From bdfe5e97cd3389b87ae94a0f6a848609559e7a88 Mon Sep 17 00:00:00 2001
From: naglis <827324+naglis@users.noreply.github.com>
Date: Fri, 15 Sep 2023 22:27:19 +0300
Subject: [PATCH] systemd: base "RestrictAddressFamilies" on build options

This allows to not allow `AF_NETLINK` if `smbclient` is not enabled.
---
 systemd/meson.build | 7 +++++++
 systemd/system/mpd.service.in | 3 +--
 systemd/user/mpd.service.in | 3 +--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/systemd/meson.build b/systemd/meson.build
index 9f81d3ffd..1ae36c0ff 100644
--- a/systemd/meson.build
+++ b/systemd/meson.build
@@ -1,6 +1,13 @@
 systemd_unit_conf = configuration_data()
 systemd_unit_conf.set('prefix', get_option('prefix'))
 
+address_families = ['AF_INET', 'AF_INET6', 'AF_UNIX']
+if get_option('smbclient').enabled()
+ # AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+ address_families += 'AF_NETLINK'
+endif
+systemd_unit_conf.set('address_families', ' '.join(address_families))
+
 systemd_socket_conf = configuration_data()
 listen_streams = []
 if get_option('local_socket')
diff --git a/systemd/system/mpd.service.in b/systemd/system/mpd.service.in
index 87bc88942..fcb4b52c1 100644
--- a/systemd/system/mpd.service.in
+++ b/systemd/system/mpd.service.in
@@ -27,8 +27,7 @@ NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes
 
 [Install]
diff --git a/systemd/user/mpd.service.in b/systemd/user/mpd.service.in
index 91b24dc5f..16ad03b0d 100644
--- a/systemd/user/mpd.service.in
+++ b/systemd/user/mpd.service.in
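Review bot: In systemd/meson.build, `if get_option('smbclient').enabled()` is true only when the feature option is explicitly `enabled`, so a build configured with `auto` that does find and link libsmbclient would still generate units without `AF_NETLINK`; by the comment in this same hunk, libsmbclient then calls exit(). Testing the negated disabled state instead, `if not get_option('smbclient').disabled()`, fails toward a working service, at the cost of keeping `AF_NETLINK` allowed when `auto` resolves to "not found". Keying the list on the result of the actual libsmbclient dependency lookup would be exact, provided that lookup has already run when this file is processed, which is not visible in the hunk.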
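Review bot: In systemd/system/mpd.service.in the explanatory comment is deleted together with the literal list, so the installed unit no longer says why its `RestrictAddressFamilies=` value differs between builds; the systemd/user/mpd.service.in hunk has the same gap. I would keep one comment line above the directive in both templates, e.g. `# address families are computed in systemd/meson.build; AF_NETLINK is only included for libsmbclient`. Since a family missing from this list makes socket() fail with EAFNOSUPPORT, it is also worth confirming that no other enabled feature opens netlink sockets before `AF_NETLINK` disappears from builds without smbclient; nothing in the patch shows that this was checked.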
@@ -28,8 +28,7 @@ ProtectSystem=yes
 NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes
 
 # Note that "ProtectKernelModules=yes" is missing in the user unit