Broken SELinux/LSM labeling with MPTCP and accept(2)
Florian Westphal
fw at strlen.de
Fri Dec 2 12:23:32 UTC 2022
Paolo Abeni <pabeni at redhat.com> wrote:
> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> index 99f5e51d5ca4..b8095b8df71d 100644
> --- a/net/mptcp/protocol.c
> +++ b/net/mptcp/protocol.c
> @@ -3085,7 +3085,10 @@ struct sock *mptcp_sk_clone(const struct sock *sk,
> /* will be fully established after successful MPC subflow creation */
> inet_sk_state_store(nsk, TCP_SYN_RECV);
>
> - security_inet_csk_clone(nsk, req);
> + /* let's the new socket inherit the security label from the msk
> + * listener, as the TCP reqest socket carries a kernel context
> + */
> + security_sock_graft(nsk, sk->sk_socket);
> bh_unlock_sock(nsk);
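Review bot: The comment in this hunk has two typos and is slightly ambiguous about which socket the label comes from: "let's the new socket inherit" should read "let the new socket inherit", "reqest" should be "request", and since the code passes `sk->sk_socket` it would help to say explicitly that `sk` is the msk listener here, e.g. "let the new socket inherit the security label from the msk listener (sk), as the TCP request socket carries a kernel context". Also, because `security_inet_csk_clone(nsk, req)` is dropped outright rather than supplemented, the rationale in the comment (request socket labeled with a kernel context, so the clone must be labeled from the listener instead) should be stated in the commit message as well, since it is the whole justification for the LSM-visible behaviour change.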
FWIW this makes Ondrej's test case work:
before:
mptcp successfully enabled on unit /usr/lib/systemd/system/nginx.service
% Total % Received % Xferd Average Speed Time Time Time % Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (52) Empty reply from server
With the above change:
mptcp successfully enabled on unit /usr/lib/systemd/system/nginx.service
% Total % Received % Xferd Average Speed Time Time Time % Current
Dload Upload Total Spent Left Speed
100 5 100 5 0 0 1770 0 --:--:-- --:--:-- --:--:-- 5000