[PATCH 0/2] lsm: introduce and use security_mptcp_add_subflow()

Paolo Abeni pabeni at redhat.com
Wed Dec 14 22:13:52 UTC 2022


On Wed, 2022-12-14 at 23:01 +0100, Paolo Abeni wrote:
> This series is an attempt to solve the LSM labeling breakage
> reported here:
> 
> https://lore.kernel.org/linux-security-module/CAHC9VhSQnhH3UL4gqzu+YiA1Q3YyLLCv88gLJOvw-0+uw5Lvkw@mail.gmail.com/
> 
> As per previous discussion, a new LSM hook is introduced and
> invoked by the mptcp code to let LSMs set the appropriate label
> for the newly created subflow.
> 
> I'm not sure the chosen hook name is a perfect fit, any suggestion
> more than welcome.
> The new hook requires both the mptcp socket reference and the
> subflow socket reference, even if the provided LSM implementation
> for selinux ends up accessing only the subflow socket. Possibly
> other LSM implementations could need or use the additional parameter.

I forgot to mention this has been tested vs the reproducer described in
the above link and vs the mptcp self-tests.

Cheers,

Paolo


