diff --git a/src/core/socket.c b/src/core/socket.c
index c8e737eaa7..3bb0149e62 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1504,7 +1504,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 static int socket_address_listen_do(
 Socket *s,
 const SocketAddress *address,
- const char *label) {
+ const char *selinux_label) {
 assert(s);
 assert(address);
@@ -1520,7 +1520,8 @@ static int socket_address_listen_do(
 s->transparent,
 s->directory_mode,
 s->socket_mode,
- label);
+ selinux_label,
+ s->smack);
 }
 #define log_address_error_errno(u, address, error, fmt) \
diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c
index ad64f4f63d..e16f9537a6 100644
--- a/src/shared/socket-label.c
+++ b/src/shared/socket-label.c
@@ -10,6 +10,7 @@
 #include "mkdir-label.h"
 #include "parse-util.h"
 #include "selinux-util.h"
+#include "smack-util.h"
 #include "socket-label.h"
 #include "socket-util.h"
 #include "string-table.h"
@@ -46,7 +47,8 @@ int socket_address_listen(
 bool transparent,
 mode_t directory_mode,
 mode_t socket_mode,
- const char *selinux_label) {
+ const char *selinux_label,
+ const char *smack_label) {
 _cleanup_close_ int fd = -EBADF;
 const char *p;
@@ -75,6 +77,12 @@ int socket_address_listen(
 if (fd < 0)
 return fd;
+ if (smack_label) { r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, smack_label); if (r < 0) log_warning_errno(r, "Failed to apply SMACK label for socket FD, ignoring: %m"); }
+
 if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
 r = setsockopt_int(fd, IPPROTO_IPV6, IPV6_V6ONLY, only == SOCKET_ADDRESS_IPV6_ONLY);
 if (r < 0)
@@ -130,6 +138,11 @@ int socket_address_listen(
 if (r < 0)
 return r;
 }
+ if (smack_label) { r = mac_smack_apply(p, SMACK_ATTR_ACCESS, smack_label); if (r < 0) log_warning_errno(r, "Failed to apply SMACK label for socket path, ignoring: %m"); }
 } else {
 if (bind(fd, &a->sockaddr.sa, a->size) < 0)
 return -errno;
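Review bot: In the second socket.c hunk the SMACK label is read straight from the Socket as `s->smack` inside socket_address_listen_do(), while the SELinux label keeps arriving through the `selinux_label` parameter the first hunk renamed, so the helper now mixes an explicit and an implicit input of the same kind. Either thread the SMACK label in as a parameter next to `selinux_label`, or add a one-line comment at the call, e.g. `/* SMACK label is static unit config; the SELinux label is computed per socket by the caller */` — that wording is inferred from the `socket_determine_selinux_label` name in the hunk header and should be confirmed against the caller. socket_address_listen_do() starts and ends outside this hunk.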
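Review bot: In the socket-label.c hunk starting at `@@ -75,6 +77,12 @@`, a failing `mac_smack_apply_fd()` is only logged and the function carries on to bind and listen, so a socket that was supposed to carry a SMACK label can end up serving with the default label; a mandatory-access-control label is not a good candidate for best-effort handling. The `if (r < 0) return r;` context immediately before the path-labelling block in the later hunk suggests the existing labelling step in this function is fatal on error (its call is outside the hunk, so check), which makes the two labels behave inconsistently. Assuming mac_smack_apply_fd() returns 0 when SMACK is not in use — verify in smack-util.c — the safer form is `if (r < 0) return log_warning_errno(r, "Failed to apply SMACK label for socket FD: %m");`, or at least a header comment stating that SMACK labelling is best-effort so callers know. socket_address_listen() begins and ends outside this hunk.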
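Review bot: In the socket-label.c hunk starting at `@@ -130,6 +138,11 @@` the path label is applied by name to `p` after the socket node already exists, and a failure is again only logged, so the filesystem node can end up with a different label from the fd labelled earlier in the same function; the two labelling steps should fail the same way, e.g. `if (r < 0) return r;` in place of the warning. Separately, if `mac_smack_apply()` sets the attribute with symlink-following semantics (not visible here — check whether it uses lsetxattr or setxattr), a writable parent directory would let another user swap `p` for a symlink between the bind and this call and have the label land on an unrelated file; confirming no-follow semantics, or labelling via the fd where the attribute supports it, would close that. The enclosing `if` branch and the bind for the path case start above this hunk.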
diff --git a/src/shared/socket-label.h b/src/shared/socket-label.h
index 8d882cb4e2..cfcb20f187 100644
--- a/src/shared/socket-label.h
+++ b/src/shared/socket-label.h
@@ -26,4 +26,5 @@ int socket_address_listen(
 bool transparent,
 mode_t directory_mode,
 mode_t socket_mode,
- const char *selinux_label);
+ const char *selinux_label,
+ const char *smack_label);
diff --git a/src/shared/socket-netlink.c b/src/shared/socket-netlink.c
index 060388685f..885606b6e0 100644
--- a/src/shared/socket-netlink.c
+++ b/src/shared/socket-netlink.c
@@ -184,8 +184,18 @@ int make_socket_fd(int log_level, const char* address, int type, int flags) {
 a.type = type;
- fd = socket_address_listen(&a, type | flags, SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
- NULL, false, false, false, 0755, 0644, NULL);
+ fd = socket_address_listen(
+ &a,
+ type | flags,
+ SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
+ /* bind_to_device= */ NULL,
+ /* reuse_port= */ false,
+ /* free_bind= */ false,
+ /* transparent= */ false,
+ 0755,
+ 0644,
+ /* selinux_label= */ NULL,
+ /* smack_label= */ NULL);
 if (fd < 0 || log_get_max_level() >= log_level) {
 _cleanup_free_ char *p = NULL;
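Review bot: The new `smack_label` parameter in the socket-label.h declaration is undocumented, and socket_address_listen() now has eleven positional parameters, two of which are optional labels that the socket-label.c hunks only act on when non-NULL. Add a comment above the declaration saying that both `selinux_label` and `smack_label` may be NULL to skip labelling, and stating what a labelling failure does to the return value (in the socket-label.c change a SMACK failure is logged and ignored), since that contract is what callers need to know before relying on the label. Suggested text: `/* selinux_label and smack_label are optional (NULL skips labelling); a SMACK labelling failure is logged and ignored. */`. The declaration begins above this hunk.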
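Review bot: In the socket-netlink.c hunk the two remaining bare arguments `0755,` and `0644,` in the rewritten socket_address_listen() call lack the `/* name= */` annotations their neighbours received, and `SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT` still share one line, which defeats the point of splitting the call. Write them as `/* directory_mode= */ 0755,` and `/* socket_mode= */ 0644,` (the names are visible in the socket-label.h hunk) and put the backlog and IPv6-only arguments on their own annotated lines; their parameter names are outside the visible hunks, so take them from the header. make_socket_fd() continues past this hunk.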