This series is an attempt to solve the LSM labeling breakage reported here:

https://lore.kernel.org/linux-security-module/CAHC9VhSQnhH3UL4gqzu+YiA1Q3YyLLCv88gLJOvw-0+uw5Lvkw@xxxxxxxxxxxxxx/

As per previous discussion, a new LSM hook is introduced and invoked by the mptcp code to let LSMs set the appropriate label for the newly created subflow.

I'm not sure the chosen hook name is a perfect fit; any suggestion is more than welcome.

The new hook requires both the mptcp socket reference and the subflow socket reference, even if the provided LSM implementation for selinux ends up accessing only the subflow socket. Possibly other LSM implementations could need or use the additional parameter.

Paolo Abeni (2):
  security, lsm: Introduce security_mptcp_add_subflow()
  selinux: Implement mptcp_add_subflow hook

 include/linux/lsm_hook_defs.h |  1 +
 include/linux/lsm_hooks.h     |  9 +++++++++
 include/linux/security.h      |  6 ++++++
 net/mptcp/subflow.c           |  6 ++++++
 security/security.c           |  5 +++++
 security/selinux/hooks.c      | 30 ++++++++++++++++++++++++++++++
 6 files changed, 57 insertions(+)

--
2.38.1