NetLabel: Add secid token support to the NetLabel secattr struct

This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-01-29 08:37:59 -0500
committer: James Morris <jmorris@namei.org> 2008-01-29 16:17:19 -0500
commit: 16efd45435fa695b501b7f73c3259bd7c77cc12c (patch)
tree: f26eb84f65192eb0a17aca399fd405100e4be974 /include/net
parent: 1c3fad936acaf87b75055b95be781437e97d787f (diff)
1 files changed, 73 insertions, 18 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2e5b2f6f9fa0..18b73cf507df 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -105,17 +105,49 @@ struct netlbl_dom_map;
 /* Domain mapping operations */
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
-/* LSM security attributes */
+/*
+ * LSM security attributes
+ */
+/**
+ * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
+ * @refcount: atomic reference counter
+ * @free: LSM supplied function to free the cache data
+ * @data: LSM supplied cache data
+ *
+ * Description:
+ * This structure is provided for LSMs which wish to make use of the NetLabel
+ * caching mechanism to store LSM specific data/attributes in the NetLabel
+ * cache.  If the LSM has to perform a lot of translation from the NetLabel
+ * security attributes into it's own internal representation then the cache
+ * mechanism can provide a way to eliminate some or all of that translation
+ * overhead on a cache hit.
+ *
+ */
 struct netlbl_lsm_cache {
        atomic_t refcount;
        void (*free) (const void *data);
        void *data;
 };
-/* The catmap bitmap field MUST be a power of two in length and large
+/**
+ * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * @startbit: the value of the lowest order bit in the bitmap
+ * @bitmap: the category bitmap
+ * @next: pointer to the next bitmap "node" or NULL
+ *
+ * Description:
+ * This structure is used to represent category bitmaps.  Due to the large
+ * number of categories supported by most labeling protocols it is not
+ * practical to transfer a full bitmap internally so NetLabel adopts a sparse
+ * bitmap structure modeled after SELinux's ebitmap structure.
+ * The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
- * processing. */
+ * processing.
+ *
+ */
 #define NETLBL_CATMAP_MAPTYPE           u64
 #define NETLBL_CATMAP_MAPCNT            4
 #define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
@@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap {
        NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
        struct netlbl_lsm_secattr_catmap *next;
 };
+/**
+ * struct netlbl_lsm_secattr - NetLabel LSM security attributes
+ * @flags: indicate which attributes are contained in this structure
+ * @type: indicate the NLTYPE of the attributes
+ * @domain: the NetLabel LSM domain
+ * @cache: NetLabel LSM specific cache
+ * @attr.mls: MLS sensitivity label
+ * @attr.mls.cat: MLS category bitmap
+ * @attr.mls.lvl: MLS sensitivity level
+ * @attr.secid: LSM specific secid token
+ *
+ * Description:
+ * This structure is used to pass security attributes between NetLabel and the
+ * LSM modules.  The flags field is used to specify which fields within the
+ * struct are valid and valid values can be created by bitwise OR'ing the
+ * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
+ * specify domain specific configuration settings and is not usually used by
+ * NetLabel itself when returning security attributes to the LSM.
