| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 1 | ===================== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 2 | NetLabel Introduction |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 3 | ===================== |
| 4 | |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 5 | Paul Moore, paul.moore@hp.com |
| 6 | |
| 7 | August 2, 2006 |
| 8 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 9 | Overview |
| 10 | ======== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 11 | |
| 12 | NetLabel is a mechanism which can be used by kernel security modules to attach |
| 13 | security attributes to outgoing network packets generated from user space |
| 14 | applications and read security attributes from incoming network packets. It |
| 15 | is composed of three main components, the protocol engines, the communication |
| 16 | layer, and the kernel security module API. |
| 17 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 18 | Protocol Engines |
| 19 | ================ |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 20 | |
| 21 | The protocol engines are responsible for both applying and retrieving the |
| 22 | network packet's security attributes. If any translation between the network |
| 23 | security attributes and those on the host are required then the protocol |
| 24 | engine will handle those tasks as well. Other kernel subsystems should |
| 25 | refrain from calling the protocol engines directly, instead they should use |
| 26 | the NetLabel kernel security module API described below. |
| 27 | |
| 28 | Detailed information about each NetLabel protocol engine can be found in this |
| Henrik Austad | a7ddcea | 2018-09-04 00:15:23 +0200 | [diff] [blame] | 29 | directory. |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 30 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 31 | Communication Layer |
| 32 | =================== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 33 | |
| 34 | The communication layer exists to allow NetLabel configuration and monitoring |
| 35 | from user space. The NetLabel communication layer uses a message based |
| 36 | protocol built on top of the Generic NETLINK transport mechanism. The exact |
| 37 | formatting of these NetLabel messages as well as the Generic NETLINK family |
| Michael Opdenacker | 59c5159 | 2007-05-09 08:57:56 +0200 | [diff] [blame] | 38 | names can be found in the 'net/netlabel/' directory as comments in the |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 39 | header files as well as in 'include/net/netlabel.h'. |
| 40 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 41 | Security Module API |
| 42 | =================== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 43 | |
| 44 | The purpose of the NetLabel security module API is to provide a protocol |
| 45 | independent interface to the underlying NetLabel protocol engines. In addition |
| 46 | to protocol independence, the security module API is designed to be completely |
| 47 | LSM independent which should allow multiple LSMs to leverage the same code |
| 48 | base. |
| 49 | |
| 50 | Detailed information about the NetLabel security module API can be found in the |
| 51 | 'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file |
| 52 | found in this directory. |