1 ======================================== 2 NetLabel Linux Security Module Interface 3 ======================================== 4 5 Paul Moore, paul.moore@hp.com 6 7 May 17, 2006 8 9 Overview 10 ======== 11 12 NetLabel is a mechanism which can set and retrieve security attributes from 13 network packets. It is intended to be used by LSM developers who want to make 14 use of a common code base for several different packet labeling protocols. 15 The NetLabel security module API is defined in 'include/net/netlabel.h' but a 16 brief overview is given below. 17 18 NetLabel Security Attributes 19 ============================ 20 21 Since NetLabel supports multiple different packet labeling protocols and LSMs 22 it uses the concept of security attributes to refer to the packet's security 23 labels. The NetLabel security attributes are defined by the 24 'netlbl_lsm_secattr' structure in the NetLabel header file. Internally the 25 NetLabel subsystem converts the security attributes to and from the correct 26 low-level packet label depending on the NetLabel build time and run time 27 configuration. It is up to the LSM developer to translate the NetLabel 28 security attributes into whatever security identifiers are in use for their 29 particular LSM. 30 31 NetLabel LSM Protocol Operations 32 ================================ 33 34 These are the functions which allow the LSM developer to manipulate the labels 35 on outgoing packets as well as read the labels on incoming packets. Functions 36 exist to operate both on sockets as well as the sk_buffs directly. These high 37 level functions are translated into low level protocol operations based on how 38 the administrator has configured the NetLabel subsystem. 39 40 NetLabel Label Mapping Cache Operations 41 ======================================= 42 43 Depending on the exact configuration, translation between the network packet 44 label and the internal LSM security identifier can be time consuming. The 45 NetLabel label mapping cache is a caching mechanism which can be used to 46 sidestep much of this overhead once a mapping has been established. Once the 47 LSM has received a packet, used NetLabel to decode its security attributes, 48 and translated the security attributes into a LSM internal identifier the LSM 49 can use the NetLabel caching functions to associate the LSM internal 50 identifier with the network packet's label. This means that in the future 51 when a incoming packet matches a cached value not only are the internal 52 NetLabel translation mechanisms bypassed but the LSM translation mechanisms are 53 bypassed as well which should result in a significant reduction in overhead.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.