it was read
92 * from the socket.
93 */
94 if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPNS, &on, sizeof(int)) < 0) {
95 fr_strerror_printf("Failed setting SO_TIMESTAMPNS: %s", fr_syserror(errno));
96 return -1;
97 }
98
99#elif defined(SO_TIMESTAMP)
100 /*
101 * Enable receive timestamps, these should reflect
102 * when the packet was received, not when it was read
103 * from the socket.
104 */
105 if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(int)) < 0) {
106 fr_strerror_printf("Failed setting SO_TIMESTAMP: %s", fr_syserror(errno));
107 return -1;
108 }
109#endif
110
111
112#ifdef SO_RCVBUF
113 if (cfg->recv_buff) {
114 int opt = cfg->recv_buff;
115
116 /*
117 * Clamp value to something reasonable.
118 */
119 if (opt > (1 << 29)) opt = (1 << 29);
120
121 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt)) < 0) {
122 fr_strerror_printf("Failed setting SO_RCVBUF: %s", fr_syserror(errno));
123 return -1;
124 }
125 }
126#endif
127
128#ifdef SO_SNDBUF
129 if (cfg->send_buff) {
130 int opt = cfg->send_buff;
131
132 /*
133 * Clamp value to something reasonable.
134 */
135 if (opt > (1 << 29)) opt = (1 << 29);
136
137 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &opt, sizeof(opt)) < 0) {
138 fr_strerror_printf("Failed setting SO_SNDBUF: %s", fr_syserror(errno));
139 return -1;
140 }
141 }
142#endif
143
144 return 0;
145}
146
147/** Initialize a UDP socket.
148 *
149 */
150static int fr_bio_fd_common_udp(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
151{
152#ifdef SO_REUSEPORT
153 /*
154 * Servers re-use ports by default. And clients, too, if they ask nicely.
155 */
156 if (cfg->reuse_port) {
157 int on = 1;
158
159 /*
160 * Set SO_REUSEPORT before bind, so that all sockets can
161 * listen on the same destination IP address.
162 */
163 if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) < 0) {
164 fr_strerror_printf("Failed setting SO_REUSEPORT: %s", fr_syserror(errno));
165 return -1;
166 }
167 }
168#endif
169
170 /*
171 * IPv4 fragments packets. IPv6 does not.
172 *
173 * Many systems set the "don't fragment" bit by default for IPv4. This setting means that "too
174 * large" packets are silently discarded in the network.
175 *
176 * Many local networks support UDP fragmentation, so we just send packets and hope for the best.
177 * In order to support local networks, we disable the "don't fragment" bit.
178 *
179 * The wider Internet does not support UDP fragmentation. This means that fragmented packets are
180 * silently discarded.
181 *
182 * @todo - add more code to properly handle EMSGSIZE for PMTUD. We can then also do
183 * getsockopt(fd,IP_MTU,&integer) to get the current path MTU. It can only be used after the
184 * socket has been connected. It should also be called after an EMSGSIZE error is returned.
185 *
186 * getsockopt(fd,IP_MTU,&integer) can also be used for unconnected sockets, if we also set
187 * IP_RECVERR. In which case the errors are put into an error queue. This is only for Linux.
188 */
189 if ((sock->af == AF_INET) && cfg->exceed_mtu) {
190#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
191 /*
192 * Disable PMTU discovery. On Linux, this also makes sure that the "don't
193 * fragment" flag is zero.
194 */
195 {
196 int flag = IP_PMTUDISC_DONT;
197
198 if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &flag, sizeof(flag)) < 0) {
199 fr_strerror_printf("Failed setting IP_MTU_DISCOVER: %s", fr_syserror(errno));
200 return -1;
201 }
202 }
203#endif
204
205#if defined(IP_DONTFRAG)
206 /*
207 * Ensure that the "don't fragment" flag is zero.
208 */
209 {
210 int off = 0;
211
212 if (setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &off, sizeof(off)) < 0) {
213 fr_strerror_printf("Failed setting IP_DONTFRAG: %s", fr_syserror(errno));
214 return -1;
215 }
216 }
217#endif
218 }
219
220 return fr_bio_fd_common_datagram(fd, sock, cfg);
221}
222
223/** Initialize a TCP server socket.
224 *
225 */
226static int fr_bio_fd_server_tcp(int fd, UNUSED fr_socket_t const *sock)
227{
228 int on = 1;
229
230 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) {
231 fr_strerror_printf("Failed setting SO_REUSEADDR: %s", fr_syserror(errno));
232 return -1;
233 }
234
235 return 0;
236}
237
238/** Initialize an IPv4 server socket.
239 *
240 */
241static int fr_bio_fd_server_ipv4(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
242{
243 /*
244 * And set up any UDP / TCP specific information.
245 */
246 if (sock->type == SOCK_DGRAM) return fr_bio_fd_common_udp(fd, sock, cfg);
247
248 return fr_bio_fd_server_tcp(fd, sock);
249}
250
251/** Initialize an IPv6 server socket.
252 *
253 */
254static int fr_bio_fd_server_ipv6(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
255{
256#ifdef IPV6_V6ONLY
257 /*
258 * Don't allow v4 packets on v6 connections.
259 */
260 if (IN6_IS_ADDR_UNSPECIFIED(UNCONST(struct in6_addr *, &sock->inet.src_ipaddr.addr.v6))) {
261 int on = 1;
262
263 if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&on, sizeof(on)) < 0) {
264 fr_strerror_printf("Failed setting IPV6_ONLY: %s", fr_syserror(errno));
265 return -1;
266 }
267 }
268#endif /* IPV6_V6ONLY */
269
270 /*
271 * And set up any UDP / TCP specific information.
272 */
273 if (sock->type == SOCK_DGRAM) return fr_bio_fd_common_udp(fd, sock, cfg);
274
275 return fr_bio_fd_server_tcp(fd, sock);
276}
277
278/** Verify or clean up a pre-existing domain socket.
279 *
280 */
281static int fr_bio_fd_socket_unix_verify(int dirfd, char const *filename, fr_bio_fd_config_t const *cfg)
282{
283 int fd;
284 struct stat buf;
285
286 /*
287 * See if the socket exits. If there's an error opening it, that's an issue.
288 *
289 * If it doesn't exist, that's fine.
290 */
291 if (fstatat(dirfd, filename, &buf, AT_SYMLINK_NOFOLLOW) < 0) {
292 if (errno != ENOENT) {
293 fr_strerror_printf("Failed opening domain socket %s: %s", cfg->path, fr_syserror(errno));
294 return -1;
295 }
296
297 return 0;
298 }
299
300 /*
301 * If it exists, it must be a socket.
302 */
303 if (!S_ISSOCK(buf.st_mode)) {
304 fr_strerror_printf("Failed open domain socket %s: it is not a socket", filename);
305 return -1;
306 }
307
308 /*
309 * Refuse to open sockets not owned by us. This prevents configurations from stomping on each
310 * other.
311 */
312 if (buf.st_uid != cfg->uid) {
313 fr_strerror_printf("Failed opening domain socket %s: incorrect UID", cfg->path);
314 return -1;
315 }
316
317 /*
318 * The file exists,and someone is listening. We can't claim it for ourselves.
