[PATCH] linux: handle MPTCP consistently with TCP

Paolo Abeni pabeni at redhat.com
Wed Dec 23 15:10:21 UTC 2020


On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni at redhat.com> wrote:
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> > 
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> > 
> > Existing TCP application converted to MPTCP - or forced to
> > use MPTCP socket with user-space hacks - will need an
> > updated policy to run successfully.
> > 
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> > 
> > Note that the MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > socket.
> > 
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni at redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.
> 
> Paolo, it sounded like there was at least one other small MPTCP fix
> needed, likely in the stack itself and not the LSM/SELinux code, has
> that patch been submitted already?

Yes, it's already in the Linus's tree:

commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
Author: Paolo Abeni <pabeni at redhat.com>
Date:   Wed Dec 16 12:48:32 2020 +0100

    mptcp: fix security context on server socket

Thanks for the feedback && happy new year;)

Paolo



More information about the Linux-security-module-archive mailing list