On Wed, Dec 16, 2020 at 6:55 AM Paolo Abeni <pabeni(a)redhat.com>
> The MPTCP protocol uses a specific protocol value, even if
> it's an extension to TCP. Additionally, MPTCP sockets
> could 'fall-back' to TCP at run-time, depending on peer MPTCP
> support and available resources.
> As a consequence of the specific protocol number, selinux
> applies the raw_socket class to MPTCP sockets.
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> security/selinux/hooks.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Based on our discussion in the previous thread, the patch below seems
fine, although it needs to wait until after the merge window closes.
repos later tonight. Thanks!