319 *
320 * Note that this function calls connect(), but connect() always returns immediately for domain
321 * sockets.
322 *
323 * @todo - redo that function here, with separate checks for permission errors vs anything else.
324 */
325 fd = fr_socket_client_unix(cfg->path, false);
326 if (fd >= 0) {
327 close(fd);
328 fr_strerror_printf("Failed creating domain socket %s: It is currently active", cfg->path);
329 return -1;
330 }
331
332 /*
333 * It exists, but no one is listening. Delete it so that we can re-bind to it.
334 */
335 if (unlinkat(dirfd, filename, 0) < 0) {
336 fr_strerror_printf("Failed removing pre-existing domain socket %s: %s",
337 cfg->path, fr_syserror(errno));
338 return -1;
339 }
340
341 return 0;
342}
343
344/*
345 * We normally can't call fchmod() or fchown() on sockets, as they don't really exist in the file system.
346 * Instead, we enforce those permissions on the parent directory of the socket.
347 */
348static int fr_bio_fd_socket_unix_mkdir(int *dirfd, char const **filename, fr_bio_fd_config_t const *cfg)
349{
350 mode_t perm;
351 int parent_fd, fd;
352 char const *path = cfg->path;
353 char *p, *dir = NULL;
354 char *slashes[2];
355
356 perm = S_IREAD | S_IWRITE | S_IEXEC;
357 perm |= S_IRGRP | S_IWGRP | S_IXGRP;
358
359 /*
360 * The parent directory exists. Ensure that it has the correct ownership and permissions.
361 *
362 * If the parent directory exists, then it enforces access, and we can create the domain socket
363 * within it.
364 */
365 if (fr_dirfd(dirfd, filename, path) == 0) {
366 struct stat buf;
367
368 fr_assert(*filename);
369 fr_assert(*dirfd >= 0);
370
371 if (fstat(*dirfd, &buf) < 0) {
372 fr_strerror_printf("Failed reading parent directory for file %s: %s", path, fr_syserror(errno));
373 fail:
374 talloc_free(dir);
375 close(*dirfd);
376 return -1;
377 }
378
379 if (buf.st_uid != cfg->uid) {
380 fr_strerror_printf("Failed reading parent directory for file %s: Incorrect UID", path);
381 goto fail;
382 }
383
384 if (buf.st_gid != cfg->gid) {
385 fr_strerror_printf("Failed reading parent directory for file %s: Incorrect GID", path);
386 goto fail;
387 }
388
389 /*
390 * We don't have the correct permissions on the directory, so we fix them.
391 *
392 * @todo - allow for "other" to read/write if we do authentication on the socket?
393 */
394 if (fchmod(*dirfd, perm) < 0) {
395 fr_strerror_printf("Failed setting parent directory permissions for file %s: %s", path, fr_syserror(errno));
396 goto fail;
397 }
398
399 return 0;
400 }
401
402 /*
403 * We have to create the directories.
404 */
405 dir = talloc_strdup(NULL, path);
406 if (!dir) goto fail;
407
408 /*
409 * Find the last two directory separators.
410 */
411 slashes[0] = slashes[1] = NULL;
412 for (p = dir; *p != '\0'; p++) {
413 if (*p == '/') {
414 slashes[0] = slashes[1];
415 slashes[1] = p;
416 }
417 }
418
419 /*
420 * There's only one / in the path, we can't do anything.
421 *
422 * Opening 'foo/bar.sock' might be useful, but isn't normally a good idea.
423 */
424 if (!slashes[0]) {
425 fr_strerror_printf("Failed parsing filename %s: it is not absolute", path);
426 goto fail;
427 }
428
429 /*
430 * Ensure that the grandparent directory exists.
431 *
432 * /var/run/radiusd/foo.sock
433 *
434 * slashes[0] points to the slash after 'run'.
435 *
436 * slashes[1] points to the slash after 'radiusd', which doesn't exist.
437 */
438 *slashes[0] = '\0';
439
440 /*
441 * If the grandparent doesn't exist, then we don't create it.
442 *
443 * These checks minimize the possibility that a misconfiguration by user "radiusd" can cause a
444 * suid-root binary top create a directory in the wrong place. These checks are only necessary
445 * if the unix domain socket is opened as root.
446 */
447 parent_fd = open(dir, O_DIRECTORY | O_NOFOLLOW);
448 if (parent_fd < 0) {
449 fr_strerror_printf("Failed opening directory %s: %s", dir, fr_syserror(errno));
450 goto fail;
451 }
452
453 /*
454 * Create the parent directory.
455 */
456 *slashes[0] = '/';
457 *slashes[1] = '\0';
458 if (mkdirat(parent_fd, slashes[0] + 1, 0700) < 0) {
459 fr_strerror_printf("Failed creating directory %s: %s", slashes[0], fr_syserror(errno));
460 close_parent:
461 close(parent_fd);
462 goto fail;
463 }
464
465 fd = openat(parent_fd, slashes[0] + 1, O_DIRECTORY);
466 if (fd < 0) {
467 fr_strerror_printf("Failed opening directory %s: %s", slashes[0] + 1, fr_syserror(errno));
468 goto close_parent;
469 }
470
471 if (fchmod(fd, perm) < 0) {
472 fr_strerror_printf("Failed changing permission for directory %s: %s", dir, fr_syserror(errno));
473 close_fd:
474 close(fd);
475 goto close_parent;
476 }
477
478 /*
479 * This is a NOOP if we're chowning a file owned by ourselves to our own UID / GID.
480 *
481 * Otherwise if we're running as root, it will set ownership to the correct user.
482 */
483 if (fchown(fd, cfg->uid, cfg->gid) < 0) {
484 fr_strerror_printf("Failed changing ownership for directory %s: %s", dir, fr_syserror(errno));
485 goto close_fd;
486 }
487
488 *dirfd = fd;
489 path = strrchr(cfg->path, '/');
490 if (path) path++;
491
492 *filename = path;
493
494 talloc_free(dir);
495 close(parent_fd);
496
497 return 0;
498}
499
500static int fr_bio_fd_unix_shutdown(fr_bio_t *bio)
501{
502 fr_bio_fd_t *my = talloc_get_type_abort(bio, fr_bio_fd_t);
503
504 /*
505 * This is called after fr_bio_fd_close() - which marks the bio state as closed
506 *
507 * Unix domain sockets are deleted when the bio is closed.
508 *
509 * Unix domain sockets are never in the "connecting" state, because connect() always returns
510 * immediately.
511 */
512 fr_assert(my->info.state == FR_BIO_FD_STATE_CLOSED);
513
514 /*
515 * Run the user shutdown before we run ours.
516 */
517 if (my->user_shutdown) {
518 int rcode;
519
520 rcode = my->user_shutdown(bio);
521 if (rcode < 0) return rcode;
522 }
523
524 if (unlink(my->info.socket.unix.path) < 0) return fr_bio_error(GENERIC);
525
526 return 0;
527}
528
529/** Bind to a Unix domain socket.
530 *
531 * @todo - this function only does a tiny bit of what fr_server_domain_socket_peercred() and
532 * fr_server_domain_socket_perm() do. Those functions do a lot more sanity checks.