+ *
+ */
 #define NETLBL_SECATTR_NONE             0x00000000
 #define NETLBL_SECATTR_DOMAIN           0x00000001
 #define NETLBL_SECATTR_CACHE            0x00000002
 #define NETLBL_SECATTR_MLS_LVL          0x00000004
 #define NETLBL_SECATTR_MLS_CAT          0x00000008
+#define NETLBL_SECATTR_SECID            0x00000010
 #define NETLBL_SECATTR_CACHEABLE        (NETLBL_SECATTR_MLS_LVL | \
-                                         NETLBL_SECATTR_MLS_CAT)
+                                         NETLBL_SECATTR_MLS_CAT | \
+                                         NETLBL_SECATTR_SECID)
 struct netlbl_lsm_secattr {
        u32 flags;
+        u32 type;
        char *domain;
-        u32 mls_lvl;
-        struct netlbl_lsm_secattr_catmap *mls_cat;
        struct netlbl_lsm_cache *cache;
+        union {
+                struct {
+                        struct netlbl_lsm_secattr_catmap *cat;
+                        u32 lvl;
+                } mls;
+                u32 secid;
+        } attr;
 };
 /*
@@ -231,10 +289,7 @@ static inline void netlbl_secattr_catmap_free(
 */
 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 {
-        secattr->flags = 0;
+        memset(secattr, 0, sizeof(*secattr));
-        secattr->domain = NULL;
-        secattr->mls_cat = NULL;
-        secattr->cache = NULL;
 }
 /**
@@ -248,11 +303,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 */
 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
 {
-        if (secattr->cache)
-                netlbl_secattr_cache_free(secattr->cache);
        kfree(secattr->domain);
-        if (secattr->mls_cat)
+        if (secattr->flags & NETLBL_SECATTR_CACHE)
-                netlbl_secattr_catmap_free(secattr->mls_cat);
+                netlbl_secattr_cache_free(secattr->cache);
+        if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
+                netlbl_secattr_catmap_free(secattr->attr.mls.cat);
 }
 /**
@@ -300,7 +355,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
                                 gfp_t flags);
 /*
- * LSM protocol operations
+ * LSM protocol operations (NetLabel LSM/kernel API)
 */
 int netlbl_enabled(void);
 int netlbl_sock_setattr(struct sock *sk,
author	Paul Moore <paul.moore@hp.com>	2008-01-29 08:37:59 -0500
committer	James Morris <jmorris@namei.org>	2008-01-29 16:17:19 -0500
commit	16efd45435fa695b501b7f73c3259bd7c77cc12c (patch)
tree	f26eb84f65192eb0a17aca399fd405100e4be974 /include/net
parent	1c3fad936acaf87b75055b95be781437e97d787f (diff)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 2e5b2f6f9fa0..18b73cf507df 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h
@@ -105,17 +105,49 @@ struct netlbl_dom_map;
105	/* Domain mapping operations */	105	/* Domain mapping operations */
106	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);	106	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);
107		107
108	/* LSM security attributes */	108	/*
		109	* LSM security attributes
		110	*/
		111
		112	/**
		113	* struct netlbl_lsm_cache - NetLabel LSM security attribute cache
		114	* @refcount: atomic reference counter
		115	* @free: LSM supplied function to free the cache data
		116	* @data: LSM supplied cache data
		117	*
		118	* Description:
		119	* This structure is provided for LSMs which wish to make use of the NetLabel
		120	* caching mechanism to store LSM specific data/attributes in the NetLabel
		121	* cache. If the LSM has to perform a lot of translation from the NetLabel
		122	* security attributes into it's own internal representation then the cache
		123	* mechanism can provide a way to eliminate some or all of that translation
		124	* overhead on a cache hit.
		125	*
		126	*/
109	struct netlbl_lsm_cache {	127	struct netlbl_lsm_cache {
110	atomic_t refcount;	128	atomic_t refcount;
111	void (free) (const void data);	129	void (free) (const void data);
112	void *data;	130	void *data;
113	};	131	};
114	/* The catmap bitmap field MUST be a power of two in length and large	132
		133	/**
		134	* struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
		135	* @startbit: the value of the lowest order bit in the bitmap
		136	* @bitmap: the category bitmap
		137	* @next: pointer to the next bitmap "node" or NULL
		138	*
		139	* Description:
		140	* This structure is used to represent category bitmaps. Due to the large
		141	* number of categories supported by most labeling protocols it is not
		142	* practical to transfer a full bitmap internally so NetLabel adopts a sparse
		143	* bitmap structure modeled after SELinux's ebitmap structure.
		144	* The catmap bitmap field MUST be a power of two in length and large
115	* enough to hold at least 240 bits. Special care (i.e. check the code!)	145	* enough to hold at least 240 bits. Special care (i.e. check the code!)
116	* should be used when changing these values as the LSM implementation	146	* should be used when changing these values as the LSM implementation
117	* probably has functions which rely on the sizes of these types to speed	147	* probably has functions which rely on the sizes of these types to speed
118	* processing. */	148	* processing.
