Currently, when a socket unit specifies SmackLabel=,
the label is not applied to the underlying Unix socket file or its file
descriptor.
This change ensures that the SMACK label is applied both to the
Unix socket path on the filesystem and to all associated socket FDs
when the socket is created.
Testing:
- Tested on Fedora 43 with kernel 6.17.7 with SMACK enabled.
- Created a systemd socket unit:
[Unit]
Description=UNIX socket
[Socket]
ListenStream=/run/test.sock
SmackLabel=label
[Install]
WantedBy=sockets.target
- Created a corresponding service:
[Unit]
Description=UNIX socket service
Requires=test.socket
[Service]
ExecStart=/usr/bin/socat -v - -
StandardInput=socket
[Install]
WantedBy=multi-user.target
- Verified SMACK labels using getfattr:
- Without SmackLabel:
```
# file: run/test.sock
security.SMACK64="_"
# file: proc/<pid>/fd/*
security.SMACK64="*"
```
- With SmackLabel=label:
```
# file: run/test.sock
security.SMACK64="label"
# file: proc/<pid>/fd/*
security.SMACK64="label"
```
projects / thirdparty / systemd.git / commitdiff
