git.ipfire.org Git - thirdparty/systemd.git/commit
core: SMACK label to Unix socket path and FD (#39772)
author     Yu Watanabe <watanabe.yu+github@gmail.com>
           Thu, 20 Nov 2025 04:23:51 +0000 (13:23 +0900)
committer  GitHub <noreply@github.com>
           Thu, 20 Nov 2025 04:23:51 +0000 (13:23 +0900)
commit     70fa7d4cccfaa7410aed63b97709f6bd19c8371d
tree       90f936f707feaf21d229b6fa2cac9a81bd476f3f
parent     5de39570c857f5ec2dae19d42ce23450ee0be912
parent     360f750b01eb713dcf40ac5c3d963b0a6b398e2f
core: SMACK label to Unix socket path and FD (#39772)

Currently, when a socket unit specifies SmackLabel=,
the label is not applied to the underlying Unix socket file or its file
descriptor.

This change ensures that the SMACK label is applied both to the
Unix socket path on the filesystem and to all associated socket FDs
when the socket is created.

Testing:

- Tested on Fedora 43 with kernel 6.17.7 with SMACK enabled.
- Created a systemd socket unit:

    [Unit]
    Description=UNIX socket

    [Socket]
    ListenStream=/run/test.sock
    SmackLabel=label

    [Install]
    WantedBy=sockets.target

- Created a corresponding service:

    [Unit]
    Description=UNIX socket service
    Requires=test.socket

    [Service]
    ExecStart=/usr/bin/socat -v - -
    StandardInput=socket

    [Install]
    WantedBy=multi-user.target

- Verified SMACK labels using getfattr:

  - Without SmackLabel:
    ```
    # file: run/test.sock
    security.SMACK64="_"
    # file: proc/<pid>/fd/*
    security.SMACK64="*"
    ```
  - With SmackLabel=label:
    ```
    # file: run/test.sock
    security.SMACK64="label"
    # file: proc/<pid>/fd/*
    security.SMACK64="label"
    ```