Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 446fda4f authored by Paul Moore's avatar Paul Moore Committed by David S. Miller
Browse files

[NetLabel]: CIPSOv4 engine 



Add support for the Commercial IP Security Option (CIPSO) to the IPv4
network stack.  CIPSO has become a de-facto standard for
trusted/labeled networking amongst existing Trusted Operating Systems
such as Trusted Solaris, HP-UX CMW, etc.  This implementation is
designed to be used with the NetLabel subsystem to provide explicit
packet labeling to LSM developers.

The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API
function which attaches a CIPSO label (IPv4 option) to a given socket;
this in turn attaches the CIPSO label to every packet leaving the
socket without any extra processing on the outbound side.  On the
inbound side the individual packet's sk_buff is examined through a
call to a NetLabel API function to determine if a CIPSO/IPv4 label is
present and if so the security attributes of the CIPSO label are
returned to the caller of the NetLabel API function.

Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 11a03f78

include/linux/sysctl.h

+4 −0
Original line number Diff line number Diff line
@@ -411,6 +411,10 @@ enum 
	NET_IPV4_TCP_WORKAROUND_SIGNED_WINDOWS=115,

	NET_TCP_DMA_COPYBREAK=116,

	NET_TCP_SLOW_START_AFTER_IDLE=117,

	NET_CIPSOV4_CACHE_ENABLE=118,

	NET_CIPSOV4_CACHE_BUCKET_SIZE=119,

	NET_CIPSOV4_RBM_OPTFMT=120,

	NET_CIPSOV4_RBM_STRICTVALID=121,

};



enum {

net/ipv4/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -47,6 +47,7 @@ obj-$(CONFIG_TCP_CONG_VEGAS) += tcp_vegas.o 
obj-$(CONFIG_TCP_CONG_VENO) += tcp_veno.o

obj-$(CONFIG_TCP_CONG_SCALABLE) += tcp_scalable.o

obj-$(CONFIG_TCP_CONG_LP) += tcp_lp.o

obj-$(CONFIG_NETLABEL) += cipso_ipv4.o



obj-$(CONFIG_XFRM) += xfrm4_policy.o xfrm4_state.o xfrm4_input.o \

		      xfrm4_output.o

net/ipv4/cipso_ipv4.c

0 → 100644
+1607 −0

File added.

Preview size limit exceeded, changes collapsed.

net/ipv4/sysctl_net_ipv4.c

+35 −0
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
#include <net/ip.h>

#include <net/route.h>

#include <net/tcp.h>

#include <net/cipso_ipv4.h>



/* From af_inet.c */

extern int sysctl_ip_nonlocal_bind;
@@ -697,6 +698,40 @@ ctl_table ipv4_table[] = { 
		.mode		= 0644,

		.proc_handler	= &proc_dointvec

	},

#ifdef CONFIG_NETLABEL

	{

		.ctl_name	= NET_CIPSOV4_CACHE_ENABLE,

		.procname	= "cipso_cache_enable",

		.data		= &cipso_v4_cache_enabled,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= &proc_dointvec,

	},

	{

		.ctl_name	= NET_CIPSOV4_CACHE_BUCKET_SIZE,

		.procname	= "cipso_cache_bucket_size",

		.data		= &cipso_v4_cache_bucketsize,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= &proc_dointvec,

	},

	{

		.ctl_name	= NET_CIPSOV4_RBM_OPTFMT,

		.procname	= "cipso_rbm_optfmt",

		.data		= &cipso_v4_rbm_optfmt,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= &proc_dointvec,

	},

	{

		.ctl_name	= NET_CIPSOV4_RBM_STRICTVALID,

		.procname	= "cipso_rbm_strictvalid",

		.data		= &cipso_v4_rbm_strictvalid,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= &proc_dointvec,

	},

#endif /* CONFIG_NETLABEL */

	{ .ctl_name = 0 }

};