533 *
534 * The main question is whether or not those checks are useful. In many cases, fchmod() and fchown() are not
535 * possible on Unix sockets, so we shouldn't bother doing them,
536 *
537 * Note that the listeners generally call these functions with wrappers of fr_suid_up() and fr_suid_down().
538 * So these functions are running as "root", and will create files owned as "root".
539 */
540static int fr_bio_fd_socket_bind_unix(fr_bio_fd_t *my, fr_bio_fd_config_t const *cfg)
541{
542 int dirfd, rcode;
543 char const *filename, *p;
544 socklen_t sunlen;
545 struct sockaddr_un sun;
546
547 if (!cfg->path) {
548 fr_strerror_const("Failed to specify path");
549 return -1;
550 }
551
552 /*
553 * The UID and GID should be taken automatically from the "user" and "group" settings in
554 * mainconfig. There is no reason to set them to anything else.
555 */
556 if (cfg->uid == (uid_t) -1) {
557 fr_strerror_printf("Failed opening domain socket %s: no UID specified", cfg->path);
558 return -1;
559 }
560
561 if (cfg->gid == (gid_t) -1) {
562 fr_strerror_printf("Failed opening domain socket %s: no GID specified", cfg->path);
563 return -1;
564 }
565
566 /*
567 * Opening 'foo.sock' is OK.
568 */
569 p = strrchr(cfg->path, '/');
570 if (!p) {
571 dirfd = AT_FDCWD;
572 filename = cfg->path;
573
574 } else if (p == cfg->path) {
575 /*
576 * Opening '/foo.sock' is dumb.
577 */
578 fr_strerror_printf("Failed opening domain socket %s: cannot exist at file system root", p);
579 return -1;
580
581 } else if (fr_bio_fd_socket_unix_mkdir(&dirfd, &filename, cfg) < 0) {
582 return -1;
583 }
584
585 /*
586 * Verify and/or clean up the domain socket.
587 */
588 if (fr_bio_fd_socket_unix_verify(dirfd, filename, cfg) < 0) {
589 fail:
590 if (dirfd != AT_FDCWD) close(dirfd);
591 return -1;
592 }
593
594#ifdef HAVE_BINDAT
595 /*
596 * The best function to use here is bindat(), but only quite recent versions of FreeBSD actually
597 * have it, and it's definitely not POSIX.
598 *
599 * If we use bindat(), we pass a relative pathname.
600 */
601 if (fr_filename_to_sockaddr(&sun, &sunlen, filename) < 0) goto fail;
602
603 rcode = bindat(dirfd, my->info.socket.fd, (struct sockaddr *) &sun, sunlen);
604#else
605 /*
606 * For bind(), we pass the full path.
607 */
608 if (fr_filename_to_sockaddr(&sun, &sunlen, cfg->path) < 0) goto fail;
609
610 rcode = bind(my->info.socket.fd, (struct sockaddr *) &sun, sunlen);
611#endif
612 if (rcode < 0) {
613 /*
614 * @todo - if EADDRINUSE, then the socket exists. Try connect(), and if that fails,
615 * delete the socket and try again. This may be simpler than the checks above.
616 */
617 fr_strerror_printf("Failed binding to domain socket %s: %s", cfg->path, fr_syserror(errno));
618 goto fail;
619 }
620
621#ifdef __linux__
622 /*
623 * Linux supports chown && chmod for sockets.
624 */
625 if (fchmod(my->info.socket.fd, S_IREAD | S_IWRITE | S_IEXEC | S_IRGRP | S_IWGRP | S_IXGRP) < 0) {
626 fr_strerror_printf("Failed changing permission for domain socket %s: %s", cfg->path, fr_syserror(errno));
627 goto fail;
628 }
629
630 /*
631 * This is a NOOP if we're chowning a file owned by ourselves to our own UID / GID.
632 *
633 * Otherwise if we're running as root, it will set ownership to the correct user.
634 */
635 if (fchown(my->info.socket.fd, cfg->uid, cfg->gid) < 0) {
636 fr_strerror_printf("Failed changing ownershipt for domain directory %s: %s", cfg->path, fr_syserror(errno));
637 goto fail;
638 }
639
640#endif
641
642 /*
643 * Socket is open. We need to clean it up on shutdown.
644 */
645 if (my->cb.shutdown) my->user_shutdown = my->cb.shutdown;
646 my->cb.shutdown = fr_bio_fd_unix_shutdown;
647 if (dirfd != AT_FDCWD) close(dirfd);
648
649 return 0;
650}
651
652/*
653 * Use the OSX native versions on OSX.
654 */
655#ifdef __APPLE__
656#undef SO_BINDTODEVICE
657#endif
658
659#ifdef SO_BINDTODEVICE
660/** Linux bind to device by name.
661 *
662 */
663static int fr_bio_fd_socket_bind_to_device(fr_bio_fd_t *my, fr_bio_fd_config_t const *cfg)
664{
665 /*
666 * ifindex isn't set, do nothing.
667 */
668 if (!my->info.socket.inet.ifindex) return 0;
669
670 if (!cfg->interface) return 0;
671
672 /*
673 * The internet hints that CAP_NET_RAW is required to use SO_BINDTODEVICE.
674 *
675 * This function also sets fr_strerror() on failure, which will be seen if the bind fails. If
676 * the bind succeeds, then we don't really care that the capability change has failed. We must
677 * already have that capability.
678 */
679#ifdef HAVE_CAPABILITY_H
680 (void)fr_cap_enable(CAP_NET_RAW, CAP_EFFECTIVE);
681#endif
682
683 if (setsockopt(my->info.socket.fd, SOL_SOCKET, SO_BINDTODEVICE, cfg->interface, strlen(cfg->interface)) < 0) {
684 fr_strerror_printf("Failed setting SO_BINDTODEVICE for %s: %s", cfg->interface, fr_syserror(errno));
685 return -1;
686 }
687
688 return 0;
689}
690
691#elif defined(IP_BOUND_IF) || defined(IPV6_BOUND_IF)
692/** OSX bind to interface by index.
693 *
694 */
695static int fr_bio_fd_socket_bind_to_device(fr_bio_fd_t *my, UNUSED fr_bio_fd_config_t const *cfg)
696{
697 int opt, rcode;
698
699 if (!my->info.socket.inet.ifindex) return 0;
700
701 opt = my->info.socket.inet.ifindex;
702
703 switch (my->info.socket.af) {
704 case AF_INET:
705 rcode = setsockopt(my->info.socket.fd, IPPROTO_IP, IP_BOUND_IF, &opt, sizeof(opt));
706 break;
707
708 case AF_INET6:
709 rcode = setsockopt(my->info.socket.fd, IPPROTO_IPV6, IPV6_BOUND_IF, &opt, sizeof(opt));
710 break;
711
712 default:
713 rcode = -1;
714 errno = EAFNOSUPPORT;
715 break;
716 }
717
718 if (rcode < 0) fr_strerror_printf("Failed setting IP_BOUND_IF: %s", fr_syserror(errno));
719 return rcode;
720}
721#else
722
723/** This system is missing SO_BINDTODEVICE, IP_BOUND_IF, IPV6_BOUND_IF
724 *
725 * @todo - FreeBSD IP_RECVIF and IP_SENDIF
726 *
727 * Except that has to be done in recvmsg() and sendmsg(). And it only works on datagram sockets.
