| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 1 | ======================================== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 2 | NetLabel Linux Security Module Interface |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 3 | ======================================== |
| 4 | |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 5 | Paul Moore, paul.moore@hp.com |
| 6 | |
| 7 | May 17, 2006 |
| 8 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 9 | Overview |
| 10 | ======== |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 11 | |
| 12 | NetLabel is a mechanism which can set and retrieve security attributes from |
| 13 | network packets. It is intended to be used by LSM developers who want to make |
| 14 | use of a common code base for several different packet labeling protocols. |
| 15 | The NetLabel security module API is defined in 'include/net/netlabel.h' but a |
| 16 | brief overview is given below. |
| 17 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 18 | NetLabel Security Attributes |
| 19 | ============================ |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 20 | |
| 21 | Since NetLabel supports multiple different packet labeling protocols and LSMs |
| 22 | it uses the concept of security attributes to refer to the packet's security |
| 23 | labels. The NetLabel security attributes are defined by the |
| 24 | 'netlbl_lsm_secattr' structure in the NetLabel header file. Internally the |
| 25 | NetLabel subsystem converts the security attributes to and from the correct |
| 26 | low-level packet label depending on the NetLabel build time and run time |
| 27 | configuration. It is up to the LSM developer to translate the NetLabel |
| 28 | security attributes into whatever security identifiers are in use for their |
| 29 | particular LSM. |
| 30 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 31 | NetLabel LSM Protocol Operations |
| 32 | ================================ |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 33 | |
| 34 | These are the functions which allow the LSM developer to manipulate the labels |
| 35 | on outgoing packets as well as read the labels on incoming packets. Functions |
| 36 | exist to operate both on sockets as well as the sk_buffs directly. These high |
| 37 | level functions are translated into low level protocol operations based on how |
| 38 | the administrator has configured the NetLabel subsystem. |
| 39 | |
| Mauro Carvalho Chehab | 593733ab | 2019-06-12 14:52:52 -0300 | [diff] [blame] | 40 | NetLabel Label Mapping Cache Operations |
| 41 | ======================================= |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 42 | |
| 43 | Depending on the exact configuration, translation between the network packet |
| 44 | label and the internal LSM security identifier can be time consuming. The |
| 45 | NetLabel label mapping cache is a caching mechanism which can be used to |
| 46 | sidestep much of this overhead once a mapping has been established. Once the |
| Francis Galiegue | a33f322 | 2010-04-23 00:08:02 +0200 | [diff] [blame] | 47 | LSM has received a packet, used NetLabel to decode its security attributes, |
| Paul Moore | 8802f61 | 2006-08-03 16:45:49 -0700 | [diff] [blame] | 48 | and translated the security attributes into a LSM internal identifier the LSM |
| 49 | can use the NetLabel caching functions to associate the LSM internal |
| 50 | identifier with the network packet's label. This means that in the future |
| 51 | when a incoming packet matches a cached value not only are the internal |
| 52 | NetLabel translation mechanisms bypassed but the LSM translation mechanisms are |
| 53 | bypassed as well which should result in a significant reduction in overhead. |