authorPaul Moore <paul.moore@hp.com>2008-01-29 08:37:59 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:19 -0500
commit16efd45435fa695b501b7f73c3259bd7c77cc12c (patch)
treef26eb84f65192eb0a17aca399fd405100e4be974 /include/net
parent1c3fad936acaf87b75055b95be781437e97d787f (diff)
NetLabel: Add secid token support to the NetLabel secattr struct
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netlabel.h91
1 files changed, 73 insertions, 18 deletions
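--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -105,17 +105,49 @@ struct netlbl_dom_map;
 /* Domain mapping operations */
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 
-/* LSM security attributes */
+/*
+ * LSM security attributes
+ */
+
+/**
+ * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
+ * @refcount: atomic reference counter
+ * @free: LSM supplied function to free the cache data
+ * @data: LSM supplied cache data
+ *
+ * Description:
+ * This structure is provided for LSMs which wish to make use of the NetLabel
+ * caching mechanism to store LSM specific data/attributes in the NetLabel
+ * cache. If the LSM has to perform a lot of translation from the NetLabel
+ * security attributes into it's own internal representation then the cache
+ * mechanism can provide a way to eliminate some or all of that translation
+ * overhead on a cache hit.
+ *
+ */
 struct netlbl_lsm_cache {
 	atomic_t refcount;
 	void (*free) (const void *data);
 	void *data;
 };
-/* The catmap bitmap field MUST be a power of two in length and large
+
+/**
+ * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * @startbit: the value of the lowest order bit in the bitmap
+ * @bitmap: the category bitmap
+ * @next: pointer to the next bitmap "node" or NULL
+ *
+ * Description:
+ * This structure is used to represent category bitmaps. Due to the large
+ * number of categories supported by most labeling protocols it is not
+ * practical to transfer a full bitmap internally so NetLabel adopts a sparse
+ * bitmap structure modeled after SELinux's ebitmap structure.
+ * The catmap bitmap field MUST be a power of two in length and large
  * enough to hold at least 240 bits. Special care (i.e. check the code!)
  * should be used when changing these values as the LSM implementation
  * probably has functions which rely on the sizes of these types to speed
- * processing. */
+ * processing.
+ *
+ */
 #define NETLBL_CATMAP_MAPTYPE u64
 #define NETLBL_CATMAP_MAPCNT 4
 #define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
@@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap {
 	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
 	struct netlbl_lsm_secattr_catmap *next;
 };
+
+/**
+ * struct netlbl_lsm_secattr - NetLabel LSM security attributes
+ * @flags: indicate which attributes are contained in this structure
+ * @type: indicate the NLTYPE of the attributes
+ * @domain: the NetLabel LSM domain
+ * @cache: NetLabel LSM specific cache
+ * @attr.mls: MLS sensitivity label
+ * @attr.mls.cat: MLS category bitmap
+ * @attr.mls.lvl: MLS sensitivity level
+ * @attr.secid: LSM specific secid token
+ *
+ * Description:
+ * This structure is used to pass security attributes between NetLabel and the
+ * LSM modules. The flags field is used to specify which fields within the
+ * struct are valid and valid values can be created by bitwise OR'ing the
+ * NETLBL_SECATTR_* defines. The domain field is typically set by the LSM to
+ * specify domain specific configuration settings and is not usually used by
+ * NetLabel itself when returning security attributes to the LSM.
+ *
+ */
 #define NETLBL_SECATTR_NONE 0x00000000
 #define NETLBL_SECATTR_DOMAIN 0x00000001
 #define NETLBL_SECATTR_CACHE 0x00000002
 #define NETLBL_SECATTR_MLS_LVL 0x00000004
 #define NETLBL_SECATTR_MLS_CAT 0x00000008
+#define NETLBL_SECATTR_SECID 0x00000010
 #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \
-				  NETLBL_SECATTR_MLS_CAT)
+				  NETLBL_SECATTR_MLS_CAT | \
+				  NETLBL_SECATTR_SECID)
 struct netlbl_lsm_secattr {
 	u32 flags;
-
+	u32 type;
 	char *domain;
-
-	u32 mls_lvl;
-	struct netlbl_lsm_secattr_catmap *mls_cat;
-
 	struct netlbl_lsm_cache *cache;
+	union {
+		struct {
+			struct netlbl_lsm_secattr_catmap *cat;
+			u32 lvl;
+		} mls;
+		u32 secid;
+	} attr;
 };
 
 /*
@@ -231,10 +289,7 @@ static inline void netlbl_secattr_catmap_free(
  */
 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 {
-	secattr->flags = 0;
-	secattr->domain = NULL;
-	secattr->mls_cat = NULL;
-	secattr->cache = NULL;
+	memset(secattr, 0, sizeof(*secattr));
 }
 
 /**
@@ -248,11 +303,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
  */
 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
 {
-	if (secattr->cache)
-		netlbl_secattr_cache_free(secattr->cache);
 	kfree(secattr->domain);
-	if (secattr->mls_cat)
-		netlbl_secattr_catmap_free(secattr->mls_cat);
+	if (secattr->flags & NETLBL_SECATTR_CACHE)
+		netlbl_secattr_cache_free(secattr->cache);
+	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
+		netlbl_secattr_catmap_free(secattr->attr.mls.cat);
 }
 
 /**
@@ -300,7 +355,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 	gfp_t flags);
 
 /*
- * LSM protocol operations
+ * LSM protocol operations (NetLabel LSM/kernel API)
  */
 int netlbl_enabled(void);
 int netlbl_sock_setattr(struct sock *sk,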
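Review bot: netlbl_secattr_destroy() (new lines 307-310) now releases @cache and @attr.mls.cat only when the matching NETLBL_SECATTR_CACHE / NETLBL_SECATTR_MLS_CAT bit is set, which the new union requires because attr.mls.cat and attr.secid share storage, but the hunk does not state the invariant this depends on: a pointer stored without its flag is leaked, and a stale NETLBL_SECATTR_MLS_CAT bit left behind after a secid is written into attr.secid would hand that integer to netlbl_secattr_catmap_free() as a pointer. The kernel-doc for netlbl_secattr_destroy() starts above the hunk; I would add to it `* Only fields whose NETLBL_SECATTR_* bit is set in @flags are released, so a` `* caller that stores a pointer in @cache or @attr.mls.cat must set the matching` `* flag, and must clear NETLBL_SECATTR_MLS_CAT before reusing @attr for a secid.` and repeat the flag/ownership rule in the struct netlbl_lsm_secattr Description added in the second hunk. Separately, netlbl_secattr_init() now calls memset(), which presumably needs linux/string.h to be included by this header; the include list is outside the diff, so worth confirming.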