I'd appreciate it if some committers would review this pull request and add comments as it seems to have stalled. https://github.com/systemd/systemd/pull/24702
>From 86f28a8638a59cb73800c54b26c0bd5874bc50dc Mon Sep 17 00:00:00 2001
From: "Ted X. Toth" <txtoth@xxxxxxxxxxx>
Date: Tue, 13 Sep 2022 15:27:47 -0700
Subject: [PATCH] Use target process context to set socket context when using SELinuxContextFromNet not systemds context
---
 src/core/socket.c | 46 +++++++++++++++++-----------------------------
 1 file changed, 17 insertions(+), 29 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index f67a79705499..ad0e81607807 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1409,39 +1409,27 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
         assert(s);
         assert(ret);
-        if (s->selinux_context_from_net) {
-                /* If this is requested, get the label from the network label */
+        Unit *service;
+        ExecCommand *c;
+        _cleanup_free_ char *path = NULL;
-                r = mac_selinux_get_our_label(ret);
-                if (r == -EOPNOTSUPP)
-                        goto no_label;
-
-        } else {
-                /* Otherwise, get it from the executable we are about to start. */
-
-                Unit *service;
-                ExecCommand *c;
-                _cleanup_free_ char *path = NULL;
-
-                r = socket_load_service_unit(s, -1, &service);
-                if (r == -ENODATA)
-                        goto no_label;
-                if (r < 0)
-                        return r;
-
-                c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
-                if (!c)
-                        goto no_label;
+        r = socket_load_service_unit(s, -1, &service);
+        if (r == -ENODATA)
+                goto no_label;
+        if (r < 0)
+                return r;
-                r = chase_symlinks(c->path, SERVICE(service)->exec_context.root_directory, CHASE_PREFIX_ROOT, &path, NULL);
-                if (r < 0)
-                        goto no_label;
+        c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
+        if (!c)
+                goto no_label;
-                r = mac_selinux_get_create_label_from_exe(path, ret);
-                if (IN_SET(r, -EPERM, -EOPNOTSUPP))
-                        goto no_label;
-        }
+        r = chase_symlinks(c->path, SERVICE(service)->exec_context.root_directory, CHASE_PREFIX_ROOT, &path, NULL);
+        if (r < 0)
+                goto no_label;
+        r = mac_selinux_get_create_label_from_exe(path, ret);
+        if (IN_SET(r, -EPERM, -EOPNOTSUPP))
+                goto no_label;
         return r;
 no_label:
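Review bot: The new code never reads `s->selinux_context_from_net` any more, yet the commit title frames the change as specific to SELinuxContextFromNet=, and the comment that explained the exe-derived path was dropped along with the old else-branch, so a reader of socket_determine_selinux_label() now sees an unconditional mac_selinux_get_create_label_from_exe() call with no rationale. A one-line comment above the socket_load_service_unit() call should state the intent, e.g. `/* Always derive the create label from the service's ExecStart binary, also when SELinuxContextFromNet= is set: the listening socket should carry the service's label, not systemd's own. */`. The policy consequence should be spelled out as well: a socket that was previously created under systemd's own context (mac_selinux_get_our_label) is now labelled by the transition computed from the service executable, so SELinux policies that only permitted the init domain to create it will need updating — presumably the intended fix, but the commit message should call it a behaviour change rather than a bug fix. The declaration of r and the no_label: handler lie outside the hunk, and whether selinux_context_from_net is still consulted elsewhere (e.g. on the accept path) cannot be confirmed from what is shown.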