core/socket: use chase_symlinks to find binary inside chroot when looking for SELinux label (#8591)

This is a follow up for this comment from @poettering:
https://github.com/systemd/systemd/pull/8405#discussion_r175719214

This updates PR #8405.

Tested manually using the same commands in
https://lists.freedesktop.org/archives/systemd-devel/2018-March/040478.html.

1 files changed, 5 insertions, 2 deletions

diff --git a/src/core/socket.c b/src/core/socket.c
index eecf6fbe18..6410939dca 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1426,7 +1426,7 @@ fail:
 static int socket_determine_selinux_label(Socket *s, char **ret) {
         Service *service;
         ExecCommand *c;
-        const char *path;
+        _cleanup_free_ char *path = NULL;
         int r;
 
         assert(s);
@@ -1453,7 +1453,10 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
                 if (!c)
                         goto no_label;
 
-                path = prefix_roota(service->exec_context.root_directory, c->path);
+                r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
+                if (r < 0)
+                        goto no_label;
+
                 r = mac_selinux_get_create_label_from_exe(path, ret);
                 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
                         goto no_label;