netlabel: Add functionality to set the security attributes of a packet

This patch builds upon the new NetLabel address selector functionality by
providing the NetLabel KAPI and CIPSO engine support needed to enable the
new packet-based labeling.  The only new addition to the NetLabel KAPI at
this point is shown below:

 * int netlbl_skbuff_setattr(skb, family, secattr)

... and is designed to be called from a Netfilter hook after the packet's
IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.

This patch also provides the necessary SELinux hooks to support this new
functionality.  Smack support is not currently included due to uncertainty
regarding the permissions needed to expand the Smack network access controls.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>

1 files changed, 60 insertions, 0 deletions

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 8b820dc98060..cc8047d1f505 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -473,6 +473,66 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 }
 
 /**
+ * netlbl_skbuff_setattr - Label a packet using the correct protocol
+ * @skb: the packet
+ * @family: protocol family
+ * @secattr: the security attributes
+ *
+ * Description:
+ * Attach the correct label to the given packet using the security attributes
+ * specified in @secattr.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_skbuff_setattr(struct sk_buff *skb,
+                          u16 family,
+                          const struct netlbl_lsm_secattr *secattr)
+{
+        int ret_val;
+        struct iphdr *hdr4;
+        struct netlbl_domaddr4_map *af4_entry;
+
+        rcu_read_lock();
+        switch (family) {
+        case AF_INET:
+                hdr4 = ip_hdr(skb);
+                af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
+                                                       hdr4->daddr);
+                if (af4_entry == NULL) {
+                        ret_val = -ENOENT;
+                        goto skbuff_setattr_return;
+                }
+                switch (af4_entry->type) {
+                case NETLBL_NLTYPE_CIPSOV4:
+                        ret_val = cipso_v4_skbuff_setattr(skb,
+                                                   af4_entry->type_def.cipsov4,
+                                                   secattr);
+                        break;
+                case NETLBL_NLTYPE_UNLABELED:
+                        /* just delete the protocols we support for right now
+                         * but we could remove other protocols if needed */
+                        ret_val = cipso_v4_skbuff_delattr(skb);
+                        break;
+                default:
+                        ret_val = -ENOENT;
+                }
+                break;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+        case AF_INET6:
+                /* since we don't support any IPv6 labeling protocols right
+                 * now we can optimize everything away until we do */
+                ret_val = 0;
+                break;
+#endif /* IPv6 */
+        default:
+                ret_val = 0;
+        }
+
+skbuff_setattr_return:
+        rcu_read_unlock();
+        return ret_val;
+}
+
+/**
  * netlbl_skbuff_getattr - Determine the security attributes of a packet
  * @skb: the packet
  * @family: protocol family