From: Filipe Brandenburger
Date: Wed, 28 Mar 2018 07:00:42 +0000 (-0700)
Subject: core/socket: use chase_symlinks to find binary inside chroot when looking for SELinux...
X-Git-Tag: v239~469
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2ef044ea1ec359d7ffe9c8b3c7c75429186bd8a6;p=thirdparty%2Fsystemd.git
core/socket: use chase_symlinks to find binary inside chroot when looking for SELinux label (#8591)
This is a follow up for this comment from @poettering: https://github.com/systemd/systemd/pull/8405#discussion_r175719214 This updates PR #8405. Tested manually using the same commands in https://lists.freedesktop.org/archives/systemd-devel/2018-March/040478.html.
---
diff --git a/src/core/socket.c b/src/core/socket.c
index eecf6fbe18b..6410939dca2 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1426,7 +1426,7 @@ fail:
 static int socket_determine_selinux_label(Socket *s, char **ret) {
 Service *service;
 ExecCommand *c;
- const char *path;
+ _cleanup_free_ char *path = NULL;
 int r;
 
 assert(s);
@@ -1453,7 +1453,10 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 if (!c)
 goto no_label;
 
- path = prefix_roota(service->exec_context.root_directory, c->path);
+ r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
+ if (r < 0)
+ goto no_label;
+
 r = mac_selinux_get_create_label_from_exe(path, ret);
 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
 goto no_label;
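Review bot: In the second hunk, the added `if (r < 0) goto no_label;` after `chase_symlinks()` treats every resolution failure as "no label", whereas the check just below tolerates only `-EPERM` and `-EOPNOTSUPP` from `mac_selinux_get_create_label_from_exe()`. The `no_label` target and the rest of the function are outside the hunk, but if that path returns success without a label, an out-of-memory or symlink-loop error would leave the socket without the label derived from the service binary, and nothing is logged. Consider narrowing the fall-through, e.g. `if (r == -ENOENT) goto no_label;` followed by `if (r < 0) return r;`. Failing that, a comment such as `/* Binary cannot be resolved inside the root directory: fall back to the default label */` would make the fail-open choice explicit. Separately, the resolved `path` is passed on as a string, so the label lookup presumably re-resolves it by name and is only as trustworthy as the chroot contents between the two calls.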