12:31 a.m.
On 12/16/2020 3:55 AM, Paolo Abeni wrote:
The MPTCP protocol uses a specific protocol value, even if
it's an extension to TCP. Additionally, MPTCP sockets
could 'fall-back' to TCP at run-time, depending on peer MPTCP
support and available resources.
As a consequence of the specific protocol number, selinux
applies the raw_socket class to MPTCP sockets.
Have you looked at the implications for Smack?
>
> Existing TCP application converted to MPTCP - or forced to
> use MPTCP socket with user-space hacks - will need an
> updated policy to run successfully.
>
> This change lets selinux attach the TCP socket class to
> MPTCP sockets, too, so that no policy changes are needed in
> the above scenario.
>
> Note that the MPTCP is setting, propagating and updating the
> security context on all the subflows and related request
> socket.
>
> Link:
https://lore.kernel.org/linux-security-module/CAHC9VhTaK3xx0hEGByD2zxfF7f...
> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
> ---
> security/selinux/hooks.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fa593006802..451bded67d9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1120,7 +1120,8 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
>
> static inline int default_protocol_stream(int protocol)
> {
> - return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
> + return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
> + protocol == IPPROTO_MPTCP);
> }
>
> static inline int default_protocol_dgram(int protocol)