NetLabel: Introduce static network labels for unlabeled connections (8cc44579) · Commits · 戴 / test

include/net/netlabel.h

+5 −1

Original line number	Diff line number	Diff line
		@@ -67,7 +67,11 @@
		* NetLabel NETLINK protocol
		*/

		#define NETLBL_PROTO_VERSION 1
		/* NetLabel NETLINK protocol version
		* 1: initial version
		* 2: added static labels for unlabeled connections
		*/
		#define NETLBL_PROTO_VERSION 2

		/* NetLabel NETLINK types/families */
		#define NETLBL_NLTYPE_NONE 0

net/netlabel/netlabel_kapi.c

+7 −9

Original line number	Diff line number	Diff line
		@@ -312,7 +312,7 @@ socket_setattr_return:
		* @secattr: the security attributes
		*
		* Description:
		* Examines the given sock to see any NetLabel style labeling has been
		* Examines the given sock to see if any NetLabel style labeling has been
		* applied to the sock, if so it parses the socket label and returns the
		* security attributes in @secattr. Returns zero on success, negative values
		* on failure.
		@@ -320,13 +320,7 @@ socket_setattr_return:
		*/
		int netlbl_sock_getattr(struct sock sk, struct netlbl_lsm_secattr secattr)
		{
		int ret_val;

		ret_val = cipso_v4_sock_getattr(sk, secattr);
		if (ret_val == 0)
		return 0;

		return netlbl_unlabel_getattr(secattr);
		return cipso_v4_sock_getattr(sk, secattr);
		}

		/**
		@@ -350,7 +344,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
		cipso_v4_skbuff_getattr(skb, secattr) == 0)
		return 0;

		return netlbl_unlabel_getattr(secattr);
		return netlbl_unlabel_getattr(skb, family, secattr);
		}

		/**
		@@ -434,6 +428,10 @@ static int __init netlbl_init(void)
		if (ret_val != 0)
		goto init_failure;

		ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
		if (ret_val != 0)
		goto init_failure;

		ret_val = netlbl_netlink_init();
		if (ret_val != 0)
		goto init_failure;

net/netlabel/netlabel_unlabeled.c

+1368 −7

File changed.

Preview size limit exceeded, changes collapsed.

net/netlabel/netlabel_unlabeled.h

+144 −1

Original line number	Diff line number	Diff line
		@@ -36,6 +36,116 @@
		/*
		* The following NetLabel payloads are supported by the Unlabeled subsystem.
		*
		* o STATICADD
		* This message is sent from an application to add a new static label for
		* incoming unlabeled connections.
		*
		* Required attributes:
		*
		* NLBL_UNLABEL_A_IFACE
		* NLBL_UNLABEL_A_SECCTX
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o STATICREMOVE
		* This message is sent from an application to remove an existing static
		* label for incoming unlabeled connections.
		*
		* Required attributes:
		*
		* NLBL_UNLABEL_A_IFACE
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o STATICLIST
		* This message can be sent either from an application or by the kernel in
		* response to an application generated STATICLIST message. When sent by an
		* application there is no payload and the NLM_F_DUMP flag should be set.
		* The kernel should response with a series of the following messages.
		*
		* Required attributes:
		*
		* NLBL_UNLABEL_A_IFACE
		* NLBL_UNLABEL_A_SECCTX
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o STATICADDDEF
		* This message is sent from an application to set the default static
		* label for incoming unlabeled connections.
		*
		* Required attribute:
		*
		* NLBL_UNLABEL_A_SECCTX
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o STATICREMOVEDEF
		* This message is sent from an application to remove the existing default
		* static label for incoming unlabeled connections.
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o STATICLISTDEF
		* This message can be sent either from an application or by the kernel in
		* response to an application generated STATICLISTDEF message. When sent by
		* an application there is no payload and the NLM_F_DUMP flag should be set.
		* The kernel should response with the following message.
		*
		* Required attribute:
		*
		* NLBL_UNLABEL_A_SECCTX
		*
		* If IPv4 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV4ADDR
		* NLBL_UNLABEL_A_IPV4MASK
		*
		* If IPv6 is specified the following attributes are required:
		*
		* NLBL_UNLABEL_A_IPV6ADDR
		* NLBL_UNLABEL_A_IPV6MASK
		*
		* o ACCEPT
		* This message is sent from an application to specify if the kernel should
		* allow unlabled packets to pass if they do not match any of the static
		@@ -62,6 +172,12 @@ enum {
		NLBL_UNLABEL_C_UNSPEC,
		NLBL_UNLABEL_C_ACCEPT,
		NLBL_UNLABEL_C_LIST,
		NLBL_UNLABEL_C_STATICADD,
		NLBL_UNLABEL_C_STATICREMOVE,
		NLBL_UNLABEL_C_STATICLIST,
		NLBL_UNLABEL_C_STATICADDDEF,
		NLBL_UNLABEL_C_STATICREMOVEDEF,
		NLBL_UNLABEL_C_STATICLISTDEF,
		__NLBL_UNLABEL_C_MAX,
		};
		#define NLBL_UNLABEL_C_MAX (__NLBL_UNLABEL_C_MAX - 1)
		@@ -73,6 +189,24 @@ enum {
		/* (NLA_U8)
		* if true then unlabeled packets are allowed to pass, else unlabeled
		* packets are rejected */
		NLBL_UNLABEL_A_IPV6ADDR,
		/* (NLA_BINARY, struct in6_addr)
		* an IPv6 address */
		NLBL_UNLABEL_A_IPV6MASK,
		/* (NLA_BINARY, struct in6_addr)
		* an IPv6 address mask */
		NLBL_UNLABEL_A_IPV4ADDR,
		/* (NLA_BINARY, struct in_addr)
		* an IPv4 address */
		NLBL_UNLABEL_A_IPV4MASK,
		/* (NLA_BINARY, struct in_addr)
		* and IPv4 address mask */
		NLBL_UNLABEL_A_IFACE,
		/* (NLA_NULL_STRING)
		* network interface */
		NLBL_UNLABEL_A_SECCTX,
		/* (NLA_BINARY)
		* a LSM specific security context */
		__NLBL_UNLABEL_A_MAX,
		};
		#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
		@@ -80,8 +214,17 @@ enum {
		/* NetLabel protocol functions */
		int netlbl_unlabel_genl_init(void);

		/* Unlabeled connection hash table size */
		/* XXX - currently this number is an uneducated guess */
		#define NETLBL_UNLHSH_BITSIZE 7

		/* General Unlabeled init function */
		int netlbl_unlabel_init(u32 size);

		/* Process Unlabeled incoming network packets */
		int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr);
		int netlbl_unlabel_getattr(const struct sk_buff *skb,
		u16 family,
		struct netlbl_lsm_secattr *secattr);

		/* Set the default configuration to allow Unlabeled packets */
		int netlbl_unlabel_defconf(void);

Admin message