[MPTCP] [PATCH] linux: handle MPTCP consistently with TCP

[MPTCP] [PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

[-- Attachment #1: Type: text/plain, Size: 1573 bytes --]

The MPTCP protocol uses a specific protocol value, even if
it's an extension to TCP. Additionally, MPTCP sockets
could 'fall-back' to TCP at run-time, depending on peer MPTCP
support and available resources.

As a consequence of the specific protocol number, selinux
applies the raw_socket class to MPTCP sockets.

Existing TCP application converted to MPTCP - or forced to
use MPTCP socket with user-space hacks - will need an
updated policy to run successfully.

This change lets selinux attach the TCP socket class to
MPTCP sockets, too, so that no policy changes are needed in
the above scenario.

Note that the MPTCP is setting, propagating and updating the
security context on all the subflows and related request
socket.

Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6fa593006802..451bded67d9c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
 
 static inline int default_protocol_stream(int protocol)
 {
-	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
+	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
+		protocol == IPPROTO_MPTCP);
 }
 
 static inline int default_protocol_dgram(int protocol)
-- 
2.26.2

[PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

The MPTCP protocol uses a specific protocol value, even if
it's an extension to TCP. Additionally, MPTCP sockets
could 'fall-back' to TCP at run-time, depending on peer MPTCP
support and available resources.

As a consequence of the specific protocol number, selinux
applies the raw_socket class to MPTCP sockets.

Existing TCP application converted to MPTCP - or forced to
use MPTCP socket with user-space hacks - will need an
updated policy to run successfully.

This change lets selinux attach the TCP socket class to
MPTCP sockets, too, so that no policy changes are needed in
the above scenario.

Note that the MPTCP is setting, propagating and updating the
security context on all the subflows and related request
socket.

Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6fa593006802..451bded67d9c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
 
 static inline int default_protocol_stream(int protocol)
 {
-	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
+	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
+		protocol == IPPROTO_MPTCP);
 }
 
 static inline int default_protocol_dgram(int protocol)
-- 
2.26.2

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Casey Schaufler]

[-- Attachment #1: Type: text/plain, Size: 1727 bytes --]

On 12/16/2020 3:55 AM, Paolo Abeni wrote:
> The MPTCP protocol uses a specific protocol value, even if
> it's an extension to TCP. Additionally, MPTCP sockets
> could 'fall-back' to TCP at run-time, depending on peer MPTCP
> support and available resources.
>
> As a consequence of the specific protocol number, selinux
> applies the raw_socket class to MPTCP sockets.

Have you looked at the implications for Smack?

>
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
>
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
>
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> socket.
>
> Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> ---
>  security/selinux/hooks.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fa593006802..451bded67d9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
>  
>  static inline int default_protocol_stream(int protocol)
>  {
> -	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
> +	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
> +		protocol == IPPROTO_MPTCP);
>  }
>  
>  static inline int default_protocol_dgram(int protocol)

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Casey Schaufler]

On 12/16/2020 3:55 AM, Paolo Abeni wrote:
> The MPTCP protocol uses a specific protocol value, even if
> it's an extension to TCP. Additionally, MPTCP sockets
> could 'fall-back' to TCP at run-time, depending on peer MPTCP
> support and available resources.
>
> As a consequence of the specific protocol number, selinux
> applies the raw_socket class to MPTCP sockets.

Have you looked at the implications for Smack?

>
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
>
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
>
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> socket.
>
> Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
>  security/selinux/hooks.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fa593006802..451bded67d9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
>  
>  static inline int default_protocol_stream(int protocol)
>  {
> -	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
> +	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
> +		protocol == IPPROTO_MPTCP);
>  }
>  
>  static inline int default_protocol_dgram(int protocol)

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

[-- Attachment #1: Type: text/plain, Size: 843 bytes --]

Hello,

On Wed, 2020-12-16 at 08:31 -0800, Casey Schaufler wrote:
> On 12/16/2020 3:55 AM, Paolo Abeni wrote:
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> > 
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> 
> Have you looked at the implications for Smack?

AFAICS, the only hooks which can be affected is
smack_socket_post_create() - that is, the only hook with a 'protocol'
argument coming directly from the socket APIs.

If I read the code correctly, such hook behaves independently from
'protocol' value. Overall no changes should be needed for smack.

Thanks!

Paolo

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

Hello,

On Wed, 2020-12-16 at 08:31 -0800, Casey Schaufler wrote:
> On 12/16/2020 3:55 AM, Paolo Abeni wrote:
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> > 
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> 
> Have you looked at the implications for Smack?