728 *
729 * cmsg_len = sizeof(struct sockaddr_dl)
730 * cmsg_level = IPPROTO_IP
731 * cmsg_type = IP_RECVIF
732 */
733static int fr_bio_fd_socket_bind_to_device(fr_bio_fd_t *my, UNUSED fr_bio_fd_config_t const *cfg)
734{
735 if (!my->info.socket.inet.ifindex) return 0;
736
737 fr_strerror_const("Bind to interface is not supported on this platform");
738 return -1;
739}
740
741/* bind to device */
742#endif
743
744static int fr_bio_fd_socket_bind(fr_bio_fd_t *my, fr_bio_fd_config_t const *cfg)
745{
746 bool do_suid;
747 int rcode;
748 socklen_t salen;
749 struct sockaddr_storage salocal;
750
751 fr_assert((my->info.socket.af == AF_INET) || (my->info.socket.af == AF_INET6));
752
753 /*
754 * Ranges must be a high value.
755 */
756 if (my->info.cfg->src_port_start) {
757 if (my->info.cfg->src_port_start < 1024) {
758 fr_strerror_const("Cannot set src_port_start in the range 1..1023");
759 return -1;
760 }
761
762 if (my->info.cfg->src_port_end <= my->info.cfg->src_port_start) {
763 fr_strerror_const("Invalid range src_port_end <= src_port_start");
764 return -1;
765 }
766 }
767
768 /*
769 * Source port is in the restricted range, and we're not root, update permissions / capabilities
770 * so that the bind is permitted.
771 */
772 do_suid = (my->info.socket.inet.src_port > 0) && (my->info.socket.inet.src_port < 1024) && (geteuid() != 0);
773
774#ifdef HAVE_CAPABILITY_H
775 /*
776 * If we can set the capabilities, then we don't need to do SUID.
777 */
778 if (do_suid) do_suid = (fr_cap_enable(CAP_NET_BIND_SERVICE, CAP_EFFECTIVE) < 0);
779#endif
780
781 /*
782 * SUID up before we bind to the interface. If we can set the capabilities above, then should
783 * also be able to set the capabilities to bind to an interface.
784 */
785 if (do_suid) fr_suid_up();
786
787 if (fr_bio_fd_socket_bind_to_device(my, cfg) < 0) {
788 down:
789 if (do_suid) fr_suid_down();
790 return -1;
791 }
792
793 /*
794 * Get the sockaddr for bind()
795 */
796 if (fr_ipaddr_to_sockaddr(&salocal, &salen, &my->info.socket.inet.src_ipaddr, my->info.socket.inet.src_port) < 0) goto down;
797
798 /*
799 * We don't have a source port range, just bind to whatever source port that we're given.
800 */
801 if (!my->info.cfg->src_port_start) {
802 rcode = bind(my->info.socket.fd, (struct sockaddr *) &salocal, salen);
803 if (do_suid) fr_suid_down();
804
805 if (rcode < 0) {
806 fr_strerror_printf("Failed binding to socket: %s", fr_syserror(errno));
807 return -1;
808 }
809
810 } else {
811 uint16_t src_port, current, range;
812 struct sockaddr_in *sin = (struct sockaddr_in *) &salocal;
813
814 fr_assert(my->info.cfg->src_port_start);
815 fr_assert(my->info.cfg->src_port_end);
816 fr_assert(my->info.cfg->src_port_end >= my->info.cfg->src_port_start);
817
818 range = my->info.cfg->src_port_end - my->info.cfg->src_port_start;
819 src_port = fr_rand() % range;
820
821 /*
822 * We only care about sin_port, which is in the same location for sockaddr_in and sockaddr_in6.
823 */
824 fr_assert(sin->sin_port == 0);
825
826 sin->sin_port = htons(my->info.cfg->src_port_start + src_port);
827
828 /*
829 * We've picked a random port in what is hopefully a large range. If that works, we're
830 * done.
831 */
832 rcode = bind(my->info.socket.fd, (struct sockaddr *) &salocal, salen);
833 if (rcode == 0) {
834 if (do_suid) fr_suid_down();
835 goto done;
836 }
837
838 /*
839 * Hunt & peck. Which is horrible.
840 */
841 current = src_port;
842 while (true) {
843 if (current == range) {
844 current = 0;
845 } else {
846 current++;
847 }
848
849 /*
850 * We've already checked this, so stop.
851 */
852 if (current == src_port) break;
853
854 sin->sin_port = htons(my->info.cfg->src_port_start + current);
855
856 rcode = bind(my->info.socket.fd, (struct sockaddr *) &salocal, salen);
857 if (rcode == 0) {
858 if (do_suid) fr_suid_down();
859 goto done;
860 }
861 }
862
863 /*
864 * The error is a good hint at _why_ we failed to bind.
865 * We expect errno to be EADDRINUSE, anything else is a surprise.
866 */
867 if (do_suid) fr_suid_down();
868 fr_strerror_printf("Failed binding port between 'src_port_start' and 'src_port_end': %s", fr_syserror(errno));
869 return -1;
870 }
871
872 /*
873 * The IP and/or port may have changed, so get the new one.
874 */
875done:
876 return fr_bio_fd_socket_name(my);
877}
878
879/** Set the name of an FD BIO
880 *
881 */
882void fr_bio_fd_name(fr_bio_fd_t *my)
883{
884 fr_bio_fd_config_t const *cfg = my->info.cfg;
885
886 switch (my->info.type) {
887 case FR_BIO_FD_INVALID:
888 return;
889
890 case FR_BIO_FD_UNCONNECTED:
891 fr_assert(cfg->socket_type == SOCK_DGRAM);
892
893 switch (my->info.socket.af) {
894 case AF_INET:
895 case AF_INET6:
896 my->info.name = fr_asprintf(my, "proto udp local %pV port %u",
897 fr_box_ipaddr(my->info.socket.inet.src_ipaddr),
898 my->info.socket.inet.src_port);
899 break;
900
901 case AF_LOCAL:
902 my->info.name = fr_asprintf(my, "proto unix (datagram) filename %s",
903 cfg->path);
904 break;
905
906 default:
907 fr_assert(0);
908 my->info.name = "??? invalid BIO ???";
909 break;
910 }
911 break;
912
913 case FR_BIO_FD_CONNECTED:
914 switch (my->info.socket.af) {
915 case AF_INET:
916 case AF_INET6:
917 my->info.name = fr_asprintf(my, "proto %s local %pV port %u remote %pV port %u",
918 (cfg->socket_type == SOCK_DGRAM) ? "udp" : "tcp",
919 fr_box_ipaddr(my->info.socket.inet.src_ipaddr),
920 my->info.socket.inet.src_port,
921 fr_box_ipaddr(my->info.socket.inet.dst_ipaddr),
922 my->info.socket.inet.dst_port);
923 break;
924
925 case AF_LOCAL:
926 my->info.name = fr_asprintf(my, "proto unix %sfilename %s",
927 (cfg->socket_type == SOCK_DGRAM) ? "(datagram) " : "",
928 cfg->path);
929 break;
930
931 case AF_FILE_BIO:
932 fr_assert(cfg->socket_type == SOCK_STREAM);
933
934 if (cfg->flags == O_RDONLY) {
935 my->info.name = fr_asprintf(my, "proto file (read-only) filename %s ",
936 cfg->filename);
937
938 } else if (cfg->flags == O_WRONLY) {
939 my->info.name = fr_asprintf(my, "proto file (write-only) filename %s",
940 cfg->filename);
941 } else {
942 my->info.name = fr_asprintf(my, "proto file (read-write) filename %s",
943 cfg->filename);
944 }
945 break;
946
947 default:
948 fr_assert(0);
949 my->info.name = "??? invalid BIO ???";
950 break;
951 }
952 break;
953
954 case FR_BIO_FD_LISTEN:
955 switch (my->info.socket.af) {
956 case AF_INET:
957 case AF_INET6:
958 my->info.name = fr_asprintf(my, "proto %s local %pV port %u",
959 (cfg->socket_type == SOCK_DGRAM) ? "udp" : "tcp",
960 fr_box_ipaddr(my->info.socket.inet.src_ipaddr),
961 my->info.socket.inet.src_port);
962 break;
963
964 case AF_LOCAL:
965 my->info.name = fr_asprintf(my, "proto unix filename %s",
966 cfg->path);
967 break;
968
969 default:
970 fr_assert(0);
971 my->info.name = "??? invalid BIO ???";
972 break;
973 }
974 break;
975 }
976}
977
978/** Checks the configuration without modifying anything.
