netdev.vger.kernel.org archive mirror
From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v7 17/17] netlabel: Add configuration support for local labeling
Date: Mon, 06 Oct 2008 15:21:43 -0400
Message-ID: <20081006192143.15686.12845.stgit@flek.lan>
In-Reply-To: <20081006191516.15686.80823.stgit@flek.lan>

Add the necessary NetLabel support for the new CIPSO mapping,
CIPSO_V4_MAP_LOCAL, which allows full LSM label/context support.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
---

 include/net/netlabel.h           |    3 ++-
 net/netlabel/netlabel_cipso_v4.c |   41 ++++++++++++++++++++++++++++++++++++++
 net/netlabel/netlabel_cipso_v4.h |    6 ++++--
 net/netlabel/netlabel_kapi.c     |    3 +++
 4 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index d56517a..17c442a 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -72,7 +72,8 @@ struct cipso_v4_doi;
 /* NetLabel NETLINK protocol version
  *  1: initial version
  *  2: added static labels for unlabeled connections
- *  3: network selectors added to the NetLabel/LSM domain mapping
+ *  3: network selectors added to the NetLabel/LSM domain mapping and the
+ *     CIPSO_V4_MAP_LOCAL CIPSO mapping was added
  */
 #define NETLBL_PROTO_VERSION            3
 
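Review bot: NETLBL_PROTO_VERSION stays at 3 while the comment now lists a second feature under that version, so userspace cannot use the version number alone to tell whether the kernel accepts CIPSO_V4_MAP_LOCAL. That is fine only if the network selectors and the local mapping always ship together; say so in the commit message, or bump the version if the two can ever be separated.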
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index db83a67..fff32b7 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -365,6 +365,43 @@ add_pass_failure:
 }
 
 /**
+ * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
+ * @info: the Generic NETLINK info block
+ *
+ * Description:
+ * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
+ * message and add it to the CIPSO V4 engine.  Return zero on success and
+ * non-zero on error.
+ *
+ */
+static int netlbl_cipsov4_add_local(struct genl_info *info)
+{
+	int ret_val;
+	struct cipso_v4_doi *doi_def = NULL;
+
+	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
+		return -EINVAL;
+
+	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
+	if (doi_def == NULL)
+		return -ENOMEM;
+	doi_def->type = CIPSO_V4_MAP_LOCAL;
+
+	ret_val = netlbl_cipsov4_add_common(info, doi_def);
+	if (ret_val != 0)
+		goto add_local_failure;
+
+	ret_val = cipso_v4_doi_add(doi_def);
+	if (ret_val != 0)
+		goto add_local_failure;
+	return 0;
+
+add_local_failure:
+	cipso_v4_doi_free(doi_def);
+	return ret_val;
+}
+
+/**
  * netlbl_cipsov4_add - Handle an ADD message
  * @skb: the NETLINK buffer
  * @info: the Generic NETLINK info block
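Review bot: in netlbl_cipsov4_add_local(), doi_def comes from kmalloc() and only ->type is set before netlbl_cipsov4_add_common() runs, yet the add_local_failure path hands the structure to cipso_v4_doi_free(). If add_common can fail before it fills in the remaining fields, the free routine is given uninitialised memory; either confirm it reads nothing beyond ->type for CIPSO_V4_MAP_LOCAL or allocate with kzalloc(). Two smaller points: the "= NULL" initialiser on doi_def is dead because the pointer is assigned before its first use, and the kernel-doc summary line "Adds a CIPSO V4 DOI definition" should name the local mapping so it can be told apart in generated documentation.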
@@ -401,6 +438,10 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
 		type_str = "pass";
 		ret_val = netlbl_cipsov4_add_pass(info);
 		break;
+	case CIPSO_V4_MAP_LOCAL:
+		type_str = "local";
+		ret_val = netlbl_cipsov4_add_local(info);
+		break;
 	}
 	if (ret_val == 0)
 		atomic_inc(&netlabel_mgmt_protocount);
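Review bot: the switch in netlbl_cipsov4_add() closes right after the new CIPSO_V4_MAP_LOCAL case with no default arm, whereas the matching switch in netlabel_kapi.c falls back to "(unknown)". With a third mapping type now accepted, check that type_str and ret_val are given defined values before the switch so an unrecognised type from userspace is rejected and reported consistently, or add an explicit default arm here.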
diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h
index fb3957f..c8a4079 100644
--- a/net/netlabel/netlabel_cipso_v4.h
+++ b/net/netlabel/netlabel_cipso_v4.h
@@ -50,7 +50,8 @@
  *     NLBL_CIPSOV4_A_MLSLVLLST
  *     NLBL_CIPSOV4_A_MLSCATLST
  *
- *   If using CIPSO_V4_MAP_PASS no additional attributes are required.
+ *   If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes
+ *   are required.
  *
  * o REMOVE:
  *   Sent by an application to remove a specific DOI mapping table from the
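Review bot: the ADD documentation now says CIPSO_V4_MAP_LOCAL needs "no additional attributes", but netlbl_cipsov4_add_local() returns -EINVAL when NLBL_CIPSOV4_A_TAGLST is absent. Make sure the required-attribute list above this context names the tag list for every mapping type, or reword the sentence to say that only the MLS level and category lists can be omitted for PASS and LOCAL.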
@@ -81,7 +82,8 @@
  *     NLBL_CIPSOV4_A_MLSLVLLST
  *     NLBL_CIPSOV4_A_MLSCATLST
  *
- *   If using CIPSO_V4_MAP_PASS no additional attributes are required.
+ *   If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes
+ *   are required.
  *
  * o LISTALL:
  *   This message is sent by an application to list the valid DOIs on the
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 8435b15..b32eceb 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -163,6 +163,9 @@ cfg_cipsov4_add_map_return:
 		case CIPSO_V4_MAP_PASS:
 			type_str = "pass";
 			break;
+		case CIPSO_V4_MAP_LOCAL:
+			type_str = "local";
+			break;
 		default:
 			type_str = "(unknown)";
 		}
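Review bot: the "local" string for CIPSO_V4_MAP_LOCAL is now hard-coded in this switch and again in netlbl_cipsov4_add(), so the two type-to-name tables can drift when the next mapping type is added. Consider a single helper that maps the CIPSO mapping type to its name and use it at both sites.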

