Re: [PATCH] selinux: check connect-related permissions on TCP Fast Open
From: Bryam Vargas @ 2026-06-25 1:50 UTC (permalink / raw)
To: Paul Moore, Stephen Smalley
Cc: Ondrej Mosnacek, selinux, linux-security-module, linux-kernel,
Matthieu Buffet, Mikhail Ivanov
Tested this on x86-64. I built mainline with and without the patch and ran it
under a SELinux domain (enforcing) that lacks the tcp_socket connect permission.
Unpatched, connect(2) is denied but sendto(MSG_FASTOPEN) still reaches the
listener. With the patch the fastopen send is denied too, and the AVC shows the
connect check firing on the sendmsg path. Same for TCP, TCP6 and MPTCP. The
TCP_FASTOPEN_CONNECT path was already mediated at connect(2), and a domain that
allows connect is unaffected.
A/B logs on request.
Tested-by: Bryam Vargas <hexlabsecurity@proton.me>
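The two paths compared in the report above, as an added probe that is not part of the thread or the patch: one socket uses connect(2) followed by send(2), the other sends with MSG_FASTOPEN directly, both against a loopback listener the program itself creates (a constructed target). Run in a domain that lacks tcp_socket connect, a kernel that mediates both paths returns EACCES from both; the unpatched kernel the report describes would deny only the first. Without SELinux both simply succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000 /* Linux value; fallback for older headers */
#endif

/* Constructed target: loopback listener on an ephemeral port, address returned in *addr. */
static int start_listener(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof *addr;
    if (bind(fd, (struct sockaddr *)addr, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Returns 0 if the payload reached the listener, otherwise the errno the kernel gave.
   use_fastopen=0: connect(2) then send(2); use_fastopen=1: sendto(MSG_FASTOPEN).
   Under a domain without tcp_socket connect, a mediated path yields EACCES. */
int probe(int use_fastopen) {
    struct sockaddr_in addr;
    int lfd = start_listener(&addr);
    if (lfd < 0) return errno;
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) { int e = errno; close(lfd); return e; }
    const char payload[] = "tfo-probe"; /* constructed test payload */
    int rc;
    if (use_fastopen)
        rc = sendto(cfd, payload, sizeof payload, MSG_FASTOPEN,
                    (struct sockaddr *)&addr, sizeof addr) < 0 ? -1 : 0;
    else
        rc = (connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
              send(cfd, payload, sizeof payload, 0) < 0) ? -1 : 0;
    int result = rc < 0 ? errno : 0;
    close(cfd); close(lfd);
    return result;
}

int main(void) {
    printf("connect+send: %s\n", strerror(probe(0)));
    printf("MSG_FASTOPEN: %s\n", strerror(probe(1)));
    return 0;
}
```

A mismatch between the two lines (connect denied, fastopen allowed) is the gap the patch closes; agreement is what the report observed once it was applied.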