[PATCH v2 2/2] selinux: Implement mptcp_add_subflow hook

Paul Moore paul at paul-moore.com
Thu May 18 17:12:00 UTC 2023


On Apr 20, 2023 Matthieu Baerts <matthieu.baerts at tessares.net> wrote:
> 
> Newly added subflows should inherit the LSM label from the associated
> MPTCP socket regardless of the current context.
> 
> This patch implements the above copying sid and class from the MPTCP
> socket context, deleting the existing subflow label, if any, and then
> re-creating the correct one.
> 
> The new helper reuses the selinux_netlbl_sk_security_free() function,
> and the latter can end up being called multiple times with the same
> argument; we additionally need to make it idempotent.
> 
> Signed-off-by: Paolo Abeni <pabeni at redhat.com>
> Acked-by: Matthieu Baerts <matthieu.baerts at tessares.net>
> Signed-off-by: Matthieu Baerts <matthieu.baerts at tessares.net>
> ---
> v2:
>  - Address Paul's comments:
>    - use "MPTCP socket" instead of "msk" in the commit message
>    - "updated" context instead of "current" one in the comment
> ---
>  security/selinux/hooks.c    | 16 ++++++++++++++++
>  security/selinux/netlabel.c |  8 ++++++--
>  2 files changed, 22 insertions(+), 2 deletions(-)

Also merged into selinux/next, thanks again.

--
paul-moore.com


