+static bool network_is_online(void) {
+ _cleanup_free_ char *state = NULL;
+ int r;
+
+ r = sd_network_get_operational_state(&state);
+ if (r >= 0 && STR_IN_SET(state, "routable", "degraded"))
+ return true;
+
+ return false;
+}
+
+static int manager_network_event_handler(sd_event_source *s, int fd, uint32_t revents,
+ void *userdata) {
+ Manager *m = userdata;
+ bool connected, online;
+ int r;
+
+ assert(m);
+
+ /* check if the machine is online */
+ online = network_is_online();
+
+ /* check if the client is currently connected */
+ connected = (m->server_socket != -1);
+
+ if (connected && !online) {
+ log_info("No network connectivity, watching for changes.");
+ manager_disconnect(m);
+ } else if (!connected && online) {
+ log_info("Network configuration changed, trying to establish connection.");
+ if (m->current_server_address) {
+ r = manager_begin(m);
+ if (r < 0)
+ return r;
+ } else {
+ r = manager_connect(m);
+ if (r < 0)
+ return r;
+ }
+ }
+
+ sd_network_monitor_flush(m->network_monitor);
+
+ return 0;
+}
+
+static int manager_network_monitor_listen(Manager *m) {
+ _cleanup_event_source_unref_ sd_event_source *event_source = NULL;
+ _cleanup_network_monitor_unref_ sd_network_monitor *monitor = NULL;
+ int r, fd, events;
+
+ r = sd_network_monitor_new(NULL, &monitor);
+ if (r < 0)
+ return r;
+
+ fd = sd_network_monitor_get_fd(monitor);
+ if (fd < 0)
+ return fd;
+
+ events = sd_network_monitor_get_events(monitor);
+ if (events < 0)
+ return events;
+
+ r = sd_event_add_io(m->event, &event_source, fd, events,
+ &manager_network_event_handler, m);
+ if (r < 0)
+ return r;
+
+ m->network_monitor = monitor;
+ m->network_event_source = event_source;
+ monitor = NULL;
+ event_source = NULL;
+
+ return 0;
+}
+
+static int drop_privileges(uid_t uid, gid_t gid) {
+
+ static const cap_value_t bits[] = {
+ CAP_SYS_TIME,
+ };
+
+ _cleanup_cap_free_ cap_t d = NULL;
+ int r;
+
+ /* Unfortunately we cannot leave privilege dropping to PID 1
+ * here, since we want to run as user but want to keep te
+ * CAP_SYS_TIME capability. Since file capabilities have been
+ * introduced this cannot be done across exec() anymore,
+ * unless our binary has the capability configured in the file
+ * system, which we want to avoid. */
+
+ if (setresgid(gid, gid, gid) < 0) {
+ log_error("Failed change group ID: %m");
+ return -errno;
+ }
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("Failed to drop auxiliary groups list: %m");
+ return -errno;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
+ log_error("Failed to enable keep capabilities flag: %m");
+ return -errno;
+ }
+
+ r = setresuid(uid, uid, uid);
+ if (r < 0) {
+ log_error("Failed change user ID: %m");
+ return -errno;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
+ log_error("Failed to disable keep capabilities flag: %m");
+ return -errno;
+ }
+
+ r = capability_bounding_set_drop(~(1ULL << CAP_SYS_TIME), true);
+ if (r < 0) {
+ log_error("Failed to drop capabilities: %s", strerror(-r));
+ return r;
+ }
+
+ d = cap_init();
+ if (!d)
+ return log_oom();
+
+ if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
+ cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
+ log_error("Failed to enable capabilities bits: %m");
+ return -errno;
+ }
+
+ if (cap_set_proc(d) < 0) {
+ log_error("Failed to increase capabilities: %m");
+ return -errno;
+ }
+
+ return 0;
+}
+