calipso: Allow the lsm to label the skbuff directly.

In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour.  This allows selinux to label the skbuffs that it requires.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index a2408c30a7f7..e0e4ce8f22af 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -231,6 +231,10 @@ struct netlbl_lsm_secattr {
  * @sock_delattr: remove the socket's attr
  * @req_setattr: set the req socket's attr
  * @req_delattr: remove the req socket's attr
+ * @opt_getattr: retrieve attr from memory block
+ * @skbuff_optptr: find option in packet
+ * @skbuff_setattr: set the skbuff's attr
+ * @skbuff_delattr: remove the skbuff's attr
  *
  * Description:
  * This structure is filled out by the CALIPSO engine and passed
@@ -258,6 +262,13 @@ struct netlbl_calipso_ops {
                            const struct calipso_doi *doi_def,
                            const struct netlbl_lsm_secattr *secattr);
         void (*req_delattr)(struct request_sock *req);
+        int (*opt_getattr)(const unsigned char *calipso,
+                           struct netlbl_lsm_secattr *secattr);
+        unsigned char *(*skbuff_optptr)(const struct sk_buff *skb);
+        int (*skbuff_setattr)(struct sk_buff *skb,
+                              const struct calipso_doi *doi_def,
+                              const struct netlbl_lsm_secattr *secattr);
+        int (*skbuff_delattr)(struct sk_buff *skb);
 };
 
 /*