Blame view

kernel/linux-rt-4.4.41/Documentation/netlabel/lsm_interface.txt 2.38 KB
5113f6f70   김현기   kernel add
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
  NetLabel Linux Security Module Interface
  ==============================================================================
  Paul Moore, paul.moore@hp.com
  
  May 17, 2006
  
   * Overview
  
  NetLabel is a mechanism which can set and retrieve security attributes from
  network packets.  It is intended to be used by LSM developers who want to make
  use of a common code base for several different packet labeling protocols.
  The NetLabel security module API is defined in 'include/net/netlabel.h' but a
  brief overview is given below.
  
   * NetLabel Security Attributes
  
  Since NetLabel supports multiple different packet labeling protocols and LSMs
  it uses the concept of security attributes to refer to the packet's security
  labels.  The NetLabel security attributes are defined by the
  'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
  NetLabel subsystem converts the security attributes to and from the correct
  low-level packet label depending on the NetLabel build time and run time
  configuration.  It is up to the LSM developer to translate the NetLabel
  security attributes into whatever security identifiers are in use for their
  particular LSM.
  
   * NetLabel LSM Protocol Operations
  
  These are the functions which allow the LSM developer to manipulate the labels
  on outgoing packets as well as read the labels on incoming packets.  Functions
  exist to operate both on sockets as well as the sk_buffs directly.  These high
  level functions are translated into low level protocol operations based on how
  the administrator has configured the NetLabel subsystem.
  
   * NetLabel Label Mapping Cache Operations
  
  Depending on the exact configuration, translation between the network packet
  label and the internal LSM security identifier can be time consuming.  The
  NetLabel label mapping cache is a caching mechanism which can be used to
  sidestep much of this overhead once a mapping has been established.  Once the
  LSM has received a packet, used NetLabel to decode its security attributes,
  and translated the security attributes into a LSM internal identifier the LSM
  can use the NetLabel caching functions to associate the LSM internal
  identifier with the network packet's label.  This means that in the future
  when a incoming packet matches a cached value not only are the internal
  NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
  bypassed as well which should result in a significant reduction in overhead.