On Wed, Apr 19, 2023 at 1:44 PM Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx> wrote:
>
> From: Paolo Abeni <pabeni@xxxxxxxxxx>
>
> MPTCP can create subflows in kernel context, and later indirectly
> expose them to user-space, via the owning mptcp socket.
>
> As discussed in the reported link, the above causes unexpected failures
> for server, MPTCP-enabled applications.
>
> Let's introduce a new LSM hook to allow the security module to relabel
> the subflow according to the owing process.

"... according to the main MPTCP socket."

You might also want to stick with a consistent capitalization of
"MPTCP" in the commit description, but that is being *really* nitpicky
on my part ;)

There is a suggestion for some additional comments in the hook's
description below, but otherwise this looks good to me.

> Note that the new hook requires both the mptcp socket and the new
> subflow. This could allow future extensions, e.g. explicitly validating
> the mptcp <-> subflow linkage.
>
> Link: https://lore.kernel.org/mptcp/CAHC9VhTNh-YwiyTds=P1e3rixEDqbRTFj22bpya=+qJqfcaMfg@xxxxxxxxxxxxxx/
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> Acked-by: Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx>
> Signed-off-by: Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx>
> ---
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/security.h | 6 ++++++
> net/mptcp/subflow.c | 6 ++++++
> security/security.c | 15 +++++++++++++++
> 4 files changed, 28 insertions(+)

...

> diff --git a/security/security.c b/security/security.c
> index f4170efcddda..24cf2644a4b9 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4667,6 +4667,21 @@ int security_sctp_assoc_established(struct sctp_association *asoc, > } > EXPORT_SYMBOL(security_sctp_assoc_established); > > +/** > + * security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket > + * @sk: the owning MPTCP socket > + * @ssk: the new subflow > + * > + * Update the labeling for the given MPTCP subflow, to match the one of the > + * owning MPTCP socket. I would add a sentence at the end making it clear that this hook is called after the socket has been created and initialized via the security_socket_create() and security_socket_post_create() LSM hooks. > + * > + * Return: Returns 0 on success or a negative error code on failure. > + */ > +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) > +{ > + return call_int_hook(mptcp_add_subflow, 0, sk, ssk); > +} > + > #endif /* CONFIG_SECURITY_NETWORK */ > > #ifdef CONFIG_SECURITY_INFINIBAND > > -- > 2.39.2 -- paul-moore.com
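
Review bot: the kernel-doc on security_mptcp_add_subflow() in security/security.c does not say what the caller is expected to do with a negative return, and the net/mptcp/subflow.c call site is elided from this reply, so that cannot be checked from the lines shown. Since the hook exists to relabel a kernel-created subflow before it is exposed through the owning MPTCP socket, the comment should state that a subflow for which the hook fails must not be used, and the call site should be confirmed to propagate the error rather than ignore it. Minor: "Return: Returns 0 on success" can drop the second "Returns". Also note that the new function has no EXPORT_SYMBOL(), unlike security_sctp_assoc_established() directly above it, which is fine only as long as every caller is built in.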