		149	*
		150	*/
119	#define NETLBL_CATMAP_MAPTYPE u64	151	#define NETLBL_CATMAP_MAPTYPE u64
120	#define NETLBL_CATMAP_MAPCNT 4	152	#define NETLBL_CATMAP_MAPCNT 4
121	#define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)	153	#define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
@@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap {
127	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];	159	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
128	struct netlbl_lsm_secattr_catmap *next;	160	struct netlbl_lsm_secattr_catmap *next;
129	};	161	};
		162
		163	/**
		164	* struct netlbl_lsm_secattr - NetLabel LSM security attributes
		165	* @flags: indicate which attributes are contained in this structure
		166	* @type: indicate the NLTYPE of the attributes
		167	* @domain: the NetLabel LSM domain
		168	* @cache: NetLabel LSM specific cache
		169	* @attr.mls: MLS sensitivity label
		170	* @attr.mls.cat: MLS category bitmap
		171	* @attr.mls.lvl: MLS sensitivity level
		172	* @attr.secid: LSM specific secid token
		173	*
		174	* Description:
		175	* This structure is used to pass security attributes between NetLabel and the
		176	* LSM modules. The flags field is used to specify which fields within the
		177	* struct are valid and valid values can be created by bitwise OR'ing the
		178	* NETLBL_SECATTR_* defines. The domain field is typically set by the LSM to
		179	* specify domain specific configuration settings and is not usually used by
		180	* NetLabel itself when returning security attributes to the LSM.
		181	*
		182	*/
130	#define NETLBL_SECATTR_NONE 0x00000000	183	#define NETLBL_SECATTR_NONE 0x00000000
131	#define NETLBL_SECATTR_DOMAIN 0x00000001	184	#define NETLBL_SECATTR_DOMAIN 0x00000001
132	#define NETLBL_SECATTR_CACHE 0x00000002	185	#define NETLBL_SECATTR_CACHE 0x00000002
133	#define NETLBL_SECATTR_MLS_LVL 0x00000004	186	#define NETLBL_SECATTR_MLS_LVL 0x00000004
134	#define NETLBL_SECATTR_MLS_CAT 0x00000008	187	#define NETLBL_SECATTR_MLS_CAT 0x00000008
		188	#define NETLBL_SECATTR_SECID 0x00000010
135	#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL \| \	189	#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL \| \
136	NETLBL_SECATTR_MLS_CAT)	190	NETLBL_SECATTR_MLS_CAT \| \
		191	NETLBL_SECATTR_SECID)
137	struct netlbl_lsm_secattr {	192	struct netlbl_lsm_secattr {
138	u32 flags;	193	u32 flags;
139		194	u32 type;
140	char *domain;	195	char *domain;
141
142	u32 mls_lvl;
143	struct netlbl_lsm_secattr_catmap *mls_cat;
144
145	struct netlbl_lsm_cache *cache;	196	struct netlbl_lsm_cache *cache;
		197	union {
		198	struct {
		199	struct netlbl_lsm_secattr_catmap *cat;
		200	u32 lvl;
		201	} mls;
		202	u32 secid;
		203	} attr;
146	};	204	};
147		205
148	/*	206	/*
@@ -231,10 +289,7 @@ static inline void netlbl_secattr_catmap_free(
231	*/	289	*/
232	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)	290	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
233	{	291	{
234	secattr->flags = 0;	292	memset(secattr, 0, sizeof(*secattr));
235	secattr->domain = NULL;
236	secattr->mls_cat = NULL;
237	secattr->cache = NULL;
238	}	293	}
239		294
240	/**	295	/**
@@ -248,11 +303,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
248	*/	303	*/
249	static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)	304	static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
250	{	305	{
251	if (secattr->cache)
252	netlbl_secattr_cache_free(secattr->cache);
253	kfree(secattr->domain);	306	kfree(secattr->domain);
254	if (secattr->mls_cat)	307	if (secattr->flags & NETLBL_SECATTR_CACHE)
255	netlbl_secattr_catmap_free(secattr->mls_cat);	308	netlbl_secattr_cache_free(secattr->cache);
		309	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
		310	netlbl_secattr_catmap_free(secattr->attr.mls.cat);
256	}	311	}
257		312
258	/**	313	/**
@@ -300,7 +355,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
300	gfp_t flags);	355	gfp_t flags);
301		356
302	/*	357	/*
303	* LSM protocol operations	358	* LSM protocol operations (NetLabel LSM/kernel API)
304	*/	359	*/
305	int netlbl_enabled(void);	360	int netlbl_enabled(void);
306	int netlbl_sock_setattr(struct sock *sk,	361	int netlbl_sock_setattr(struct sock *sk,