[PATCH] linux: handle MPTCP consistently with TCP

Paul Moore paul at paul-moore.com
Tue Jan 5 00:47:07 UTC 2021


On Wed, Dec 23, 2020 at 9:53 AM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni at redhat.com> wrote:
> >
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> >
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> >
> > Existing TCP applications converted to MPTCP - or forced to
> > use MPTCP sockets with user-space hacks - will need an
> > updated policy to run successfully.
> >
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> >
> > Note that MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > sockets.
> >
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni at redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.

I just merged this into my selinux/next tree; you should see it in the
kernel.org repos later tonight.  Thanks!

-- 
paul moore
www.paul-moore.com
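The class selection the commit message describes, as an added C model written here (not the kernel's security/selinux/hooks.c code): the mptcp_as_tcp flag is an assumption that switches between the pre- and post-patch behaviour, the enum names are simplified stand-ins for SELinux's socket classes, and IPPROTO_MPTCP's value is the one in the Linux UAPI headers.

```c
#include <stdbool.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Older libc headers lack IPPROTO_MPTCP; 262 is the Linux UAPI value. */
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262
#endif

/* Subset of SELinux socket classes relevant here (a model, not the
 * kernel's own enum). */
enum sock_class {
    CLASS_TCP_SOCKET,
    CLASS_UDP_SOCKET,
    CLASS_RAWIP_SOCKET   /* what the thread calls the raw socket class */
};

/* A SOCK_STREAM inet socket counts as TCP for protocol 0 (IPPROTO_IP)
 * or IPPROTO_TCP. With mptcp_as_tcp set (assumed flag standing in for
 * the patched kernel), IPPROTO_MPTCP is accepted as TCP as well. */
static bool stream_protocol_is_tcp(int protocol, bool mptcp_as_tcp)
{
    if (protocol == IPPROTO_IP || protocol == IPPROTO_TCP)
        return true;
    return mptcp_as_tcp && protocol == IPPROTO_MPTCP;
}

/* Classify an AF_INET/AF_INET6 socket by (type, protocol). A protocol
 * that is not the default for its type falls through to the raw IP
 * class, which is why MPTCP's distinct protocol number moved MPTCP
 * sockets out of tcp_socket before the change. */
enum sock_class classify_inet_socket(int type, int protocol,
                                     bool mptcp_as_tcp)
{
    switch (type) {
    case SOCK_STREAM:
        return stream_protocol_is_tcp(protocol, mptcp_as_tcp)
               ? CLASS_TCP_SOCKET : CLASS_RAWIP_SOCKET;
    case SOCK_DGRAM:
        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP)
               ? CLASS_UDP_SOCKET : CLASS_RAWIP_SOCKET;
    default:   /* SOCK_RAW and anything else */
        return CLASS_RAWIP_SOCKET;
    }
}
```

With mptcp_as_tcp false an MPTCP stream socket classifies as CLASS_RAWIP_SOCKET; with it true it classifies as CLASS_TCP_SOCKET, so a policy written for TCP applies unchanged.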



More information about the Linux-security-module-archive mailing list