979 *
980 */
981int fr_bio_fd_check_config(fr_bio_fd_config_t const *cfg)
982{
983 /*
984 * Sanitize the IP addresses.
985 *
986 */
987 switch (cfg->type) {
988 case FR_BIO_FD_INVALID:
989 fr_strerror_const("No connection type was specified");
990 return -1;
991
992 case FR_BIO_FD_CONNECTED:
993 /*
994 * Ensure that we have a destination address.
995 */
996 if (cfg->dst_ipaddr.af == AF_UNSPEC) {
997 fr_strerror_const("No destination IP address was specified");
998 return -1;
999 }
1000
1001 if (!cfg->dst_port) {
1002 fr_strerror_const("No destination port was specified");
1003 return -1;
1004 }
1005
1006 /*
1007 * The source IP has to be the same address family as the destination IP.
1008 */
1009 if ((cfg->src_ipaddr.af != AF_UNSPEC) && (cfg->src_ipaddr.af != cfg->dst_ipaddr.af)) {
1010 fr_strerror_printf("Source and destination IP addresses are not from the same IP address family");
1011 return -1;
1012 }
1013 break;
1014
1015 case FR_BIO_FD_LISTEN:
1016 if (!cfg->src_port) {
1017 fr_strerror_const("No source port was specified");
1018 return -1;
1019 }
1020 FALL_THROUGH;
1021
1022 /*
1023 * Unconnected sockets can use a source port, but don't need one.
1024 */
1025 case FR_BIO_FD_UNCONNECTED:
1026 if (cfg->path && cfg->filename) {
1027 fr_strerror_const("Unconnected sockets cannot be used with Unix sockets or files");
1028 return -1;
1029 }
1030
1031 if (cfg->src_ipaddr.af == AF_UNSPEC) {
1032 fr_strerror_const("No source IP address was specified");
1033 return -1;
1034 }
1035 break;
1036 }
1037
1038 return 0;
1039}
1040
1041/** Opens a socket and updates sock->fd
1042 *
1043 * If the socket is asynchronous, it also calls connect()
1044 */
1045int fr_bio_fd_open(fr_bio_t *bio, fr_bio_fd_config_t const *cfg)
1046{
1047 int fd;
1048 int rcode = -1;
1049 fr_bio_fd_t *my = talloc_get_type_abort(bio, fr_bio_fd_t);
1050
1051 fr_strerror_clear();
1052
1053 my->info = (fr_bio_fd_info_t) {
1054 .socket = {
1055 .type = cfg->socket_type,
1056 .fd = -1,
1057 },
1058 .cfg = cfg,
1059 };
1060
1061 if (!cfg->path && !cfg->filename) {
1062 int protocol;
1063
1064 my->info.socket.af = cfg->src_ipaddr.af;
1065 my->info.socket.inet.src_ipaddr = cfg->src_ipaddr;
1066 my->info.socket.inet.dst_ipaddr = cfg->dst_ipaddr;
1067 my->info.socket.inet.src_port = cfg->src_port;
1068 my->info.socket.inet.dst_port = cfg->dst_port;
1069
1070 if (fr_bio_fd_check_config(cfg) < 0) return -1;
1071
1072 /*
1073 * Sanitize the IP addresses.
1074 *
1075 */
1076 switch (cfg->type) {
1077 case FR_BIO_FD_INVALID:
1078 return -1;
1079
1080 case FR_BIO_FD_CONNECTED:
1081 /*
1082 * No source specified, just bootstrap it from the destination.
1083 */
1084 if (my->info.socket.inet.src_ipaddr.af == AF_UNSPEC) {
1085 my->info.socket.inet.src_ipaddr = (fr_ipaddr_t) {
1086 .af = my->info.socket.inet.dst_ipaddr.af,
1087 .prefix = (my->info.socket.inet.dst_ipaddr.af == AF_INET) ? 32 : 128,
1088 };
1089
1090 /*
1091 * Set the main socket AF too.
1092 */
1093 my->info.socket.af = my->info.socket.inet.dst_ipaddr.af;
1094 }
1095
1096 /*
1097 * The source IP has to be the same address family as the destination IP.
1098 */
1099 if (my->info.socket.inet.src_ipaddr.af != my->info.socket.inet.dst_ipaddr.af) {
1100 fr_strerror_const("Source and destination IP addresses are not from the same IP address family");
1101 return -1;
1102 }
1103
1104#ifdef SO_REUSEPORT
1105 /*
1106 * Connected UDP sockets really only matter when writing packets. They allow the
1107 * system to use write() instead of sendto().
1108 *
1109 * However for reading packets, the kernel does NOT check the source IP.
1110 * Instead, it just delivers any packet with the correct dst IP/port. Even
1111 * worse, if multiple sockets re-use the same dst IP/port, packets are delivered
1112 * to a _random_ socket.
1113 *
1114 * As a result, we cannot use wildcard sockets with SO_REUSEPORT, and UDP.
