From: Paolo Abeni <pabeni@redhat.com>
To: linux-security-module@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
selinux@vger.kernel.org, mptcp@lists.linux.dev
Subject: [PATCH v2 0/2] lsm: introduce and use security_mptcp_add_subflow()
Date: Mon, 19 Dec 2022 18:33:47 +0100
Message-ID: <cover.1671469167.git.pabeni@redhat.com>

This series is an attempt to solve the LSM labeling breakage
reported here:

https://lore.kernel.org/linux-security-module/CAHC9VhSQnhH3UL4gqzu+YiA1Q3YyLLCv88gLJOvw-0+uw5Lvkw@mail.gmail.com/

As per previous discussion, a new LSM hook is introduced and
invoked by the mptcp code to let LSMs set the appropriate label
for the newly created subflow.

I'm not sure the chosen hook name is a perfect fit, any suggestion
more than welcome.

The new hook requires both the mptcp socket reference and the
subflow socket reference, even if the provided LSM implementation
for selinux ends up accessing only the subflow socket. Possibly
other LSM implementations could need or use the additional parameter.

Tested vs the issue reproducer and mptcp self-tests.

v1 -> v2:
 - fix a few build issues with unusual configurations reported
   by bots

Paolo Abeni (2):
  security, lsm: Introduce security_mptcp_add_subflow()
  selinux: Implement mptcp_add_subflow hook

 include/linux/lsm_hook_defs.h |  1 +
 include/linux/lsm_hooks.h     |  9 +++++++++
 include/linux/security.h      |  6 ++++++
 net/mptcp/subflow.c           |  6 ++++++
 security/security.c           |  5 +++++
 security/selinux/hooks.c      | 27 +++++++++++++++++++++++++++
 security/selinux/netlabel.c   |  4 +++-
 7 files changed, 57 insertions(+), 1 deletion(-)

--
2.38.1

Thread overview: 11+ messages
2022-12-19 17:33 Paolo Abeni [this message]
2022-12-19 17:33 ` [PATCH v2 1/2] security, lsm: Introduce security_mptcp_add_subflow() Paolo Abeni
2022-12-19 20:48 ` Mat Martineau
2022-12-19 17:33 ` [PATCH v2 2/2] selinux: Implement mptcp_add_subflow hook Paolo Abeni
2022-12-20 22:07 ` Paul Moore
2022-12-21 19:23 ` Paolo Abeni
2022-12-22 1:21 ` Paul Moore
2022-12-22 15:57 ` Paolo Abeni
2022-12-23 17:11 ` Paul Moore
2023-01-09 10:31 ` Paolo Abeni
2023-01-11 23:17 ` Paul Moore