From 360f750b01eb713dcf40ac5c3d963b0a6b398e2f Mon Sep 17 00:00:00 2001
From: Marc-Antoine Riou
Date: Thu, 6 Nov 2025 10:21:12 +0000
Subject: [PATCH] socket-label: apply SMACK label to socket and its file descriptor

When a socket unit specifies SmackLabel=, the label was previously not applied to the underlying Unix socket file or its file descriptor. This change ensures that the SMACK label is applied both to the socket path on the filesystem and to the opened socket FD.
---
 src/core/socket.c | 5 +++--
 src/shared/socket-label.c | 15 ++++++++++++++-
 src/shared/socket-label.h | 3 ++-
 src/shared/socket-netlink.c | 14 ++++++++++++--
 4 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/src/core/socket.c b/src/core/socket.c
index c8e737eaa7..3bb0149e62 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1504,7 +1504,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 static int socket_address_listen_do(
                 Socket *s,
                 const SocketAddress *address,
-                const char *label) {
+                const char *selinux_label) {
 
         assert(s);
         assert(address);
@@ -1520,7 +1520,8 @@ static int socket_address_listen_do(
                         s->transparent,
                         s->directory_mode,
                         s->socket_mode,
-                        label);
+                        selinux_label,
+                        s->smack);
 }
 
 #define log_address_error_errno(u, address, error, fmt) \
diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c
index ad64f4f63d..e16f9537a6 100644
--- a/src/shared/socket-label.c
+++ b/src/shared/socket-label.c
@@ -10,6 +10,7 @@
 #include "mkdir-label.h"
 #include "parse-util.h"
 #include "selinux-util.h"
+#include "smack-util.h"
 #include "socket-label.h"
 #include "socket-util.h"
 #include "string-table.h"
@@ -46,7 +47,8 @@ int socket_address_listen(
                 bool transparent,
                 mode_t directory_mode,
                 mode_t socket_mode,
-                const char *selinux_label) {
+                const char *selinux_label,
+                const char *smack_label) {
 
         _cleanup_close_ int fd = -EBADF;
         const char *p;
@@ -75,6 +77,12 @@ int socket_address_listen(
         if (fd < 0)
                 return fd;
 
+        if (smack_label) {
+                r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, smack_label);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to apply SMACK label for socket FD, ignoring: %m");
+        }
+
         if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) {
                 r = setsockopt_int(fd, IPPROTO_IPV6, IPV6_V6ONLY, only == SOCKET_ADDRESS_IPV6_ONLY);
                 if (r < 0)
@@ -130,6 +138,11 @@ int socket_address_listen(
                         if (r < 0)
                                 return r;
                 }
+                if (smack_label) {
+                        r = mac_smack_apply(p, SMACK_ATTR_ACCESS, smack_label);
+                        if (r < 0)
+                                log_warning_errno(r, "Failed to apply SMACK label for socket path, ignoring: %m");
+                }
         } else {
                 if (bind(fd, &a->sockaddr.sa, a->size) < 0)
                         return -errno;
diff --git a/src/shared/socket-label.h b/src/shared/socket-label.h
index 8d882cb4e2..cfcb20f187 100644
--- a/src/shared/socket-label.h
+++ b/src/shared/socket-label.h
@@ -26,4 +26,5 @@ int socket_address_listen(
                 bool transparent,
                 mode_t directory_mode,
                 mode_t socket_mode,
-                const char *selinux_label);
+                const char *selinux_label,
+                const char *smack_label);
diff --git a/src/shared/socket-netlink.c b/src/shared/socket-netlink.c
index 060388685f..885606b6e0 100644
--- a/src/shared/socket-netlink.c
+++ b/src/shared/socket-netlink.c
@@ -184,8 +184,18 @@ int make_socket_fd(int log_level, const char* address, int type, int flags) {
 
         a.type = type;
 
-        fd = socket_address_listen(&a, type | flags, SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
-                                   NULL, false, false, false, 0755, 0644, NULL);
+        fd = socket_address_listen(
+                        &a,
+                        type | flags,
+                        SOMAXCONN_DELUXE, SOCKET_ADDRESS_DEFAULT,
+                        /* bind_to_device= */ NULL,
+                        /* reuse_port= */ false,
+                        /* free_bind= */ false,
+                        /* transparent= */ false,
+                        0755,
+                        0644,
+                        /* selinux_label= */ NULL,
+                        /* smack_label= */ NULL);
 
         if (fd < 0 || log_get_max_level() >= log_level) {
                 _cleanup_free_ char *p = NULL;
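Review bot: The new block after `return fd;` downgrades a failure to apply an explicitly configured MAC label to a warning and keeps listening, so a unit with SmackLabel= can end up serving on a socket that carries the process's default label instead of the one the administrator required — for an access-control label that is a fail-open default. The listen should abort instead: `if (r < 0) return log_warning_errno(r, "Failed to apply SMACK label to socket FD: %m");`, which does not regress non-SMACK systems provided mac_smack_apply_fd() returns 0 when SMACK is unavailable, as systemd's other mac_smack_* helpers do — worth confirming against smack-util.c. It is also worth checking that security.SMACK64 (SMACK_ATTR_ACCESS) is the attribute that governs peer access to a listening socket; SMACK checks socket traffic against SMACK64IPIN/SMACK64IPOUT, and if smack-util exposes SMACK_ATTR_IPIN/IPOUT that may be the right choice for the FD, leaving SMACK64 for the path node labelled later in this function. socket_address_listen's body continues outside the hunk.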
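Review bot: In the AF_UNIX branch the chmod() directly above the new block aborts the listen on failure (`if (r < 0) return r;`), while the SMACK label application added right below it only warns and continues, so a socket node that could not be given its configured label is left on disk, bound and reachable under whatever label it inherited at bind() time. Make the two consistent by returning after the log: `if (r < 0) return log_warning_errno(r, "Failed to apply SMACK label to socket path: %m");`. Note also that the label is set by path after bind() has already created the node, so there is an unavoidable window in which the node carries the creator's label; if that matters for the deployment this should be documented in the unit-file man page for SmackLabel=, e.g. `/* Label is applied after bind(); the node briefly carries the creating process's label. */`. socket_address_listen's body continues outside the hunk.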