1115 */
1116 if (cfg->reuse_port && (cfg->socket_type == SOCK_DGRAM) &&
1117 fr_ipaddr_is_inaddr_any(&my->info.socket.inet.dst_ipaddr)) { /* checks AF, so we're OK */
1118 fr_strerror_const("Cannot set 'reuse_port' for connected UDP sockets with wildcard IP");
1119 return -1;
1120 }
1121#endif
1122
1123 break;
1124
1125 case FR_BIO_FD_UNCONNECTED:
1126 case FR_BIO_FD_LISTEN:
1127 fr_assert(my->info.socket.inet.src_ipaddr.af != AF_UNSPEC);
1128 break;
1129 }
1130
1131 if (cfg->socket_type == SOCK_STREAM) {
1132 protocol = IPPROTO_TCP;
1133 } else {
1134 protocol = IPPROTO_UDP;
1135 }
1136
1137 if (cfg->interface) {
1138 my->info.socket.inet.ifindex = if_nametoindex(cfg->interface);
1139
1140 if (!my->info.socket.inet.ifindex) {
1141 fr_strerror_printf_push("Failed finding interface %s: %s", cfg->interface, fr_syserror(errno));
1142 return -1;
1143 }
1144 }
1145
1146 fd = socket(my->info.socket.af, my->info.socket.type, protocol);
1147 if (fd < 0) {
1148 fr_strerror_printf("Failed opening socket: %s", fr_syserror(errno));
1149 return fr_bio_error(GENERIC);
1150 }
1151
1152 } else if (cfg->path) {
1153 my->info.socket.af = AF_LOCAL;
1154 my->info.socket.type = SOCK_STREAM;
1155 my->info.socket.unix.path = cfg->path;
1156
1157 fd = socket(my->info.socket.af, my->info.socket.type, 0);
1158 if (fd < 0) {
1159 fr_strerror_printf("Failed opening domain socket %s: %s", cfg->path, fr_syserror(errno));
1160 return fr_bio_error(GENERIC);
1161 }
1162
1163 } else {
1164 if (cfg->type != FR_BIO_FD_CONNECTED) {
1165 fr_strerror_printf("Can only use connected sockets for file IO");
1166 return -1;
1167 }
1168
1169 /*
1170 * Filenames overload the #fr_socket_t for now.
1171 */
1172 my->info.socket.af = AF_FILE_BIO;
1173 my->info.socket.type = SOCK_STREAM;
1174 my->info.socket.unix.path = cfg->filename;
1175
1176 /*
1177 * Allow hacks for stdout and stderr
1178 */
1179 if (strcmp(cfg->filename, "/dev/stdout") == 0) {
1180 if (cfg->flags != O_WRONLY) {
1181 fail_dev:
1182 fr_strerror_printf("Cannot read from %s", cfg->filename);
1183 return -1;
1184 }
1185
1186 fd = dup(STDOUT_FILENO);
1187
1188 } else if (strcmp(cfg->filename, "/dev/stderr") == 0) {
1189 if (cfg->flags != O_WRONLY) goto fail_dev;
1190
1191 fd = dup(STDERR_FILENO);
1192
1193 } else if (strcmp(cfg->filename, "/dev/stdin") == 0) {
1194 if (cfg->flags != O_RDONLY) {
1195 fr_strerror_printf("Cannot write to %s", cfg->filename);
1196 return -1;
1197 }
1198
1199 fd = dup(STDIN_FILENO);
1200
1201 } else {
1202 /*
1203 * Minor hacks so that we have only _one_ source of open / mkdir
1204 */
1205 my->info.socket.fd = -1;
1206
1207 fd = fr_bio_fd_reopen(bio);
1208 }
1209 if (fd < 0) {
1210 fr_strerror_printf("Failed opening file %s: %s", cfg->filename, fr_syserror(errno));
1211 return fr_bio_error(GENERIC);
1212 }
1213 }
1214
1215 /*
1216 * Set it to be non-blocking if required.
1217 */
1218 if (cfg->async && (fr_nonblock(fd) < 0)) {
1219 fr_strerror_printf("Failed setting O_NONBLOCK: %s", fr_syserror(errno));
1220 rcode = fr_bio_error(GENERIC);
1221
1222 fail:
1223 my->info.socket = (fr_socket_t) {
1224 .fd = -1,
1225 };
1226 my->info.state = FR_BIO_FD_STATE_CLOSED;
1227 my->info.cfg = NULL;
1228 close(fd);
1229 return rcode;
1230 }
1231
1232 if (fr_cloexec(fd) < 0) goto fail;
1233
1234 /*
1235 * Initialize the bio information before calling the various setup functions.
1236 */
1237 my->info.state = FR_BIO_FD_STATE_CONNECTING;
1238
1239 /*
1240 * Set the FD so that the subsequent calls can use it.
1241 */
1242 my->info.socket.fd = fd;
1243
1244 /*
1245 * Set the type, too.
1246 */
1247 my->info.type = cfg->type;
1248
1249 /*
1250 * Do sanity checks, bootstrap common socket options, bind to the socket, and initialize the read
1251 * / write functions.
1252 */
1253 switch (cfg->type) {
1254 case FR_BIO_FD_INVALID:
1255 goto fail;
1256
1257 /*
1258 * Unconnected UDP or datagram AF_LOCAL server sockets.
1259 */
1260 case FR_BIO_FD_UNCONNECTED:
1261 if (my->info.socket.type != SOCK_DGRAM) {
1262 fr_strerror_const("Failed configuring socket: unconnected sockets must be UDP");
1263 goto fail;
1264 }
1265
1266 switch (my->info.socket.af) {
1267 case AF_INET:
1268 case AF_INET6:
1269 if ((rcode = fr_bio_fd_common_udp(fd, &my->info.socket, cfg)) < 0) goto fail;
1270 break;
1271
1272 case AF_LOCAL:
1273 if ((rcode = fr_bio_fd_common_datagram(fd, &my->info.socket, cfg)) < 0) goto fail;
1274 break;
1275
1276 case AF_FILE_BIO:
1277 fr_strerror_const("Filenames must use the connected API");
1278 goto fail;
1279
1280 default:
1281 fr_strerror_const("Unsupported address family for unconnected sockets");
1282 goto fail;
1283 }
1284
1285 if ((rcode = fr_bio_fd_socket_bind(my, cfg)) < 0) goto fail;
1286
1287 if ((rcode = fr_bio_fd_init_common(my)) < 0) goto fail;
1288 break;
1289
1290 /*
1291 * A connected client: UDP, TCP, AF_LOCAL, or AF_FILE_BIO
1292 */
1293 case FR_BIO_FD_CONNECTED:
1294 if (my->info.socket.type == SOCK_DGRAM) {
1295 switch (my->info.socket.af) {
1296 case AF_INET:
1297 case AF_INET6:
1298 if ((rcode = fr_bio_fd_common_udp(fd, &my->info.socket, cfg)) < 0) goto fail;
1299 break;
1300 default:
1301 if ((rcode = fr_bio_fd_common_datagram(fd, &my->info.socket, cfg)) < 0) goto fail;
1302 break;
1303 }
1304
1305 } else if ((my->info.socket.af == AF_INET) || (my->info.socket.af == AF_INET6)) {
1306 rcode = fr_bio_fd_common_tcp(fd, &my->info.socket, cfg);
1307 if (rcode < 0) goto fail;
1308 }
1309
1310 switch (my->info.socket.af) {
1311 case AF_LOCAL:
1312 if ((rcode = fr_bio_fd_socket_bind_unix(my, cfg)) < 0) goto fail;
1313 break;
1314
1315 case AF_FILE_BIO:
1316 break;
1317
1318 case AF_INET:
1319 case AF_INET6:
1320 if ((rcode = fr_bio_fd_socket_bind(my, cfg)) < 0) goto fail;
1321 break;
1322
1323 default:
1324 goto fail;
1325 }
1326
1327 if ((rcode = fr_bio_fd_init_connected(my)) < 0) goto fail;
1328 break;
1329
1330 /*
1331 * Server socket which listens for new stream connections
1332 */
1333 case FR_BIO_FD_LISTEN:
1334 if ((my->info.socket.type == SOCK_DGRAM) && !cfg->reuse_port) {
1335 fr_strerror_const("reuseport must be set for datagram sockets");
1336 rcode = -1;
1337 goto fail;
1338 }
1339
1340 switch (my->info.socket.af) {
1341 case AF_INET:
1342 if ((rcode = fr_bio_fd_server_ipv4(fd, &my->info.socket, cfg)) < 0) goto fail;
1343
1344 if ((rcode = fr_bio_fd_socket_bind(my, cfg)) < 0) goto fail;
1345 break;
1346
1347 case AF_INET6:
1348 if ((rcode = fr_bio_fd_server_ipv6(fd, &my->info.socket, cfg)) < 0) goto fail;
1349
1350 if ((rcode = fr_bio_fd_socket_bind(my, cfg)) < 0) goto fail;
1351 break;
1352
1353 case AF_LOCAL:
1354 if ((rcode = fr_bio_fd_socket_bind_unix(my, cfg)) < 0) goto fail;
1355 break;
1356
1357 default:
1358 fr_strerror_const("Unsupported address family for accept() socket");
1359 rcode = -1;
1360 goto fail;
1361 }
1362
1363 if ((rcode = fr_bio_fd_init_listen(my)) < 0) goto fail;
1364 break;
1365 }
1366
1367 /*
1368 * Set the name of the BIO.
