[MPTCP] Re: [PATCH] linux: handle MPTCP consistently with TCP

On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com&gt; wrote: > The MPTCP protocol uses a specific protocol value, even if > it's an extension to TCP. Additionally, MPTCP sockets > could 'fall-back' to TCP at run-time, depending on peer MPTCP > support and available resources. > > As a consequence of the specific protocol number, selinux > applies the raw_socket class to MPTCP sockets. > > Existing TCP application converted to MPTCP - or forced to > use MPTCP socket with user-space hacks - will need an > updated policy to run successfully. > > This change lets selinux attach the TCP socket class to > MPTCP sockets, too, so that no policy changes are needed in > the above scenario. > > Note that the MPTCP is setting, propagating and updating the > security context on all the subflows and related request > socket. > > Link: https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7f... > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com&gt; > --- > security/selinux/hooks.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Based on our discussion in the previous thread, the patch below seems fine, although it needs to wait until after the merge window closes. Paolo, it sounded like there was at least one other small MPTCP fix needed, likely in the stack itself and not the LSM/SELinux code, has that patch been submitted already?