Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650_ksu
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5c86c450e2
Branches Tags
android_kernel_...
/
Documentation
/
netlabel
/
lsm_interface.rst

lsm_interface.rst 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 
  1. ========================================
    2. 

  2. NetLabel Linux Security Module Interface
    3. 

  3. ========================================
    4. 

  4. 

  5. Paul Moore, [email protected]
    6. 

  6. 

  7. May 17, 2006
    8. 

  8. 

  9. Overview
    10. 

  10. ========
    11. 

  11. 

  12. NetLabel is a mechanism which can set and retrieve security attributes from
    13. 

  13. network packets.  It is intended to be used by LSM developers who want to make
    14. 

  14. use of a common code base for several different packet labeling protocols.
    15. 

  15. The NetLabel security module API is defined in 'include/net/netlabel.h' but a
    16. 

  16. brief overview is given below.
    17. 

  17. 

  18. NetLabel Security Attributes
    19. 

  19. ============================
    20. 

  20. 

  21. Since NetLabel supports multiple different packet labeling protocols and LSMs
    22. 

  22. it uses the concept of security attributes to refer to the packet's security
    23. 

  23. labels.  The NetLabel security attributes are defined by the
    24. 

  24. 'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
    25. 

  25. NetLabel subsystem converts the security attributes to and from the correct
    26. 

  26. low-level packet label depending on the NetLabel build time and run time
    27. 

  27. configuration.  It is up to the LSM developer to translate the NetLabel
    28. 

  28. security attributes into whatever security identifiers are in use for their
    29. 

  29. particular LSM.
    30. 

  30. 

  31. NetLabel LSM Protocol Operations
    32. 

  32. ================================
    33. 

  33. 

  34. These are the functions which allow the LSM developer to manipulate the labels
    35. 

  35. on outgoing packets as well as read the labels on incoming packets.  Functions
    36. 

  36. exist to operate both on sockets as well as the sk_buffs directly.  These high
    37. 

  37. level functions are translated into low level protocol operations based on how
    38. 

  38. the administrator has configured the NetLabel subsystem.
    39. 

  39. 

  40. NetLabel Label Mapping Cache Operations
    41. 

  41. =======================================
    42. 

  42. 

  43. Depending on the exact configuration, translation between the network packet
    44. 

  44. label and the internal LSM security identifier can be time consuming.  The
    45. 

  45. NetLabel label mapping cache is a caching mechanism which can be used to
    46. 

  46. sidestep much of this overhead once a mapping has been established.  Once the
    47. 

  47. LSM has received a packet, used NetLabel to decode its security attributes,
    48. 

  48. and translated the security attributes into a LSM internal identifier the LSM
    49. 

  49. can use the NetLabel caching functions to associate the LSM internal
    50. 

  50. identifier with the network packet's label.  This means that in the future
    51. 

  51. when a incoming packet matches a cached value not only are the internal
    52. 

  52. NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
    53. 

  53. bypassed as well which should result in a significant reduction in overhead.
    54.