diff options
| author | Paul Moore <paul.moore@hp.com> | 2006-08-03 19:48:06 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:33 -0400 |
| commit | 446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (patch) | |
| tree | 1e095b7f705fafe0e301b7ce0c61a1f92a2a6a8d /net/ipv4/sysctl_net_ipv4.c | |
| parent | 11a03f78fbf15a866ba3bf6359a75cdfd1ced703 (diff) | |
[NetLabel]: CIPSOv4 engine
Add support for the Commercial IP Security Option (CIPSO) to the IPv4
network stack. CIPSO has become a de-facto standard for
trusted/labeled networking amongst existing Trusted Operating Systems
such as Trusted Solaris, HP-UX CMW, etc. This implementation is
designed to be used with the NetLabel subsystem to provide explicit
packet labeling to LSM developers.
The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API
function which attaches a CIPSO label (IPv4 option) to a given socket;
this in turn attaches the CIPSO label to every packet leaving the
socket without any extra processing on the outbound side. On the
inbound side the individual packet's sk_buff is examined through a
call to a NetLabel API function to determine if a CIPSO/IPv4 label is
present and if so the security attributes of the CIPSO label are
returned to the caller of the NetLabel API function.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/sysctl_net_ipv4.c')
| -rw-r--r-- | net/ipv4/sysctl_net_ipv4.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 70cea9d08a38..19b2071ff319 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c | |||
| @@ -17,6 +17,7 @@ | |||
| 17 | #include <net/ip.h> | 17 | #include <net/ip.h> |
| 18 | #include <net/route.h> | 18 | #include <net/route.h> |
| 19 | #include <net/tcp.h> | 19 | #include <net/tcp.h> |
| 20 | #include <net/cipso_ipv4.h> | ||
| 20 | 21 | ||
| 21 | /* From af_inet.c */ | 22 | /* From af_inet.c */ |
| 22 | extern int sysctl_ip_nonlocal_bind; | 23 | extern int sysctl_ip_nonlocal_bind; |
| @@ -697,6 +698,40 @@ ctl_table ipv4_table[] = { | |||
| 697 | .mode = 0644, | 698 | .mode = 0644, |
| 698 | .proc_handler = &proc_dointvec | 699 | .proc_handler = &proc_dointvec |
| 699 | }, | 700 | }, |
| 701 | #ifdef CONFIG_NETLABEL | ||
| 702 | { | ||
| 703 | .ctl_name = NET_CIPSOV4_CACHE_ENABLE, | ||
| 704 | .procname = "cipso_cache_enable", | ||
| 705 | .data = &cipso_v4_cache_enabled, | ||
| 706 | .maxlen = sizeof(int), | ||
| 707 | .mode = 0644, | ||
| 708 | .proc_handler = &proc_dointvec, | ||
| 709 | }, | ||
| 710 | { | ||
| 711 | .ctl_name = NET_CIPSOV4_CACHE_BUCKET_SIZE, | ||
| 712 | .procname = "cipso_cache_bucket_size", | ||
| 713 | .data = &cipso_v4_cache_bucketsize, | ||
| 714 | .maxlen = sizeof(int), | ||
| 715 | .mode = 0644, | ||
| 716 | .proc_handler = &proc_dointvec, | ||
| 717 | }, | ||
| 718 | { | ||
| 719 | .ctl_name = NET_CIPSOV4_RBM_OPTFMT, | ||
| 720 | .procname = "cipso_rbm_optfmt", | ||
| 721 | .data = &cipso_v4_rbm_optfmt, | ||
| 722 | .maxlen = sizeof(int), | ||
| 723 | .mode = 0644, | ||
| 724 | .proc_handler = &proc_dointvec, | ||
| 725 | }, | ||
| 726 | { | ||
| 727 | .ctl_name = NET_CIPSOV4_RBM_STRICTVALID, | ||
| 728 | .procname = "cipso_rbm_strictvalid", | ||
| 729 | .data = &cipso_v4_rbm_strictvalid, | ||
| 730 | .maxlen = sizeof(int), | ||
| 731 | .mode = 0644, | ||
| 732 | .proc_handler = &proc_dointvec, | ||
| 733 | }, | ||
| 734 | #endif /* CONFIG_NETLABEL */ | ||
| 700 | { .ctl_name = 0 } | 735 | { .ctl_name = 0 } |
| 701 | }; | 736 | }; |
| 702 | 737 | ||