core: disallow using '-.service' as a service name

-.service.d will become a special top level drop in so don't let it be a
usable service name (otherwise the interaction gets complicated).

src/basic/special.h

@@ -105,3 +105,7 @@
 
 /* The root directory. */
 #define SPECIAL_ROOT_MOUNT "-.mount"
+
+/* Used to apply settings to all services through drop-ins.
+ * Should not exist as an actual service. */
+#define SPECIAL_ROOT_SERVICE "-.service"

src/basic/unit-name.c

@@ -665,6 +665,31 @@ good:
         return 0;
 }
 
+bool service_unit_name_is_valid(const char *name) {
+        _cleanup_free_ char *prefix = NULL, *s = NULL;
+        const char *e, *service_name = name;
+
+        if (!unit_name_is_valid(name, UNIT_NAME_ANY))
+                return false;
+
+        e = endswith(name, ".service");
+        if (!e)
+                return false;
+
+        /* If it's a template or instance, get the prefix as a service name. */
+        if (unit_name_is_valid(name, UNIT_NAME_INSTANCE|UNIT_NAME_TEMPLATE)) {
+                assert_se(unit_name_to_prefix(name, &prefix) == 0);
+                assert_se(s = strjoin(prefix, ".service"));
+                service_name = s;
+        }
+
+        /* Reject reserved service name(s). */
+        if (streq(service_name, SPECIAL_ROOT_SERVICE))
+                return false;
+
+        return true;
+}
+
 int slice_build_parent_slice(const char *slice, char **ret) {
         char *s, *dash;
         int r;

src/basic/unit-name.h

@@ -58,6 +58,8 @@ static inline int unit_name_mangle(const char *name, UnitNameMangle flags, char
         return unit_name_mangle_with_suffix(name, flags, ".service", ret);
 }
 
+bool service_unit_name_is_valid(const char *name);
+
 int slice_build_parent_slice(const char *slice, char **ret);
 int slice_build_subslice(const char *slice, const char *name, char **subslice);
 bool slice_name_is_valid(const char *name);

src/core/service.c

@@ -552,6 +552,11 @@ static int service_verify(Service *s) {
         if (UNIT(s)->load_state != UNIT_LOADED)
                 return 0;
 
+        if (!service_unit_name_is_valid(UNIT(s)->id)) {
+                log_unit_error(UNIT(s), "Service name is invalid or reserved. Refusing.");
+                return -ENOEXEC;
+        }
+
         if (!s->exec_command[SERVICE_EXEC_START] && !s->exec_command[SERVICE_EXEC_STOP]
             && UNIT(s)->success_action == EMERGENCY_ACTION_NONE) {
                 /* FailureAction= only makes sense if one of the start or stop commands is specified.

src/test/test-unit-name.c

@@ -355,6 +355,24 @@ static void test_unit_name_build(void) {
         free(t);
 }
 
+static void test_service_unit_name_is_valid(void) {
+        assert_se(service_unit_name_is_valid("foo.service"));
+        assert_se(service_unit_name_is_valid("foo@bar.service"));
+        assert_se(service_unit_name_is_valid("foo@bar@bar.service"));
+        assert_se(service_unit_name_is_valid("--.service"));
+        assert_se(service_unit_name_is_valid(".-.service"));
+        assert_se(service_unit_name_is_valid("-foo-bar.service"));
+        assert_se(service_unit_name_is_valid("-foo-bar-.service"));
+        assert_se(service_unit_name_is_valid("foo-bar-.service"));
+
+        assert_se(!service_unit_name_is_valid("-.service"));
+        assert_se(!service_unit_name_is_valid(""));
+        assert_se(!service_unit_name_is_valid("foo.slice"));
+        assert_se(!service_unit_name_is_valid("@.service"));
+        assert_se(!service_unit_name_is_valid("@bar.service"));
+        assert_se(!service_unit_name_is_valid("-@.service"));
+}
+
 static void test_slice_name_is_valid(void) {
         assert_se( slice_name_is_valid(SPECIAL_ROOT_SLICE));
         assert_se( slice_name_is_valid("foo.slice"));
@@ -840,6 +858,7 @@ int main(int argc, char* argv[]) {
         test_unit_prefix_is_valid();
         test_unit_name_change_suffix();
         test_unit_name_build();
+        test_service_unit_name_is_valid();
         test_slice_name_is_valid();
         test_build_subslice();
         test_build_parent_slice();