b11b5f
From 1f408c8d9739b1038012eeec7bf0f918c8095bc4 Mon Sep 17 00:00:00 2001
b11b5f
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
b11b5f
Date: Fri, 23 Sep 2022 19:00:22 +0200
b11b5f
Subject: [PATCH] core: respect SELinuxContext= for socket creation
b11b5f
b11b5f
On socket creation respect the SELinuxContext= setting of the associated
b11b5f
service, such that the initial created socket has the same label as the
b11b5f
future process accepting the connection (since, w.r.t. SELinux, sockets
b11b5f
normally have the same label as the owning process).
b11b5f
b11b5f
Triggered by #24702
b11b5f
b11b5f
(cherry picked from commit 599b384924bbef9f8f7fa5700c6fa35a404d9a98)
b11b5f
b11b5f
Related: #2136738
b11b5f
---
b11b5f
 src/core/socket.c | 15 ++++++++++++++-
b11b5f
 1 file changed, 14 insertions(+), 1 deletion(-)
b11b5f
b11b5f
diff --git a/src/core/socket.c b/src/core/socket.c
b11b5f
index 9d47ca2616..d1ca0a07c5 100644
b11b5f
--- a/src/core/socket.c
b11b5f
+++ b/src/core/socket.c
b11b5f
@@ -1427,6 +1427,7 @@ fail:
b11b5f
 static int socket_determine_selinux_label(Socket *s, char **ret) {
b11b5f
         Service *service;
b11b5f
         ExecCommand *c;
b11b5f
+        const char *exec_context;
b11b5f
         _cleanup_free_ char *path = NULL;
b11b5f
         int r;
b11b5f
 
b11b5f
@@ -1448,8 +1449,20 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
b11b5f
 
b11b5f
                 if (!UNIT_ISSET(s->service))
b11b5f
                         goto no_label;
b11b5f
-
b11b5f
                 service = SERVICE(UNIT_DEREF(s->service));
b11b5f
+
b11b5f
+                exec_context = service->exec_context.selinux_context;
b11b5f
+                if (exec_context) {
b11b5f
+                        char *con;
b11b5f
+
b11b5f
+                        con = strdup(exec_context);
b11b5f
+                        if (!con)
b11b5f
+                                return -ENOMEM;
b11b5f
+
b11b5f
+                        *ret = TAKE_PTR(con);
b11b5f
+                        return 0;
b11b5f
+                }
b11b5f
+
b11b5f
                 c = service->exec_command[SERVICE_EXEC_START];
b11b5f
                 if (!c)
b11b5f
                         goto no_label;
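Review bot: The new branch hands back the configured SELinuxContext= string verbatim, but the `-` (ignore-failure) prefix that systemd parses into the separate selinux_context_ignore flag of the exec context is not consulted here, so a context the service would tolerate failing at exec time presumably makes socket creation fail in the caller instead; that failure handling sits outside this hunk, so I would either mirror the flag or state the decision in a comment. A comment on why this branch precedes the ExecStart lookup would also help: `/* An explicit SELinuxContext= wins over the label derived from the ExecStart binary, so the socket carries the label of the accepting process. */`. Style-wise `TAKE_PTR(con)` is unnecessary for a local that is not reused afterwards, `*ret = con;` reads cleaner, and `exec_context` could be declared at first use rather than at the top of the function (first hunk). socket_determine_selinux_label begins before and continues past this hunk.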