From: Paul Moore <paul at paul-moore.com>
To: mptcp at lists.01.org
Subject: [MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP
Date: Wed, 23 Dec 2020 10:28:58 -0500 [thread overview]
Message-ID: <CAHC9VhQxrGNMNj9FN3LYVbqt+Rwgbrv98GySzg4Tzb=jcNWN3g@mail.gmail.com> (raw)
In-Reply-To: 8650019f70725323545e41c5ecf6b1344671b4fa.camel@redhat.com
[-- Attachment #1: Type: text/plain, Size: 2085 bytes --]
On Wed, Dec 23, 2020 at 10:10 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> > On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> > > The MPTCP protocol uses a specific protocol value, even if
> > > it's an extension to TCP. Additionally, MPTCP sockets
> > > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > > support and available resources.
> > >
> > > As a consequence of the specific protocol number, selinux
> > > applies the raw_socket class to MPTCP sockets.
> > >
> > > Existing TCP application converted to MPTCP - or forced to
> > > use MPTCP socket with user-space hacks - will need an
> > > updated policy to run successfully.
> > >
> > > This change lets selinux attach the TCP socket class to
> > > MPTCP sockets, too, so that no policy changes are needed in
> > > the above scenario.
> > >
> > > Note that the MPTCP is setting, propagating and updating the
> > > security context on all the subflows and related request
> > > socket.
> > >
> > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> > > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> > > ---
> > > security/selinux/hooks.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Based on our discussion in the previous thread, the patch below seems
> > fine, although it needs to wait until after the merge window closes.
> >
> > Paolo, it sounded like there was at least one other small MPTCP fix
> > needed, likely in the stack itself and not the LSM/SELinux code, has
> > that patch been submitted already?
>
> Yes, it's already in the Linus's tree:
Perfect, thank you.
> commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
> Author: Paolo Abeni <pabeni(a)redhat.com>
> Date: Wed Dec 16 12:48:32 2020 +0100
>
> mptcp: fix security context on server socket
>
> Thanks for the feedback && happy new year;)
Thanks, you too!
--
paul moore
www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Paolo Abeni <pabeni@redhat.com>
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
mptcp@lists.01.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: Re: [PATCH] linux: handle MPTCP consistently with TCP
Date: Wed, 23 Dec 2020 10:28:58 -0500 [thread overview]
Message-ID: <CAHC9VhQxrGNMNj9FN3LYVbqt+Rwgbrv98GySzg4Tzb=jcNWN3g@mail.gmail.com> (raw)
In-Reply-To: <8650019f70725323545e41c5ecf6b1344671b4fa.camel@redhat.com>
On Wed, Dec 23, 2020 at 10:10 AM Paolo Abeni <pabeni@redhat.com> wrote:
> On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> > On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@redhat.com> wrote:
> > > The MPTCP protocol uses a specific protocol value, even if
> > > it's an extension to TCP. Additionally, MPTCP sockets
> > > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > > support and available resources.
> > >
> > > As a consequence of the specific protocol number, selinux
> > > applies the raw_socket class to MPTCP sockets.
> > >
> > > Existing TCP application converted to MPTCP - or forced to
> > > use MPTCP socket with user-space hacks - will need an
> > > updated policy to run successfully.
> > >
> > > This change lets selinux attach the TCP socket class to
> > > MPTCP sockets, too, so that no policy changes are needed in
> > > the above scenario.
> > >
> > > Note that the MPTCP is setting, propagating and updating the
> > > security context on all the subflows and related request
> > > socket.
> > >
> > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > > ---
> > > security/selinux/hooks.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Based on our discussion in the previous thread, the patch below seems
> > fine, although it needs to wait until after the merge window closes.
> >
> > Paolo, it sounded like there was at least one other small MPTCP fix
> > needed, likely in the stack itself and not the LSM/SELinux code, has
> > that patch been submitted already?
>
> Yes, it's already in the Linus's tree:
Perfect, thank you.
> commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
> Author: Paolo Abeni <pabeni@redhat.com>
> Date: Wed Dec 16 12:48:32 2020 +0100
>
> mptcp: fix security context on server socket
>
> Thanks for the feedback && happy new year;)
Thanks, you too!
--
paul moore
www.paul-moore.com
next reply other threads:[~2020-12-23 15:28 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-23 15:28 Paul Moore [this message]
2020-12-23 15:28 ` [PATCH] linux: handle MPTCP consistently with TCP Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2021-01-05 0:47 [MPTCP] " Paul Moore
2021-01-05 0:47 ` Paul Moore
2020-12-23 15:10 [MPTCP] " Paolo Abeni
2020-12-23 15:10 ` Paolo Abeni
2020-12-23 14:53 [MPTCP] " Paul Moore
2020-12-23 14:53 ` Paul Moore
2020-12-16 17:22 [MPTCP] " Paolo Abeni
2020-12-16 17:22 ` Paolo Abeni
2020-12-16 16:31 [MPTCP] " Casey Schaufler
2020-12-16 16:31 ` Casey Schaufler
2020-12-16 11:55 [MPTCP] " Paolo Abeni
2020-12-16 11:55 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhQxrGNMNj9FN3LYVbqt+Rwgbrv98GySzg4Tzb=jcNWN3g@mail.gmail.com' \
--to=unknown@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.