diff options
author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:32 -0400 |
---|---|---|
committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:32 -0400 |
commit | 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch) | |
tree | a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /include | |
parent | 63c41688743760631188cf0f4ae986a6793ccb0a (diff) |
netlabel: Add functionality to set the security attributes of a packet
This patch builds upon the new NetLabel address selector functionality by
providing the NetLabel KAPI and CIPSO engine support needed to enable the
new packet-based labeling. The only new addition to the NetLabel KAPI at
this point is shown below:
* int netlbl_skbuff_setattr(skb, family, secattr)
... and is designed to be called from a Netfilter hook after the packet's
IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
This patch also provides the necessary SELinux hooks to support this new
functionality. Smack support is not currently included due to uncertainty
regarding the permissions needed to expand the Smack network access controls.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/cipso_ipv4.h | 16 | ||||
-rw-r--r-- | include/net/netlabel.h | 9 |
2 files changed, 25 insertions, 0 deletions
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 5fe6556fb3c5..2ce093ba553d 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h | |||
@@ -208,6 +208,10 @@ int cipso_v4_sock_setattr(struct sock *sk, | |||
208 | const struct cipso_v4_doi *doi_def, | 208 | const struct cipso_v4_doi *doi_def, |
209 | const struct netlbl_lsm_secattr *secattr); | 209 | const struct netlbl_lsm_secattr *secattr); |
210 | int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); | 210 | int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); |
211 | int cipso_v4_skbuff_setattr(struct sk_buff *skb, | ||
212 | const struct cipso_v4_doi *doi_def, | ||
213 | const struct netlbl_lsm_secattr *secattr); | ||
214 | int cipso_v4_skbuff_delattr(struct sk_buff *skb); | ||
211 | int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | 215 | int cipso_v4_skbuff_getattr(const struct sk_buff *skb, |
212 | struct netlbl_lsm_secattr *secattr); | 216 | struct netlbl_lsm_secattr *secattr); |
213 | int cipso_v4_validate(unsigned char **option); | 217 | int cipso_v4_validate(unsigned char **option); |
@@ -232,6 +236,18 @@ static inline int cipso_v4_sock_getattr(struct sock *sk, | |||
232 | return -ENOSYS; | 236 | return -ENOSYS; |
233 | } | 237 | } |
234 | 238 | ||
239 | static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb, | ||
240 | const struct cipso_v4_doi *doi_def, | ||
241 | const struct netlbl_lsm_secattr *secattr) | ||
242 | { | ||
243 | return -ENOSYS; | ||
244 | } | ||
245 | |||
246 | static inline int cipso_v4_skbuff_delattr(struct sk_buff *skb) | ||
247 | { | ||
248 | return -ENOSYS; | ||
249 | } | ||
250 | |||
235 | static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | 251 | static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, |
236 | struct netlbl_lsm_secattr *secattr) | 252 | struct netlbl_lsm_secattr *secattr) |
237 | { | 253 | { |
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 0729f8ce5042..3f67e6d49e40 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
@@ -382,6 +382,9 @@ int netlbl_sock_setattr(struct sock *sk, | |||
382 | const struct netlbl_lsm_secattr *secattr); | 382 | const struct netlbl_lsm_secattr *secattr); |
383 | int netlbl_sock_getattr(struct sock *sk, | 383 | int netlbl_sock_getattr(struct sock *sk, |
384 | struct netlbl_lsm_secattr *secattr); | 384 | struct netlbl_lsm_secattr *secattr); |
385 | int netlbl_skbuff_setattr(struct sk_buff *skb, | ||
386 | u16 family, | ||
387 | const struct netlbl_lsm_secattr *secattr); | ||
385 | int netlbl_skbuff_getattr(const struct sk_buff *skb, | 388 | int netlbl_skbuff_getattr(const struct sk_buff *skb, |
386 | u16 family, | 389 | u16 family, |
387 | struct netlbl_lsm_secattr *secattr); | 390 | struct netlbl_lsm_secattr *secattr); |
@@ -451,6 +454,12 @@ static inline int netlbl_sock_getattr(struct sock *sk, | |||
451 | { | 454 | { |
452 | return -ENOSYS; | 455 | return -ENOSYS; |
453 | } | 456 | } |
457 | static inline int netlbl_skbuff_setattr(struct sk_buff *skb, | ||
458 | u16 family, | ||
459 | const struct netlbl_lsm_secattr *secattr) | ||
460 | { | ||
461 | return -ENOSYS; | ||
462 | } | ||
454 | static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, | 463 | static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, |
455 | u16 family, | 464 | u16 family, |
456 | struct netlbl_lsm_secattr *secattr) | 465 | struct netlbl_lsm_secattr *secattr) |