On Apr 20, 2023 Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx> wrote: > > Newly added subflows should inherit the LSM label from the associated > MPTCP socket regardless of the current context. > > This patch implements the above copying sid and class from the MPTCP > socket context, deleting the existing subflow label, if any, and then > re-creating the correct one. > > The new helper reuses the selinux_netlbl_sk_security_free() function, > and the latter can end-up being called multiple times with the same > argument; we additionally need to make it idempotent. > > Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx> > Acked-by: Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx> > Signed-off-by: Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx> > --- > v2: > - Address Paul's comments: > - use "MPTCP socket" instead of "msk" in the commit message > - "updated" context instead of "current" one in the comment > --- > security/selinux/hooks.c | 16 ++++++++++++++++ > security/selinux/netlabel.c | 8 ++++++-- > 2 files changed, 22 insertions(+), 2 deletions(-) Also merged into selinux/next, thanks again. -- paul-moore.com
