[v2,0/2] lsm: introduce and use security_mptcp_add_subflow()

Message ID cover.1671469167.git.pabeni@redhat.com (mailing list archive)

Message

Paolo Abeni Dec. 19, 2022, 5:33 p.m. UTC
This series is an attempt to solve the LSM labeling breakage
reported here:

https://lore.kernel.org/linux-security-module/CAHC9VhSQnhH3UL4gqzu+YiA1Q3YyLLCv88gLJOvw-0+uw5Lvkw@mail.gmail.com/

As per previous discussion, a new LSM hook is introduced and
invoked by the mptcp code to let LSMs set the appropriate label
for the newly created subflow.

I'm not sure the chosen hook name is a perfect fit, any suggestion
more than welcome.
The new hook requires both the mptcp socket reference and the
subflow socket reference, even if the provided LSM implementation
for selinux ends up accessing only the subflow socket. Possibly
other LSM implementations could need or use the additional parameter.

Tested vs the issue reproducer and mptcp self-tests.

v1 -> v2:
 - fix a few build issues with unusual configurations reported
   by bots

Paolo Abeni (2):
  security, lsm: Introduce security_mptcp_add_subflow()
  selinux: Implement mptcp_add_subflow hook

 include/linux/lsm_hook_defs.h |  1 +
 include/linux/lsm_hooks.h     |  9 +++++++++
 include/linux/security.h      |  6 ++++++
 net/mptcp/subflow.c           |  6 ++++++
 security/security.c           |  5 +++++
 security/selinux/hooks.c      | 27 +++++++++++++++++++++++++++
 security/selinux/netlabel.c   |  4 +++-
 7 files changed, 57 insertions(+), 1 deletion(-)