On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote: > On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@xxxxxxxxxx> wrote: > > The MPTCP protocol uses a specific protocol value, even if > > it's an extension to TCP. Additionally, MPTCP sockets > > could 'fall-back' to TCP at run-time, depending on peer MPTCP > > support and available resources. > > > > As a consequence of the specific protocol number, selinux > > applies the raw_socket class to MPTCP sockets. > > > > Existing TCP application converted to MPTCP - or forced to > > use MPTCP socket with user-space hacks - will need an > > updated policy to run successfully. > > > > This change lets selinux attach the TCP socket class to > > MPTCP sockets, too, so that no policy changes are needed in > > the above scenario. > > > > Note that the MPTCP is setting, propagating and updating the > > security context on all the subflows and related request > > socket. > > > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@xxxxxxxxxxxxxx/T/#t > > Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx> > > --- > > security/selinux/hooks.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > Based on our discussion in the previous thread, the patch below seems > fine, although it needs to wait until after the merge window closes. > > Paolo, it sounded like there was at least one other small MPTCP fix > needed, likely in the stack itself and not the LSM/SELinux code, has > that patch been submitted already? Yes, it's already in the Linus's tree: commit 0c14846032f2c0a3b63234e1fc2759f4155b6067 Author: Paolo Abeni <pabeni@xxxxxxxxxx> Date: Wed Dec 16 12:48:32 2020 +0100 mptcp: fix security context on server socket Thanks for the feedback && happy new year;) Paolo
