[PATCH mptcp-next] Squash to "security, lsm: Introduce security_mptcp_add_subflow()"

[PATCH mptcp-next] Squash to "security, lsm: Introduce security_mptcp_add_subflow()"

[Matthieu Baerts]

lsm: move the MPTCP hook comments to security/security.c

This is similar to what has been done in lsm/next, e.g. with
commit 4a49f592e931 ("lsm: move the SCTP hook comments to security/security.c"),
see the link below.

By doing that, the patch can be applied without conflicts in lsm/next
branch.

Link: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/commit/?h=next&id=4a49f592e931
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---

Notes:
    to be squashed in "security, lsm: Introduce security_mptcp_add_subflow()"

 include/linux/lsm_hooks.h |  9 ---------
 security/security.c       | 10 ++++++++++
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 333b21095638..6e156d2acffc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1096,15 +1096,6 @@
  *	@skb pointer to skbuff of association packet.
  *	Return 0 if permission is granted.
  *
- * Security hooks for MPTCP
- *
- * @mptcp_add_subflow
- *	Update the labeling for the given MPTCP subflow, to match to
- *	owning MPTCP socket.
- *	@sk: the owning MPTCP socket
- *	@ssk: the new subflow
- *	Return 0 if successful, otherwise < 0 error code.
- *
  * Security hooks for Infiniband
  *
  * @ib_pkey_access:
diff --git a/security/security.c b/security/security.c
index 4e56893aada5..1e99200ed0c9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2494,6 +2494,16 @@ int security_sctp_assoc_established(struct sctp_association *asoc,
 }
 EXPORT_SYMBOL(security_sctp_assoc_established);
 
+/**
+ * security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket
+ * @sk: the owning MPTCP socket
+ * @ssk: the new subflow
+ *
+ * Update the labeling for the given MPTCP subflow, to match the one of the
+ * owning MPTCP socket.
+ *
+ * Return: Returns 0 on success or a negative error code on failure.
+ */
 int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
 {
 	return call_int_hook(mptcp_add_subflow, 0, sk, ssk);

base-commit: 0eb4d1a28182c9af28ba970a8a899a2be5407867
-- 
2.39.2

Re: Squash to "security, lsm: Introduce security_mptcp_add_subflow()": Tests Results

[MPTCP CI]

Hi Matthieu,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/6376102365495296
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/6376102365495296/summary/summary.txt

- KVM Validation: debug (except selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/6094627388784640
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/6094627388784640/summary/summary.txt

- KVM Validation: normal (only selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/4968727481942016
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/4968727481942016/summary/summary.txt

- KVM Validation: debug (only selftest_mptcp_join):
  - Unstable: 1 failed test(s): selftest_mptcp_join 🔴:
  - Task: https://cirrus-ci.com/task/5531677435363328
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/5531677435363328/summary/summary.txt

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/4a339f07d719


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-debug

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (Tessares)

Re: [PATCH mptcp-next] Squash to "security, lsm: Introduce security_mptcp_add_subflow()"

[Matthieu Baerts]

Hello,

On 19/04/2023 12:17, Matthieu Baerts wrote:
> lsm: move the MPTCP hook comments to security/security.c
> 
> This is similar to what has been done in lsm/next, e.g. with
> commit 4a49f592e931 ("lsm: move the SCTP hook comments to security/security.c"),
> see the link below.
> 
> By doing that, the patch can be applied without conflicts in lsm/next
> branch.

I hope that's OK if I apply it to be able to send the patches to LSM
maintainers today. I only moved the comments.

Cheers,
Matt
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net