From: Marc-Antoine Riou
Date: Thu, 6 Nov 2025 10:21:12 +0000 (+0000)
Subject: socket-label: apply SMACK label to socket and its file descriptor
X-Git-Tag: v259-rc2~70^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F39772%2Fhead;p=thirdparty%2Fsystemd.git

socket-label: apply SMACK label to socket and its file descriptor

When a socket unit specifies SmackLabel=, the label was previously not applied to the underlying Unix socket file or its file descriptor. This change ensures that the SMACK label is applied both to the socket path on the filesystem and to the opened socket FD.
---
diff --git a/src/core/socket.c b/src/core/socket.c
index c8e737eaa72..3bb0149e625 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1504,7 +1504,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 static int socket_address_listen_do(
 Socket *s,
 const SocketAddress *address,
- const char *label) {
+ const char *selinux_label) {

 assert(s);
 assert(address);
@@ -1520,7 +1520,8 @@ static int socket_address_listen_do(
 s->transparent,
 s->directory_mode,
 s->socket_mode,
- label);
+ selinux_label,
+ s->smack);
 }

 #define log_address_error_errno(u, address, error, fmt) \
diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c
index ad64f4f63d2..e16f9537a67 100644
--- a/src/shared/socket-label.c
+++ b/src/shared/socket-label.c
@@ -10,6 +10,7 @@
 #include "mkdir-label.h"
 #include "parse-util.h"
 #include "selinux-util.h"
+#include "smack-util.h"
 #include "socket-label.h"
 #include "socket-util.h"
 #include "string-table.h"
@@ -46,7 +47,8 @@ int socket_address_listen(
 bool transparent,
 mode_t directory_mode,
 mode_t socket_mode,
- const char *selinux_label) {
+ const char *selinux_label,
+ const char *smack_label) {

 _cleanup_close_ int fd = -EBADF;
 const char *p;
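Review bot: In the second socket.c hunk the new `s->smack` argument to socket_address_listen() is passed positionally with no designator comment, while the call site this same commit rewrites in socket-netlink.c annotates every such argument; writing it as `/* smack_label= */ s->smack` keeps the two call sites consistent and makes the twelfth positional parameter readable without opening the header. The body of socket_address_listen_do starts outside this hunk, so whether `s->smack` is validated or normalized before this point is not visible here.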
@@ -75,6 +77,12 @@ int socket_address_listen(
 if (fd < 0)
 return fd;

+ if (smack_label) {
+ r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, smack_label);
+ if (r < 0)
+ log_warning_errno(r, "Failed to apply SMACK label for socket FD, ignoring: %m");
+ }
+
 if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
 r = setsockopt_int(fd, IPPROTO_IPV6, IPV6_V6ONLY, only == SOCKET_ADDRESS_IPV6_ONLY);
 if (r < 0)
@@ -130,6 +138,11 @@ int socket_address_listen(
 if (r < 0)
 return r;
 }
+ if (smack_label) {
+ r = mac_smack_apply(p, SMACK_ATTR_ACCESS, smack_label);
+ if (r < 0)
+ log_warning_errno(r, "Failed to apply SMACK label for socket path, ignoring: %m");
+ }
 } else {
 if (bind(fd, &a->sockaddr.sa, a->size) < 0)
 return -errno;
diff --git a/src/shared/socket-label.h b/src/shared/socket-label.h
index 8d882cb4e28..cfcb20f187e 100644
--- a/src/shared/socket-label.h
+++ b/src/shared/socket-label.h
@@ -26,4 +26,5 @@ int socket_address_listen(
 bool transparent,
 mode_t directory_mode,
 mode_t socket_mode,
- const char *selinux_label);
+ const char *selinux_label,
+ const char *smack_label);
diff --git a/src/shared/socket-netlink.c b/src/shared/socket-netlink.c
index 060388685f6..885606b6e0d 100644
--- a/src/shared/socket-netlink.c
+++ b/src/shared/socket-netlink.c
@@ -184,8 +184,18 @@ int make_socket_fd(int log_level, const char* address, int type, int flags) {
 a.type = type;
- fd = socket_address_listen(&a, type | flags, SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
- NULL, false, false, false, 0755, 0644, NULL);
+ fd = socket_address_listen(
+ &a,
+ type | flags,
+ SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
+ /* bind_to_device= */ NULL,
+ /* reuse_port= */ false,
+ /* free_bind= */ false,
+ /* transparent= */ false,
+ 0755,
+ 0644,
+ /* selinux_label= */ NULL,
+ /* smack_label= */ NULL);
 if (fd < 0 || log_get_max_level() >= log_level) {
 _cleanup_free_ char *p = NULL;
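Review bot: In the @@ -75 hunk a failed `mac_smack_apply_fd()` is demoted to a warning and the socket is kept, so a unit that explicitly set SmackLabel= can end up listening under whatever label the socket received by default rather than the one the administrator configured; for a mandatory-access-control label, failure to apply it is normally a reason to fail the listen, so I would expect `if (r < 0) return r;` here, and the path labelling in the @@ -130 hunk has the same warning-and-ignore pattern. If the intent is that `mac_smack_apply_fd()` already returns 0 when SMACK is not available and only genuine xattr failures reach this branch, that rationale belongs in a comment above the block, e.g. `/* SMACK being unavailable is handled inside mac_smack_apply_fd(); an error here means the configured label cannot be enforced. */` — smack-util is not visible from this hunk, so please confirm which it is. Separately, the fd label is applied before bind() while the path label in the later hunk is applied after it, so for AF_UNIX the socket inode briefly exists with its default label; if that window is acceptable, a one-line comment saying so next to the `mac_smack_apply(p, ...)` call would save the next reader the same question. The body of socket_address_listen continues outside both hunks.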