selinux: support infering SELinux label also from socket not connected to stdin

Fixes #19918
2024-10-14 20:17:52 +00:00 · 2021-06-29 17:10:27 +02:00 · 2021-06-29 17:10:27 +02:00 · 49590d67c9
parent 7e4dcd2d1f
commit 49590d67c9
2 changed files with 22 additions and 9 deletions
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@ -629,10 +629,12 @@
         resulting SELinux context originate from either the target
         binary that is effectively triggered by socket unit or from
         the value of the <varname>SELinuxContext=</varname> option.
-         This configuration option only affects sockets with
-         <varname>Accept=</varname> mode set to
-         <literal>yes</literal>. Also note that this option is useful
-         only when MLS/MCS SELinux policy is deployed. Defaults to
+         This configuration option applies only when activated service
+         is passed in single socket file descriptor, i.e. service
+         instances that have standard input connected to a socket or
+         services triggered by exactly one socket unit. Also note
+         that this option is useful only when MLS/MCS SELinux policy
+         is deployed. Defaults to
         <literal>false</literal>. </para></listitem>
      </varlistentry>

--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -4345,11 +4345,22 @@ static int exec_child(
        }

 #if HAVE_SELINUX
-        if (needs_sandboxing && use_selinux && params->selinux_context_net && socket_fd >= 0) {
-                r = mac_selinux_get_child_mls_label(socket_fd, executable, context->selinux_context, &mac_selinux_context_net);
-                if (r < 0) {
-                        *exit_status = EXIT_SELINUX_CONTEXT;
-                        return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+        if (needs_sandboxing && use_selinux && params->selinux_context_net) {
+                int fd = -1;
+
+                if (socket_fd >= 0)
+                        fd = socket_fd;
+                else if (params->n_socket_fds == 1)
+                        /* If stdin is not connected to a socket but we are triggered by exactly one socket unit then we
+                         * use context from that fd to compute the label. */
+                        fd = params->fds[0];
+
+                if (fd >= 0) {
+                        r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
+                        if (r < 0) {
+                                *exit_status = EXIT_SELINUX_CONTEXT;
+                                return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+                        }
                }
        }
 #endif