authorPaul Moore <paul.moore@hp.com>2008-01-29 08:44:21 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:28 -0500
commit8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd (patch)
tree802d46ff2b1b1700a3baa726d2aa4aba320376c9 /net/netlabel/netlabel_unlabeled.h
parent5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8 (diff)
NetLabel: Introduce static network labels for unlabeled connections
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first checks to see if any recognized NetLabel packet labeling protocols are in use on the packet. If none can be found then the unlabeled connection table is queried and, based on the packet's incoming interface and address, it is matched with a security label as configured by the administrator using the netlabel_tools package. The matching security label is returned to the caller just as if the packet was explicitly labeled using a labeling protocol. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel/netlabel_unlabeled.h')
-rw-r--r--net/netlabel/netlabel_unlabeled.h145
1 files changed, 144 insertions, 1 deletions
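diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h
index c2917fbb42cf..06b1301ac072 100644
--- a/net/netlabel/netlabel_unlabeled.h
+++ b/net/netlabel/netlabel_unlabeled.h
@@ -36,6 +36,116 @@
 /*
  * The following NetLabel payloads are supported by the Unlabeled subsystem.
  *
+ * o STATICADD
+ * This message is sent from an application to add a new static label for
+ * incoming unlabeled connections.
+ *
+ * Required attributes:
+ *
+ * NLBL_UNLABEL_A_IFACE
+ * NLBL_UNLABEL_A_SECCTX
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
+ * o STATICREMOVE
+ * This message is sent from an application to remove an existing static
+ * label for incoming unlabeled connections.
+ *
+ * Required attributes:
+ *
+ * NLBL_UNLABEL_A_IFACE
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
+ * o STATICLIST
+ * This message can be sent either from an application or by the kernel in
+ * response to an application generated STATICLIST message. When sent by an
+ * application there is no payload and the NLM_F_DUMP flag should be set.
+ * The kernel should response with a series of the following messages.
+ *
+ * Required attributes:
+ *
+ * NLBL_UNLABEL_A_IFACE
+ * NLBL_UNLABEL_A_SECCTX
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
+ * o STATICADDDEF
+ * This message is sent from an application to set the default static
+ * label for incoming unlabeled connections.
+ *
+ * Required attribute:
+ *
+ * NLBL_UNLABEL_A_SECCTX
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
+ * o STATICREMOVEDEF
+ * This message is sent from an application to remove the existing default
+ * static label for incoming unlabeled connections.
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
+ * o STATICLISTDEF
+ * This message can be sent either from an application or by the kernel in
+ * response to an application generated STATICLISTDEF message. When sent by
+ * an application there is no payload and the NLM_F_DUMP flag should be set.
+ * The kernel should response with the following message.
+ *
+ * Required attribute:
+ *
+ * NLBL_UNLABEL_A_SECCTX
+ *
+ * If IPv4 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV4ADDR
+ * NLBL_UNLABEL_A_IPV4MASK
+ *
+ * If IPv6 is specified the following attributes are required:
+ *
+ * NLBL_UNLABEL_A_IPV6ADDR
+ * NLBL_UNLABEL_A_IPV6MASK
+ *
  * o ACCEPT
  * This message is sent from an application to specify if the kernel should
  * allow unlabled packets to pass if they do not match any of the static
@@ -62,6 +172,12 @@ enum {
 	NLBL_UNLABEL_C_UNSPEC,
 	NLBL_UNLABEL_C_ACCEPT,
 	NLBL_UNLABEL_C_LIST,
+	NLBL_UNLABEL_C_STATICADD,
+	NLBL_UNLABEL_C_STATICREMOVE,
+	NLBL_UNLABEL_C_STATICLIST,
+	NLBL_UNLABEL_C_STATICADDDEF,
+	NLBL_UNLABEL_C_STATICREMOVEDEF,
+	NLBL_UNLABEL_C_STATICLISTDEF,
 	__NLBL_UNLABEL_C_MAX,
 };
 #define NLBL_UNLABEL_C_MAX (__NLBL_UNLABEL_C_MAX - 1)
@@ -73,6 +189,24 @@ enum {
 	/* (NLA_U8)
 	 * if true then unlabeled packets are allowed to pass, else unlabeled
 	 * packets are rejected */
+	NLBL_UNLABEL_A_IPV6ADDR,
+	/* (NLA_BINARY, struct in6_addr)
+	 * an IPv6 address */
+	NLBL_UNLABEL_A_IPV6MASK,
+	/* (NLA_BINARY, struct in6_addr)
+	 * an IPv6 address mask */
+	NLBL_UNLABEL_A_IPV4ADDR,
+	/* (NLA_BINARY, struct in_addr)
+	 * an IPv4 address */
+	NLBL_UNLABEL_A_IPV4MASK,
+	/* (NLA_BINARY, struct in_addr)
+	 * and IPv4 address mask */
+	NLBL_UNLABEL_A_IFACE,
+	/* (NLA_NULL_STRING)
+	 * network interface */
+	NLBL_UNLABEL_A_SECCTX,
+	/* (NLA_BINARY)
+	 * a LSM specific security context */
 	__NLBL_UNLABEL_A_MAX,
 };
 #define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
@@ -80,8 +214,17 @@ enum {
 /* NetLabel protocol functions */
 int netlbl_unlabel_genl_init(void);
 
+/* Unlabeled connection hash table size */
+/* XXX - currently this number is an uneducated guess */
+#define NETLBL_UNLHSH_BITSIZE 7
+
+/* General Unlabeled init function */
+int netlbl_unlabel_init(u32 size);
+
 /* Process Unlabeled incoming network packets */
-int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr);
+int netlbl_unlabel_getattr(const struct sk_buff *skb,
+			   u16 family,
+			   struct netlbl_lsm_secattr *secattr);
 
 /* Set the default configuration to allow Unlabeled packets */
 int netlbl_unlabel_defconf(void);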
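Review bot: The new attribute comments in the `@@ -73,6 +189,24 @@` hunk describe the address and mask attributes as `(NLA_BINARY, struct in6_addr)` and `(NLA_BINARY, struct in_addr)`, but an `NLA_BINARY` policy entry only bounds the maximum length, so whatever copies these attributes into a `struct in6_addr` or `struct in_addr` must also reject anything shorter with a `nla_len() == sizeof(...)` check; the policy table and handlers live outside this header, so that check cannot be confirmed from here and is worth stating in the comment, e.g. `/* (NLA_BINARY, struct in6_addr) - exactly sizeof(struct in6_addr) bytes */`. The `NLBL_UNLABEL_A_IFACE` comment names `NLA_NULL_STRING`; the netlink policy type is spelled `NLA_NUL_STRING`, so the comment should read `/* (NLA_NUL_STRING)`. The `NLBL_UNLABEL_A_IPV4MASK` comment `* and IPv4 address mask */` should read `* an IPv4 address mask */`. In the first hunk both the STATICLIST and STATICLISTDEF descriptions say `The kernel should response with`, where `respond` is meant. In the last hunk `int netlbl_unlabel_init(u32 size);` does not say whether `size` is a bucket count or the bit size that `NETLBL_UNLHSH_BITSIZE 7` suggests; a one-line comment pinning that contract would keep callers from passing the wrong unit.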