1369 */
1370 fr_bio_fd_name(my);
1371
1372 return 0;
1373}
1374
1375/** Reopen a file BIO
1376 *
1377 * e.g. for log files.
1378 */
1379int fr_bio_fd_reopen(fr_bio_t *bio)
1380{
1381 fr_bio_fd_t *my = talloc_get_type_abort(bio, fr_bio_fd_t);
1382 fr_bio_fd_config_t const *cfg = my->info.cfg;
1383 int fd, flags;
1384
1385 if (my->info.socket.af != AF_FILE_BIO) {
1386 fr_strerror_const("Cannot reopen a non-file BIO");
1387 return -1;
1388 }
1389
1390 /*
1391 * Create it if necessary.
1392 */
1393 flags = cfg->flags;
1394 if (flags != O_RDONLY) flags |= O_CREAT;
1395
1396 if (!cfg->mkdir) {
1397 /*
1398 * Client BIOs writing to a file, and therefore need to create it.
1399 */
1400 do_open:
1401 fd = open(cfg->filename, flags, cfg->perm);
1402 if (fd < 0) {
1403 failed_open:
1404 fr_strerror_printf("Failed opening file %s: %s", cfg->filename, fr_syserror(errno));
1405 return -1;
1406 }
1407
1408 } else {
1409 /*
1410 * We make the parent directory if told to, AND if there's a '/' in the path.
1411 */
1412 char *p = strrchr(cfg->filename, '/');
1413 int dir_fd;
1414
1415 if (!p) goto do_open;
1416
1417 if (fr_mkdir(&dir_fd, cfg->filename, (size_t) (p - cfg->filename), cfg->perm, fr_mkdir_chown,
1418 &(fr_mkdir_chown_t) {
1419 .uid = cfg->uid,
1420 .gid = cfg->gid,
1421 }) < 0) {
1422 return -1;
1423 }
1424
1425 fd = openat(dir_fd, p + 1, flags, cfg->perm);
1426 if (fd < 0) {
1427 close(dir_fd);
1428 goto failed_open;
1429 }
1430
1431 close(dir_fd);
1432 }
1433
1434 /*
1435 * We're boot-strapping, just set the new FD and return.
1436 */
1437 if (my->info.socket.fd < 0) {
1438 return fd;
1439 }
1440
1441 /*
1442 * Replace the FD rather than swapping it out with a new one. This is potentially more
1443 * thread-safe.
1444 */
1445 if (dup2(fd, my->info.socket.fd) < 0) {
1446 close(fd);
1447 fr_strerror_printf("Failed reopening file - %s", fr_syserror(errno));
1448 return -1;
1449 }
1450
1451 close(fd);
1452 return my->info.socket.fd;
1453}
fr_bio_error
#define fr_bio_error(_x)
Definition base.h:200
fr_bio_s
Definition base.h:113
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
UNUSED
#define UNUSED
Definition build.h:317
CAP_EFFECTIVE
#define CAP_EFFECTIVE
Definition cap.h:49
fr_bio_fd_socket_name
int fr_bio_fd_socket_name(fr_bio_fd_t *my)
Definition fd.c:659
fr_bio_fd_init_connected
int fr_bio_fd_init_connected(fr_bio_fd_t *my)
Definition fd.c:817
fr_filename_to_sockaddr
int fr_filename_to_sockaddr(struct sockaddr_un *sun, socklen_t *sunlen, char const *filename)
Definition fd.c:641
fr_bio_fd_init_listen
int fr_bio_fd_init_listen(fr_bio_fd_t *my)
Definition fd.c:921
fr_bio_fd_init_common
int fr_bio_fd_init_common(fr_bio_fd_t *my)
Definition fd.c:880
fr_bio_fd_config_t::src_port
uint16_t src_port
our port
Definition fd.h:91
FR_BIO_FD_CONNECTED
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition fd.h:68
FR_BIO_FD_INVALID
@ FR_BIO_FD_INVALID
not set
Definition fd.h:64
FR_BIO_FD_UNCONNECTED
@ FR_BIO_FD_UNCONNECTED
unconnected UDP / datagram only
Definition fd.h:65
FR_BIO_FD_LISTEN
@ FR_BIO_FD_LISTEN
returns new fd in buffer on fr_bio_read() or fr_bio_fd_accept()
Definition fd.h:69
fr_bio_fd_config_t::recv_buff
uint32_t recv_buff
How big the kernel's receive buffer should be.
Definition fd.h:101
fr_bio_fd_config_t::mkdir
bool mkdir
make intermediate directories
Definition fd.h:108
FR_BIO_FD_STATE_CLOSED
@ FR_BIO_FD_STATE_CLOSED
Definition fd.h:58
FR_BIO_FD_STATE_CONNECTING
@ FR_BIO_FD_STATE_CONNECTING
Definition fd.h:60
fr_bio_fd_config_t::dst_ipaddr
fr_ipaddr_t dst_ipaddr
their IP address
Definition fd.h:89
fr_bio_fd_config_t::type
fr_bio_fd_type_t type
accept, connected, unconnected, etc.
Definition fd.h:81
fr_bio_fd_config_t::path
char const * path
for Unix domain sockets
Definition fd.h:104
fr_bio_fd_config_t::send_buff
uint32_t send_buff
How big the kernel's send buffer should be.
Definition fd.h:102
fr_bio_fd_config_t::filename
char const * filename
for files
Definition fd.h:110
fr_bio_fd_config_t::uid
uid_t uid
who owns the socket
Definition fd.h:106
fr_bio_fd_config_t::gid
gid_t gid
who owns the socket
Definition fd.h:107
fr_bio_fd_config_t::interface
char const * interface
for binding to an interface
Definition fd.h:97
fr_bio_fd_config_t::perm
mode_t perm
permissions for domain sockets
Definition fd.h:105
AF_FILE_BIO
#define AF_FILE_BIO
Definition fd.h:40
fr_bio_fd_config_t::socket_type
int socket_type
SOCK_STREAM or SOCK_DGRAM.
