[PATCH v2 2/2] selinux: Implement mptcp_add_subflow hook
Paul Moore
paul at paul-moore.com
Thu May 18 17:12:00 UTC 2023
On Apr 20, 2023 Matthieu Baerts <matthieu.baerts at tessares.net> wrote:
>
> Newly added subflows should inherit the LSM label from the associated
> MPTCP socket regardless of the current context.
>
> This patch implements the above copying sid and class from the MPTCP
> socket context, deleting the existing subflow label, if any, and then
> re-creating the correct one.
>
> The new helper reuses the selinux_netlbl_sk_security_free() function,
> and the latter can end-up being called multiple times with the same
> argument; we additionally need to make it idempotent.
>
> Signed-off-by: Paolo Abeni <pabeni at redhat.com>
> Acked-by: Matthieu Baerts <matthieu.baerts at tessares.net>
> Signed-off-by: Matthieu Baerts <matthieu.baerts at tessares.net>
> ---
> v2:
> - Address Paul's comments:
> - use "MPTCP socket" instead of "msk" in the commit message
> - "updated" context instead of "current" one in the comment
> ---
> security/selinux/hooks.c | 16 ++++++++++++++++
> security/selinux/netlabel.c | 8 ++++++--
> 2 files changed, 22 insertions(+), 2 deletions(-)
Also merged into selinux/next, thanks again.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list