Squash to "security: SELinux/LSM label with MPTCP and accept "

[PATCH mptcp-next 2/2] Squash to "selinux: Implement mptcp_add_subflow hook"
Posted by Matthieu Baerts 1 year, 4 months ago
Apply Paul's comments from [1].

For the commit message:

  > Newly added subflows should inherit the LSM label from the associated
  > msk socket regarless current context.

  "... from the associated main MPTCP socket regardless of the current context."

  Us SELinux folks may not always be able to make the jump from "msk" to
  "main MPTCP socket" when we are looking through the git log in the
  future, let's make it easier on us/me ;)

  > This patch implements the above copying sid and class from the msk
  > context, deleting the existing subflow label, if any, and then

  "... from the main MPTCP socket context, deleting ..."

  > re-creating a new one.

And for security/selinux/hooks.c:

  > +       /* replace the existing subflow label deleting the existing one
  > +        * and re-recrating a new label using the current context

  "... new label using the updated context"

  Let's avoid the phrase "current context" as that could imply the
  current task, which is exactly what we are trying not to do.

Link: https://lore.kernel.org/mptcp/CAHC9VhQz_ZUot1Sxa6zhzXh_ECz+rR=Nq3zzDEEL7GKvzYQziA@mail.gmail.com/ [1]
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---

Notes:
    to be squashed in "selinux: Implement mptcp_add_subflow hook"

 .topmsg                  | 13 +++++++++----
 security/selinux/hooks.c |  2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.topmsg b/.topmsg
index d10caa1fec26..f3b93eefbcf6 100644
--- a/.topmsg
+++ b/.topmsg
@@ -2,11 +2,11 @@ From: Paolo Abeni <pabeni@redhat.com>
 Subject: [PATCH] selinux: Implement mptcp_add_subflow hook
 
 Newly added subflows should inherit the LSM label from the associated
-msk socket regarless current context.
+MPTCP socket regardless of the current context.
 
-This patch implements the above copying sid and class from the msk
-context, deleting the existing subflow label, if any, and then
-re-creating a new one.
+This patch implements the above copying sid and class from the MPTCP
+socket context, deleting the existing subflow label, if any, and then
+re-creating the correct one.
 
 The new helper reuses the selinux_netlbl_sk_security_free() function,
 and the latter can end-up being called multiple times with the same
@@ -14,3 +14,8 @@ argument; we additionally need to make it idempotent.
 
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+---
+v2:
+ - Address Paul's comments:
+   - use "MPTCP socket" instead of "msk" in the commit message
+   - "updated" context instead of "current" one in the comment
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 53cfc1cb67d2..67e6cd18ad59 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5485,7 +5485,7 @@ static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
 	ssksec->sid = sksec->sid;
 
 	/* replace the existing subflow label deleting the existing one
-	 * and re-recrating a new label using the current context
+	 * and re-recreating a new label using the updated context
 	 */
 	selinux_netlbl_sk_security_free(ssksec);
 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);

base-commit: 3756c91778d89cc8a342ef4dd6df4d93c6a32c2a
-- 
2.39.2
[PATCH mptcp-next 1/2] Squash to "security, lsm: Introduce security_mptcp_add_subflow()"
[PATCH mptcp-next 2/2] Squash to "selinux: Implement mptcp_add_subflow hook"