From: Yu Watanabe
Date: Thu, 20 Nov 2025 04:23:51 +0000 (+0900)
Subject: core: SMACK label to Unix socket path and FD (#39772)
X-Git-Tag: v259-rc2~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70fa7d4cccfaa7410aed63b97709f6bd19c8371d;p=thirdparty%2Fsystemd.git

core: SMACK label to Unix socket path and FD (#39772)

Currently, when a socket unit specifies SmackLabel=, the label is not
applied to the underlying Unix socket file or its file descriptor.
This change ensures that the SMACK label is applied both to the Unix
socket path on the filesystem and to all associated socket FDs when the
socket is created.

Testing:
- Tested on Fedora 43 with kernel 6.17.7 with SMACK enabled.
- Created a systemd socket unit:

    [Unit]
    Description=UNIX socket

    [Socket]
    ListenStream=/run/test.sock
    SmackLabel=label

    [Install]
    WantedBy=sockets.target

- Created a corresponding service:

    [Unit]
    Description=UNIX socket service
    Requires=test.socket

    [Service]
    ExecStart=/usr/bin/socat -v - -
    StandardInput=socket

    [Install]
    WantedBy=multi-user.target

- Verified SMACK labels using getfattr:
  - Without SmackLabel:
    ```
    # file: run/test.sock
    security.SMACK64="_"
    # file: proc//fd/*
    security.SMACK64="*"
    ```
  - With SmackLabel=label:
    ```
    # file: run/test.sock
    security.SMACK64="label"
    # file: proc//fd/*
    security.SMACK64="label"
    ```
---
70fa7d4cccfaa7410aed63b97709f6bd19c8371d
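The getfattr verification step described in the commit message can be automated; the following is an added example, not part of the commit or of systemd. It parses getfattr's text dump and reports every path that does not carry the expected `security.SMACK64` label. The sample input is constructed, the PID 1234 in it is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the getfattr output quoted in the
# commit message; the /proc paths with PID 1234 are made-up placeholders.
SAMPLE = '''\
# file: run/test.sock
security.SMACK64="label"

# file: proc/1234/fd/3
security.SMACK64="*"

# file: proc/1234/fd/4
user.comment="no smack attribute here"
'''

ATTR = "security.SMACK64"
_FILE_RE = re.compile(r"^# file: (.+)$")
_ATTR_RE = re.compile(r'^([^=\s]+)="(.*)"$')  # text-encoded values only


def parse_getfattr(dump):
    """Return {path: {attr_name: value}} from getfattr's text dump."""
    result, current = {}, None
    for line in dump.splitlines():
        m = _FILE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return result


def mislabeled(dump, expected):
    """Return {path: actual_label_or_None} for paths not labelled `expected`."""
    bad = {}
    for path, attrs in parse_getfattr(dump).items():
        actual = attrs.get(ATTR)  # None when the attribute is absent
        if actual != expected:
            bad[path] = actual
    return bad


if __name__ == "__main__":
    for path, actual in mislabeled(SAMPLE, "label").items():
        print(f"{path}: expected 'label', got {actual!r}")
```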