AFAICS, the only hooks which can be affected is
smack_socket_post_create() - that is, the only hook with a 'protocol'
argument coming directly from the socket APIs.

If I read the code correctly, such hook behaves independently from
'protocol' value. Overall no changes should be needed for smack.

Thanks!

Paolo

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

[-- Attachment #1: Type: text/plain, Size: 2104 bytes --]

On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
>
> The MPTCP protocol uses a specific protocol value, even if
> it's an extension to TCP. Additionally, MPTCP sockets
> could 'fall-back' to TCP at run-time, depending on peer MPTCP
> support and available resources.
>
> As a consequence of the specific protocol number, selinux
> applies the raw_socket class to MPTCP sockets.
>
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
>
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
>
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> socket.
>
> Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> ---
>  security/selinux/hooks.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Based on our discussion in the previous thread, the patch below seems
fine, although it needs to wait until after the merge window closes.

Paolo, it sounded like there was at least one other small MPTCP fix
needed, likely in the stack itself and not the LSM/SELinux code, has
that patch been submitted already?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fa593006802..451bded67d9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
>
>  static inline int default_protocol_stream(int protocol)
>  {
> -       return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
> +       return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
> +               protocol == IPPROTO_MPTCP);
>  }
>
>  static inline int default_protocol_dgram(int protocol)
> --
> 2.26.2

-- 
paul moore
www.paul-moore.com

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@redhat.com> wrote:
>
> The MPTCP protocol uses a specific protocol value, even if
> it's an extension to TCP. Additionally, MPTCP sockets
> could 'fall-back' to TCP at run-time, depending on peer MPTCP
> support and available resources.
>
> As a consequence of the specific protocol number, selinux
> applies the raw_socket class to MPTCP sockets.
>
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
>
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
>
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> socket.
>
> Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
>  security/selinux/hooks.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Based on our discussion in the previous thread, the patch below seems
fine, although it needs to wait until after the merge window closes.

Paolo, it sounded like there was at least one other small MPTCP fix
needed, likely in the stack itself and not the LSM/SELinux code, has
that patch been submitted already?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fa593006802..451bded67d9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
>
>  static inline int default_protocol_stream(int protocol)
>  {
> -       return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
> +       return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
> +               protocol == IPPROTO_MPTCP);
>  }
>
>  static inline int default_protocol_dgram(int protocol)
> --
> 2.26.2

-- 
paul moore
www.paul-moore.com

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

[-- Attachment #1: Type: text/plain, Size: 1863 bytes --]

On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> > 
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> > 
> > Existing TCP application converted to MPTCP - or forced to
> > use MPTCP socket with user-space hacks - will need an
> > updated policy to run successfully.
> > 
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> > 
> > Note that the MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > socket.
> > 
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.
> 
> Paolo, it sounded like there was at least one other small MPTCP fix
> needed, likely in the stack itself and not the LSM/SELinux code, has
> that patch been submitted already?

Yes, it's already in the Linus's tree:

commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
Author: Paolo Abeni <pabeni(a)redhat.com>
Date:   Wed Dec 16 12:48:32 2020 +0100

    mptcp: fix security context on server socket

Thanks for the feedback && happy new year;)

Paolo

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paolo Abeni]

On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@redhat.com> wrote:
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> > 
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> > 
> > Existing TCP application converted to MPTCP - or forced to
> > use MPTCP socket with user-space hacks - will need an
> > updated policy to run successfully.
> > 
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> > 
> > Note that the MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > socket.
> > 
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.
> 
> Paolo, it sounded like there was at least one other small MPTCP fix
> needed, likely in the stack itself and not the LSM/SELinux code, has
> that patch been submitted already?

Yes, it's already in the Linus's tree:

commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Wed Dec 16 12:48:32 2020 +0100

    mptcp: fix security context on server socket

Thanks for the feedback && happy new year;)

Paolo

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

[-- Attachment #1: Type: text/plain, Size: 2085 bytes --]

On Wed, Dec 23, 2020 at 10:10 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> > On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> > > The MPTCP protocol uses a specific protocol value, even if
> > > it's an extension to TCP. Additionally, MPTCP sockets
> > > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > > support and available resources.
> > >
> > > As a consequence of the specific protocol number, selinux
> > > applies the raw_socket class to MPTCP sockets.
> > >
> > > Existing TCP application converted to MPTCP - or forced to
> > > use MPTCP socket with user-space hacks - will need an
> > > updated policy to run successfully.
> > >
> > > This change lets selinux attach the TCP socket class to
> > > MPTCP sockets, too, so that no policy changes are needed in
> > > the above scenario.
> > >
> > > Note that the MPTCP is setting, propagating and updating the
> > > security context on all the subflows and related request
> > > socket.
> > >
> > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> > > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> > > ---
> > >  security/selinux/hooks.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Based on our discussion in the previous thread, the patch below seems
> > fine, although it needs to wait until after the merge window closes.
> >
> > Paolo, it sounded like there was at least one other small MPTCP fix
> > needed, likely in the stack itself and not the LSM/SELinux code, has
> > that patch been submitted already?
>
> Yes, it's already in the Linus's tree:

Perfect, thank you.

> commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
> Author: Paolo Abeni <pabeni(a)redhat.com>
> Date:   Wed Dec 16 12:48:32 2020 +0100
>
>     mptcp: fix security context on server socket
>
> Thanks for the feedback && happy new year;)

Thanks, you too!

-- 
paul moore
www.paul-moore.com

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

On Wed, Dec 23, 2020 at 10:10 AM Paolo Abeni <pabeni@redhat.com> wrote:
> On Wed, 2020-12-23 at 09:53 -0500, Paul Moore wrote:
> > On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@redhat.com> wrote:
> > > The MPTCP protocol uses a specific protocol value, even if
> > > it's an extension to TCP. Additionally, MPTCP sockets
> > > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > > support and available resources.
> > >
> > > As a consequence of the specific protocol number, selinux
> > > applies the raw_socket class to MPTCP sockets.
> > >
> > > Existing TCP application converted to MPTCP - or forced to
> > > use MPTCP socket with user-space hacks - will need an
> > > updated policy to run successfully.
> > >
> > > This change lets selinux attach the TCP socket class to
> > > MPTCP sockets, too, so that no policy changes are needed in
> > > the above scenario.
> > >
> > > Note that the MPTCP is setting, propagating and updating the
> > > security context on all the subflows and related request
> > > socket.
> > >
> > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > > ---
> > >  security/selinux/hooks.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Based on our discussion in the previous thread, the patch below seems
> > fine, although it needs to wait until after the merge window closes.
> >
> > Paolo, it sounded like there was at least one other small MPTCP fix
> > needed, likely in the stack itself and not the LSM/SELinux code, has
> > that patch been submitted already?
>
> Yes, it's already in the Linus's tree:

Perfect, thank you.

> commit 0c14846032f2c0a3b63234e1fc2759f4155b6067
> Author: Paolo Abeni <pabeni@redhat.com>
> Date:   Wed Dec 16 12:48:32 2020 +0100
>
>     mptcp: fix security context on server socket
>
> Thanks for the feedback && happy new year;)

Thanks, you too!

-- 
paul moore
www.paul-moore.com

[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

[-- Attachment #1: Type: text/plain, Size: 1567 bytes --]

On Wed, Dec 23, 2020 at 9:53 AM Paul Moore <paul(a)paul-moore.com> wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com> wrote:
> >
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> >
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> >
> > Existing TCP application converted to MPTCP - or forced to
> > use MPTCP socket with user-space hacks - will need an
> > updated policy to run successfully.
> >
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> >
> > Note that the MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > socket.
> >
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg(a)mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.

I just merged this into my selinux/next tree, you should see it in the
kernel.org repos later tonight.  Thanks!

-- 
paul moore
www.paul-moore.com

Re: [PATCH] linux: handle MPTCP consistently with TCP

[Paul Moore]

On Wed, Dec 23, 2020 at 9:53 AM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni@redhat.com> wrote:
> >
> > The MPTCP protocol uses a specific protocol value, even if
> > it's an extension to TCP. Additionally, MPTCP sockets
> > could 'fall-back' to TCP at run-time, depending on peer MPTCP
> > support and available resources.
> >
> > As a consequence of the specific protocol number, selinux
> > applies the raw_socket class to MPTCP sockets.
> >
> > Existing TCP application converted to MPTCP - or forced to
> > use MPTCP socket with user-space hacks - will need an
> > updated policy to run successfully.
> >
> > This change lets selinux attach the TCP socket class to
> > MPTCP sockets, too, so that no policy changes are needed in
> > the above scenario.
> >
> > Note that the MPTCP is setting, propagating and updating the
> > security context on all the subflows and related request
> > socket.
> >
> > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7fadyPP1kb-WeWH_YCyq9X-sRg@mail.gmail.com/T/#t
> > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Based on our discussion in the previous thread, the patch below seems
> fine, although it needs to wait until after the merge window closes.

I just merged this into my selinux/next tree, you should see it in the
kernel.org repos later tonight.  Thanks!

-- 
paul moore
www.paul-moore.com