Definition fd.h:83
fr_bio_fd_config_t::dst_port
uint16_t dst_port
their port
Definition fd.h:92
fr_bio_fd_config_t::tcp_delay
bool tcp_delay
We do tcp_nodelay by default.
Definition fd.h:114
fr_bio_fd_config_t::reuse_port
bool reuse_port
whether or not we re-use the same destination port for datagram sockets
Definition fd.h:86
fr_bio_fd_config_t::exceed_mtu
bool exceed_mtu
Whether we allow packets which exceed the local MTU.
Definition fd.h:115
fr_bio_fd_config_t::async
bool async
is it async
Definition fd.h:113
fr_bio_fd_config_t::flags
int flags
O_RDONLY, etc.
Definition fd.h:111
fr_bio_fd_config_t::src_ipaddr
fr_ipaddr_t src_ipaddr
our IP address
Definition fd.h:88
fr_bio_fd_config_t
Configuration for sockets.
Definition fd.h:80
fr_bio_fd_info_t
Run-time status of the socket.
Definition fd.h:131
my
void fr_bio_shutdown & my
Definition fd_errno.h:70
fr_bio_fd_socket_unix_mkdir
static int fr_bio_fd_socket_unix_mkdir(int *dirfd, char const **filename, fr_bio_fd_config_t const *cfg)
Definition fd_open.c:348
fr_bio_fd_socket_bind_to_device
static int fr_bio_fd_socket_bind_to_device(fr_bio_fd_t *my, UNUSED fr_bio_fd_config_t const *cfg)
This system is missing SO_BINDTODEVICE, IP_BOUND_IF, IPV6_BOUND_IF.
Definition fd_open.c:733
fr_bio_fd_socket_unix_verify
static int fr_bio_fd_socket_unix_verify(int dirfd, char const *filename, fr_bio_fd_config_t const *cfg)
Verify or clean up a pre-existing domain socket.
Definition fd_open.c:281
fr_bio_fd_server_ipv6
static int fr_bio_fd_server_ipv6(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
Initialize an IPv6 server socket.
Definition fd_open.c:254
fr_bio_fd_common_udp
static int fr_bio_fd_common_udp(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
Initialize a UDP socket.
Definition fd_open.c:150
fr_bio_fd_reopen
int fr_bio_fd_reopen(fr_bio_t *bio)
Reopen a file BIO.
Definition fd_open.c:1379
fr_bio_fd_server_tcp
static int fr_bio_fd_server_tcp(int fd, UNUSED fr_socket_t const *sock)
Initialize a TCP server socket.
Definition fd_open.c:226
fr_bio_fd_socket_bind_unix
static int fr_bio_fd_socket_bind_unix(fr_bio_fd_t *my, fr_bio_fd_config_t const *cfg)
Bind to a Unix domain socket.
Definition fd_open.c:540
fr_bio_fd_name
void fr_bio_fd_name(fr_bio_fd_t *my)
Set the name of an FD BIO.
Definition fd_open.c:882
fr_bio_fd_socket_bind
static int fr_bio_fd_socket_bind(fr_bio_fd_t *my, fr_bio_fd_config_t const *cfg)
Definition fd_open.c:744
fr_bio_fd_server_ipv4
static int fr_bio_fd_server_ipv4(int fd, fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
Initialize an IPv4 server socket.
Definition fd_open.c:241
fr_bio_fd_common_tcp
static int fr_bio_fd_common_tcp(int fd, UNUSED fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
Initialize common datagram information.
Definition fd_open.c:40
fr_bio_fd_unix_shutdown
static int fr_bio_fd_unix_shutdown(fr_bio_t *bio)
Definition fd_open.c:500
fr_bio_fd_open
int fr_bio_fd_open(fr_bio_t *bio, fr_bio_fd_config_t const *cfg)
Opens a socket and updates sock->fd.
Definition fd_open.c:1045
fr_bio_fd_check_config
int fr_bio_fd_check_config(fr_bio_fd_config_t const *cfg)
Checks the configuration without modifying anything.
Definition fd_open.c:981
fr_bio_fd_common_datagram
static int fr_bio_fd_common_datagram(int fd, UNUSED fr_socket_t const *sock, fr_bio_fd_config_t const *cfg)
Initialize common datagram information.
Definition fd_open.c:84
fr_bio_fd_s
Our FD bio structure.
Definition fd_priv.h:35
talloc_free
talloc_free(hp)
fr_ipaddr_is_inaddr_any
int fr_ipaddr_is_inaddr_any(fr_ipaddr_t const *ipaddr)
Determine if an address is the INADDR_ANY address for its address family.
Definition inet.c:63
fr_ipaddr_to_sockaddr
int fr_ipaddr_to_sockaddr(struct sockaddr_storage *sa, socklen_t *salen, fr_ipaddr_t const *ipaddr, uint16_t port)
Convert our internal ip address representation to a sockaddr.
Definition inet.c:1400
fr_ipaddr_t::af
int af
Address family.
Definition inet.h:64
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
fr_mkdir
ssize_t fr_mkdir(int *fd_out, char const *path, ssize_t len, mode_t mode, fr_mkdir_func_t func, void *uctx)
Create directories that are missing in the specified path.
Definition file.c:219
fr_mkdir_chown
int fr_mkdir_chown(int fd, char const *path, void *uctx)
Callback for the common case of chown() of the directory.
Definition file.c:39
fr_dirfd
int fr_dirfd(int *dirfd, char const **filename, char const *pathname)
From a pathname, return fd and filename needed for *at() functions.
Definition file.c:412
fr_mkdir_chown_t
Definition file.h:55
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
mode_t
unsigned int mode_t
Definition merged_model.c:21
fr_nonblock
int fr_nonblock(UNUSED int fd)
Definition misc.c:294
fr_suid_up
fr_suid_t fr_suid_up
Definition misc.c:569
fr_cloexec
int fr_cloexec(UNUSED int fd)
Definition misc.c:332
fr_suid_down
fr_suid_t fr_suid_down
Definition misc.c:570
fr_asprintf
char * fr_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Special version of asprintf which implements custom format specifiers.
Definition print.c:883
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
done
static bool done
Definition radclient.c:83
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
fr_socket_client_unix
int fr_socket_client_unix(UNUSED char const *path, UNUSED bool async)
Definition socket.c:543
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
talloc_strdup
#define talloc_strdup(_ctx, _str)
Definition talloc.h:145
fr_socket_t::af
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:78
fr_socket_t::type
int type
SOCK_STREAM, SOCK_DGRAM, etc.
Definition socket.h:79
fr_socket_t
Holds information necessary for binding or connecting to a socket.
Definition socket.h:63
fr_strerror_clear
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
Definition strerror.c:576
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_printf_push
#define fr_strerror_printf_push(_fmt,...)
Add a message to an existing stack of messages at the tail.
Definition strerror.h:84
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition value.h:317
Generated by   doxygen 1.9.8