socket-label: apply SMACK label to socket and its file descriptor

When a socket unit specifies SmackLabel=, the label was previously
not applied to the underlying Unix socket file or its file descriptor.
This change ensures that the SMACK label is applied both to the
socket path on the filesystem and to the opened socket FD.

src/core/socket.c

@@ -1504,7 +1504,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 static int socket_address_listen_do(
                 Socket *s,
                 const SocketAddress *address,
-                const char *label) {
+                const char *selinux_label) {
 
         assert(s);
         assert(address);
@@ -1520,7 +1520,8 @@ static int socket_address_listen_do(
                         s->transparent,
                         s->directory_mode,
                         s->socket_mode,
-                        label);
+                        selinux_label,
+                        s->smack);
 }
 
 #define log_address_error_errno(u, address, error, fmt)          \

src/shared/socket-label.c

@@ -10,6 +10,7 @@
 #include "mkdir-label.h"
 #include "parse-util.h"
 #include "selinux-util.h"
+#include "smack-util.h"
 #include "socket-label.h"
 #include "socket-util.h"
 #include "string-table.h"
@@ -46,7 +47,8 @@ int socket_address_listen(
                 bool transparent,
                 mode_t directory_mode,
                 mode_t socket_mode,
-                const char *selinux_label) {
+                const char *selinux_label,
+                const char *smack_label) {
 
         _cleanup_close_ int fd = -EBADF;
         const char *p;
@@ -75,6 +77,12 @@ int socket_address_listen(
         if (fd < 0)
                 return fd;
 
+        if (smack_label) {
+                r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, smack_label);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to apply SMACK label for socket FD, ignoring: %m");
+        }
+
         if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
                 r = setsockopt_int(fd, IPPROTO_IPV6, IPV6_V6ONLY, only == SOCKET_ADDRESS_IPV6_ONLY);
                 if (r < 0)
@@ -130,6 +138,11 @@ int socket_address_listen(
                         if (r < 0)
                                 return r;
                 }
+                if (smack_label) {
+                        r = mac_smack_apply(p, SMACK_ATTR_ACCESS, smack_label);
+                        if (r < 0)
+                                log_warning_errno(r, "Failed to apply SMACK label for socket path, ignoring: %m");
+                }
         } else {
                 if (bind(fd, &a->sockaddr.sa, a->size) < 0)
                         return -errno;

src/shared/socket-label.h

@@ -26,4 +26,5 @@ int socket_address_listen(
                 bool transparent,
                 mode_t directory_mode,
                 mode_t socket_mode,
-                const char *selinux_label);
+                const char *selinux_label,
+                const char *smack_label);

src/shared/socket-netlink.c

@@ -184,8 +184,18 @@ int make_socket_fd(int log_level, const char* address, int type, int flags) {
 
         a.type = type;
 
-        fd = socket_address_listen(&a, type | flags, SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
-                                   NULL, false, false, false, 0755, 0644, NULL);
+        fd = socket_address_listen(
+                        &a,
+                        type | flags,
+                        SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
+                        /* bind_to_device= */ NULL,
+                        /* reuse_port= */ false,
+                        /* free_bind= */ false,
+                        /* transparent= */ false,
+                        0755,
+                        0644,
+                        /* selinux_label= */ NULL,
+                        /* smack_label= */ NULL);
         if (fd < 0 || log_get_max_level() >= log_level) {
                 _cleanup_free_ char *p = NULL;