
Documentation / netlabel / lsm_interface.txt


Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.

NetLabel Linux Security Module Interface
==============================================================================
Paul Moore, paul.moore@hp.com

May 17, 2006

 * Overview

NetLabel is a mechanism which can set and retrieve security attributes from
network packets.  It is intended to be used by LSM developers who want to make
use of a common code base for several different packet labeling protocols.
The NetLabel security module API is defined in 'include/net/netlabel.h' but a
brief overview is given below.

 * NetLabel Security Attributes

Since NetLabel supports multiple different packet labeling protocols and LSMs
it uses the concept of security attributes to refer to the packet's security
labels.  The NetLabel security attributes are defined by the
'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
NetLabel subsystem converts the security attributes to and from the correct
low-level packet label depending on the NetLabel build time and run time
configuration.  It is up to the LSM developer to translate the NetLabel
security attributes into whatever security identifiers are in use for their
particular LSM.

 * NetLabel LSM Protocol Operations

These are the functions which allow the LSM developer to manipulate the labels
on outgoing packets as well as read the labels on incoming packets.  Functions
exist to operate both on sockets as well as the sk_buffs directly.  These high
level functions are translated into low level protocol operations based on how
the administrator has configured the NetLabel subsystem.

 * NetLabel Label Mapping Cache Operations

Depending on the exact configuration, translation between the network packet
label and the internal LSM security identifier can be time consuming.  The
NetLabel label mapping cache is a caching mechanism which can be used to
sidestep much of this overhead once a mapping has been established.  Once the
LSM has received a packet, used NetLabel to decode its security attributes,
and translated the security attributes into an LSM internal identifier, the LSM
can use the NetLabel caching functions to associate the LSM internal
identifier with the network packet's label.  This means that in the future
when an incoming packet matches a cached value not only are the internal
NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
bypassed as well, which should result in a significant reduction in overhead.
The cached identifier is only valid for as long as the LSM's own label mapping
stays the same, so the LSM must invalidate the cache whenever that mapping
changes (for example on a policy reload).
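The following is an added, user-space model of the two LSM-side pieces described above (the security attribute structure, and the cache fast path on receive); it is example code written for this page, not code from the NetLabel documentation or from the kernel.  The structure and flag names follow 'include/net/netlabel.h' (netlbl_lsm_secattr, netlbl_lsm_cache, NETLBL_SECATTR_*), but the cache table, the 'struct packet' stand-in for an sk_buff, the toy label-to-secid translation and every function named *_model are assumptions made so the example compiles and runs outside the kernel; the real calls they stand in for are netlbl_secattr_init/destroy, netlbl_skbuff_getattr, netlbl_cache_add and netlbl_cache_invalidate.

```c
/* Added example for this page; not kernel code.  Models how an LSM consumes
 * netlbl_lsm_secattr and uses the NetLabel label mapping cache.  Kernel
 * APIs are replaced by local stand-ins (marked "model"). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag names follow NETLBL_SECATTR_* in include/net/netlabel.h. */
#define NETLBL_SECATTR_CACHE    0x02
#define NETLBL_SECATTR_MLS_LVL  0x04
#define NETLBL_SECATTR_MLS_CAT  0x08

struct netlbl_lsm_cache {            /* LSM-owned value stored in the cache */
    int refcount;                    /* kernel uses refcount_t */
    void (*free)(const void *data);
    void *data;                      /* here: a heap-allocated secid */
};

struct netlbl_lsm_secattr {          /* simplified netlbl_lsm_secattr */
    uint32_t flags;
    struct netlbl_lsm_cache *cache;
    struct { uint32_t lvl; uint64_t cat; } mls;  /* cat: bitmap stand-in */
};

struct packet { uint32_t lvl; uint64_t cat; };   /* assumption: sk_buff stand-in */

static unsigned int slow_path_calls;             /* full LSM translations done */

/* Assumption: stand-in for the LSM's expensive label -> secid mapping. */
static uint32_t lsm_translate_slow(uint32_t lvl, uint64_t cat)
{
    slow_path_calls++;
    return 0x1000u + lvl * 64u + (uint32_t)(cat & 0x3f);
}

/* ---- cache model: keyed by the packet's wire label ---- */
#define CACHE_SLOTS 8
struct cache_slot { int used; uint32_t lvl; uint64_t cat; struct netlbl_lsm_cache *entry; };
static struct cache_slot cache_tbl[CACHE_SLOTS];

static struct netlbl_lsm_cache *cache_get(struct netlbl_lsm_cache *c) { c->refcount++; return c; }
static void cache_put(struct netlbl_lsm_cache *c)
{
    if (--c->refcount == 0) { if (c->free) c->free(c->data); free(c); }
}
static struct netlbl_lsm_cache *cache_lookup(uint32_t lvl, uint64_t cat)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache_tbl[i].used && cache_tbl[i].lvl == lvl && cache_tbl[i].cat == cat)
            return cache_tbl[i].entry;
    return NULL;
}
/* Model of netlbl_cache_add(): store the LSM's cache entry under the packet label. */
static int cache_add_model(const struct packet *pkt, struct netlbl_lsm_secattr *s)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache_tbl[i].used) continue;
        cache_tbl[i] = (struct cache_slot){ 1, pkt->lvl, pkt->cat, cache_get(s->cache) };
        return 0;
    }
    return -1;                       /* cache full: next packet simply takes the slow path */
}
/* Model of netlbl_cache_invalidate(): LSM must call this when its mapping changes. */
static void cache_invalidate(void)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache_tbl[i].used) { cache_put(cache_tbl[i].entry); cache_tbl[i].used = 0; }
}

/* ---- secattr lifecycle models (netlbl_secattr_init / netlbl_secattr_destroy) ---- */
static void secattr_init_model(struct netlbl_lsm_secattr *s) { memset(s, 0, sizeof(*s)); }
static void secattr_destroy_model(struct netlbl_lsm_secattr *s)
{
    if ((s->flags & NETLBL_SECATTR_CACHE) && s->cache) cache_put(s->cache);
}

/* Model of netlbl_skbuff_getattr(): hand back the cached LSM entry if the wire
 * label is known, otherwise decode the label into MLS attributes. */
static void skbuff_getattr_model(const struct packet *pkt, struct netlbl_lsm_secattr *s)
{
    struct netlbl_lsm_cache *c = cache_lookup(pkt->lvl, pkt->cat);
    if (c) { s->cache = cache_get(c); s->flags |= NETLBL_SECATTR_CACHE; return; }
    s->mls.lvl = pkt->lvl; s->mls.cat = pkt->cat;
    s->flags |= NETLBL_SECATTR_MLS_LVL | NETLBL_SECATTR_MLS_CAT;
}

static void secid_free(const void *data) { free((void *)data); }

/* LSM side: use the cached secid when present; otherwise translate and seed the cache. */
static int lsm_secattr_to_secid(const struct packet *pkt, struct netlbl_lsm_secattr *s, uint32_t *secid)
{
    if (s->flags & NETLBL_SECATTR_CACHE) { *secid = *(uint32_t *)s->cache->data; return 0; }
    if (!(s->flags & NETLBL_SECATTR_MLS_LVL)) return -1;   /* unlabeled: caller picks a default */
    *secid = lsm_translate_slow(s->mls.lvl, s->mls.cat);
    uint32_t *copy = malloc(sizeof *copy);
    struct netlbl_lsm_cache *entry = calloc(1, sizeof *entry);
    if (!copy || !entry) { free(copy); free(entry); return 0; }  /* secid still valid, just uncached */
    *copy = *secid;
    entry->refcount = 1; entry->free = secid_free; entry->data = copy;
    s->cache = entry; s->flags |= NETLBL_SECATTR_CACHE;   /* secattr_destroy drops this ref */
    cache_add_model(pkt, s);
    return 0;
}

/* Receive path for one packet: init -> getattr -> translate -> destroy. */
static int handle_packet(const struct packet *pkt, uint32_t *secid)
{
    struct netlbl_lsm_secattr secattr;
    secattr_init_model(&secattr);
    skbuff_getattr_model(pkt, &secattr);
    int rc = lsm_secattr_to_secid(pkt, &secattr, secid);
    secattr_destroy_model(&secattr);
    return rc;
}
static unsigned int slow_path_count(void) { return slow_path_calls; }

int main(void)
{
    const struct packet p1 = { 3, 0x5 }, p2 = { 3, 0x5 }, p3 = { 1, 0x0 };   /* constructed input */
    uint32_t s1, s2, s3;
    handle_packet(&p1, &s1); handle_packet(&p2, &s2); handle_packet(&p3, &s3);
    printf("secids %#x %#x %#x; slow translations: %u\n", s1, s2, s3, slow_path_count());
    cache_invalidate();
    return 0;
}
```

The point the model makes: the second packet with the same wire label never reaches the LSM's translation because netlbl_skbuff_getattr already returns the cached entry with NETLBL_SECATTR_CACHE set, and a cache flush forces the full translation again.  The reference count matters in the real kernel for the same reason it does here: the cache holds one reference, the secattr being processed holds another, and netlbl_secattr_destroy must always be called so the entry is released after an invalidate.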

