On 12/16/2020 3:55 AM, Paolo Abeni wrote: > The MPTCP protocol uses a specific protocol value, even if > it's an extension to TCP. Additionally, MPTCP sockets > could 'fall-back' to TCP at run-time, depending on peer MPTCP > support and available resources. > > As a consequence of the specific protocol number, selinux > applies the raw_socket class to MPTCP sockets. Have you looked at the implications for Smack? > > Existing TCP application converted to MPTCP - or forced to > use MPTCP socket with user-space hacks - will need an > updated policy to run successfully. > > This change lets selinux attach the TCP socket class to > MPTCP sockets, too, so that no policy changes are needed in > the above scenario. > > Note that the MPTCP is setting, propagating and updating the > security context on all the subflows and related request > socket. > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@xxxxxxxxxxxxxx/T/#t > Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx> > --- > security/selinux/hooks.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 6fa593006802..451bded67d9c 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode) > > static inline int default_protocol_stream(int protocol) > { > - return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); > + return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || > + protocol == IPPROTO_MPTCP); > } > > static inline int default_protocol_dgram(int protocol)
