diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:44:21 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:28 -0500 |
| commit | 8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd (patch) | |
| tree | 802d46ff2b1b1700a3baa726d2aa4aba320376c9 /net/netlabel/netlabel_kapi.c | |
| parent | 5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8 (diff) | |
NetLabel: Introduce static network labels for unlabeled connections
Most trusted OSs, with the exception of Linux, have the ability to specify
static security labels for unlabeled networks. This patch adds this ability to
the NetLabel packet labeling framework.
If the NetLabel subsystem is called to determine the security attributes of an
incoming packet it first checks to see if any recognized NetLabel packet
labeling protocols are in-use on the packet. If none can be found then the
unlabled connection table is queried and based on the packets incoming
interface and address it is matched with a security label as configured by the
administrator using the netlabel_tools package. The matching security label is
returned to the caller just as if the packet was explicitly labeled using a
labeling protocol.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel/netlabel_kapi.c')
| -rw-r--r-- | net/netlabel/netlabel_kapi.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 49146153f235..c69e3e1f05c3 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
| @@ -312,7 +312,7 @@ socket_setattr_return: | |||
| 312 | * @secattr: the security attributes | 312 | * @secattr: the security attributes |
| 313 | * | 313 | * |
| 314 | * Description: | 314 | * Description: |
| 315 | * Examines the given sock to see any NetLabel style labeling has been | 315 | * Examines the given sock to see if any NetLabel style labeling has been |
| 316 | * applied to the sock, if so it parses the socket label and returns the | 316 | * applied to the sock, if so it parses the socket label and returns the |
| 317 | * security attributes in @secattr. Returns zero on success, negative values | 317 | * security attributes in @secattr. Returns zero on success, negative values |
| 318 | * on failure. | 318 | * on failure. |
| @@ -320,13 +320,7 @@ socket_setattr_return: | |||
| 320 | */ | 320 | */ |
| 321 | int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) | 321 | int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) |
| 322 | { | 322 | { |
| 323 | int ret_val; | 323 | return cipso_v4_sock_getattr(sk, secattr); |
| 324 | |||
| 325 | ret_val = cipso_v4_sock_getattr(sk, secattr); | ||
| 326 | if (ret_val == 0) | ||
| 327 | return 0; | ||
| 328 | |||
| 329 | return netlbl_unlabel_getattr(secattr); | ||
| 330 | } | 324 | } |
| 331 | 325 | ||
| 332 | /** | 326 | /** |
| @@ -350,7 +344,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, | |||
| 350 | cipso_v4_skbuff_getattr(skb, secattr) == 0) | 344 | cipso_v4_skbuff_getattr(skb, secattr) == 0) |
| 351 | return 0; | 345 | return 0; |
| 352 | 346 | ||
| 353 | return netlbl_unlabel_getattr(secattr); | 347 | return netlbl_unlabel_getattr(skb, family, secattr); |
| 354 | } | 348 | } |
| 355 | 349 | ||
| 356 | /** | 350 | /** |
| @@ -434,6 +428,10 @@ static int __init netlbl_init(void) | |||
| 434 | if (ret_val != 0) | 428 | if (ret_val != 0) |
| 435 | goto init_failure; | 429 | goto init_failure; |
| 436 | 430 | ||
| 431 | ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE); | ||
| 432 | if (ret_val != 0) | ||
| 433 | goto init_failure; | ||
| 434 | |||
| 437 | ret_val = netlbl_netlink_init(); | 435 | ret_val = netlbl_netlink_init(); |
| 438 | if (ret_val != 0) | 436 | if (ret_val != 0) |
| 439 | goto init_failure; | 437 | goto init_failure; |