Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

========================================
NetLabel Linux Security Module Interface
========================================

Paul Moore, paul.moore@hp.com

May 17, 2006

Overview
========

NetLabel is a mechanism which can set and retrieve security attributes from
network packets.  It is intended to be used by LSM developers who want to make
use of a common code base for several different packet labeling protocols.
The NetLabel security module API is defined in 'include/net/netlabel.h', but a
brief overview is given below.

NetLabel Security Attributes
============================

Since NetLabel supports multiple different packet labeling protocols and LSMs,
it uses the concept of security attributes to refer to the packet's security
labels.  The NetLabel security attributes are defined by the
'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
NetLabel subsystem converts the security attributes to and from the correct
low-level packet label depending on the NetLabel build time and run time
configuration.  It is up to the LSM developer to translate the NetLabel
security attributes into whatever security identifiers are in use for their
particular LSM.

NetLabel LSM Protocol Operations
================================

These are the functions which allow the LSM developer to manipulate the labels
on outgoing packets as well as read the labels on incoming packets.  Functions
exist to operate both on sockets and on the sk_buffs directly.  These high
level functions are translated into low level protocol operations based on how
the administrator has configured the NetLabel subsystem.

NetLabel Label Mapping Cache Operations
=======================================

Depending on the exact configuration, translation between the network packet
label and the internal LSM security identifier can be time consuming.  The
NetLabel label mapping cache is a caching mechanism which can be used to
sidestep much of this overhead once a mapping has been established.  Once the
LSM has received a packet, used NetLabel to decode its security attributes,
and translated the security attributes into an LSM internal identifier, the LSM
can use the NetLabel caching functions to associate the LSM internal
identifier with the network packet's label.  This means that in the future,
when an incoming packet matches a cached value, not only are the internal
NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
bypassed as well, which should result in a significant reduction in overhead.
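The following is an added user-space model of the receive path described in the two sections above; it is not kernel code and does not use the real 'netlbl_lsm_secattr' or NetLabel cache API. The five-byte wire label format (one level byte plus a four-byte category bitmap), the decode and translate stand-ins and the fixed-size direct-mapped cache are all constructed here purely to show how a cache hit bypasses both the NetLabel decode step and the LSM's own translation step.

```c
/* Constructed model of the NetLabel label-mapping cache; not kernel code. */
#include <stdint.h>
#include <string.h>

#define CACHE_SLOTS 16
#define LABEL_MAX 8

/* stand-in for netlbl_lsm_secattr: decoded MLS level and category bitmap */
struct secattr { uint8_t lvl; uint32_t cat; };

struct cache_ent { int used; size_t len; uint8_t label[LABEL_MAX]; uint32_t secid; };
static struct cache_ent cache[CACHE_SLOTS];

/* counters that expose which steps ran on each packet */
struct { unsigned decode_calls, translate_calls; int last_hit; } stats;

static uint32_t label_hash(const uint8_t *l, size_t n) {
    uint32_t h = 2166136261u;               /* FNV-1a over the raw wire label */
    for (size_t i = 0; i < n; i++) h = (h ^ l[i]) * 16777619u;
    return h;
}

/* stand-in for NetLabel's protocol decode: byte 0 = level, bytes 1..4 = categories (big-endian) */
static int decode_label(const uint8_t *l, size_t n, struct secattr *sa) {
    stats.decode_calls++;
    if (n != 5) return -1;                  /* malformed or unlabeled: no attributes */
    sa->lvl = l[0];
    sa->cat = ((uint32_t)l[1] << 24) | ((uint32_t)l[2] << 16) | ((uint32_t)l[3] << 8) | l[4];
    return 0;
}

/* stand-in for the LSM's own secattr -> secid translation (the expensive step) */
static uint32_t lsm_translate(const struct secattr *sa) {
    stats.translate_calls++;
    return ((uint32_t)sa->lvl << 24) | (sa->cat & 0xffffffu);
}

/* receive path: a cache hit on the wire label skips decode and translate entirely */
uint32_t model_skb_secid(const uint8_t *label, size_t len) {
    struct cache_ent *e = &cache[label_hash(label, len) % CACHE_SLOTS];
    if (e->used && e->len == len && memcmp(e->label, label, len) == 0) {
        stats.last_hit = 1;
        return e->secid;
    }
    stats.last_hit = 0;
    struct secattr sa;
    if (len > LABEL_MAX || decode_label(label, len, &sa) < 0) return 0;  /* 0 = unlabeled */
    uint32_t secid = lsm_translate(&sa);
    e->used = 1; e->len = len; memcpy(e->label, label, len); e->secid = secid;  /* cache add */
    return secid;
}
```

Note that the model, like the real cache, is keyed on the raw wire label rather than the decoded attributes, which is what lets a hit avoid the decode step as well as the LSM translation.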
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) can use the NetLabel caching functions to associate the LSM internal
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) identifier with the network packet's label.  This means that in the future
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) when a incoming packet matches a cached value not only are the internal
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) bypassed as well which should result in a significant reduction in overhead.