On Mon, Feb 14, 2022 at 11:13 PM Xin Long <lucien.xin@xxxxxxxxx> wrote:
> Looks okay to me.
>
> The difference from the old one is that: with
> selinux_sctp_process_new_assoc() called in
> selinux_sctp_assoc_established(), the client sksec->peer_sid is using
> the first asoc's peer_secid, instead of the latest asoc's peer_secid.
> And not sure if it will cause any problems when doing the extra check
> sksec->peer_sid != asoc->peer_secid for the latest asoc and *returns
> err*. But I don't know about selinux, I guess there must be a reason
> from selinux side.

Generally speaking we don't want to change any SELinux socket labels once it has been created. While the peer_sid is a bit different, changing it after userspace has access to the socket could be problematic. In the case where the peer_sid differs between the two we have a permission check which allows policy to control this behavior which seems like the best option at this point.

> I will ACK on patch 0/2.

Thanks, I'm going to go ahead and merge these two patches into selinux/next right now.

--
paul-moore.com