linux-pinenote/Documentation/netlabel/lsm_interface.txt

NetLabel Linux Security Module Interface
==============================================================================
Paul Moore, paul.moore@hp.com

May 17, 2006

 * Overview

NetLabel is a mechanism which can set and retrieve security attributes from
network packets.  It is intended to be used by LSM developers who want to make
use of a common code base for several different packet labeling protocols.
The NetLabel security module API is defined in 'include/net/netlabel.h' but a
brief overview is given below.

 * NetLabel Security Attributes

Since NetLabel supports multiple different packet labeling protocols and LSMs
it uses the concept of security attributes to refer to the packet's security
labels.  The NetLabel security attributes are defined by the
'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
NetLabel subsystem converts the security attributes to and from the correct
low-level packet label depending on the NetLabel build time and run time
configuration.  It is up to the LSM developer to translate the NetLabel
security attributes into whatever security identifiers are in use for their
particular LSM.

 * NetLabel LSM Protocol Operations

These are the functions which allow the LSM developer to manipulate the labels
on outgoing packets as well as read the labels on incoming packets.  Functions
exist to operate both on sockets as well as the sk_buffs directly.  These high
level functions are translated into low level protocol operations based on how
the administrator has configured the NetLabel subsystem.

 * NetLabel Label Mapping Cache Operations

Depending on the exact configuration, translation between the network packet
label and the internal LSM security identifier can be time consuming.  The
NetLabel label mapping cache is a caching mechanism which can be used to
sidestep much of this overhead once a mapping has been established.  Once the
LSM has received a packet, used NetLabel to decode its security attributes,
and translated the security attributes into a LSM internal identifier the LSM
can use the NetLabel caching functions to associate the LSM internal
identifier with the network packet's label.  This means that in the future
when a incoming packet matches a cached value not only are the internal
NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
bypassed as well which should result in a significant reduction in overhead.
[NetLabel]: documentation Documentation for the NetLabel system, this includes a basic overview of how NetLabel works, how LSM developers can integrate it into their favorite LSM, as well as documentation on the CIPSO related sysctl variables. Also, due to the difficulty of finding expired IETF drafts, I am including the IETF CIPSO draft that is the basis of the NetLabel CIPSO implementation. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-08-03 16:45:49 -07:00			`NetLabel Linux Security Module Interface`
			`==============================================================================`
			`Paul Moore, paul.moore@hp.com`

			`May 17, 2006`

			`* Overview`

			`NetLabel is a mechanism which can set and retrieve security attributes from`
			`network packets. It is intended to be used by LSM developers who want to make`
			`use of a common code base for several different packet labeling protocols.`
			`The NetLabel security module API is defined in 'include/net/netlabel.h' but a`
			`brief overview is given below.`

			`* NetLabel Security Attributes`

			`Since NetLabel supports multiple different packet labeling protocols and LSMs`
			`it uses the concept of security attributes to refer to the packet's security`
			`labels. The NetLabel security attributes are defined by the`
			`'netlbl_lsm_secattr' structure in the NetLabel header file. Internally the`
			`NetLabel subsystem converts the security attributes to and from the correct`
			`low-level packet label depending on the NetLabel build time and run time`
			`configuration. It is up to the LSM developer to translate the NetLabel`
			`security attributes into whatever security identifiers are in use for their`
			`particular LSM.`

			`* NetLabel LSM Protocol Operations`

			`These are the functions which allow the LSM developer to manipulate the labels`
			`on outgoing packets as well as read the labels on incoming packets. Functions`
			`exist to operate both on sockets as well as the sk_buffs directly. These high`
			`level functions are translated into low level protocol operations based on how`
			`the administrator has configured the NetLabel subsystem.`

			`* NetLabel Label Mapping Cache Operations`

			`Depending on the exact configuration, translation between the network packet`
			`label and the internal LSM security identifier can be time consuming. The`
			`NetLabel label mapping cache is a caching mechanism which can be used to`
			`sidestep much of this overhead once a mapping has been established. Once the`
Documentation/: it's -> its where appropriate Fix obvious cases of "it's" being used when "its" was meant. Signed-off-by: Francis Galiegue <fgaliegue@gmail.com> Acked-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2010-04-23 00:08:02 +02:00			`LSM has received a packet, used NetLabel to decode its security attributes,`
[NetLabel]: documentation Documentation for the NetLabel system, this includes a basic overview of how NetLabel works, how LSM developers can integrate it into their favorite LSM, as well as documentation on the CIPSO related sysctl variables. Also, due to the difficulty of finding expired IETF drafts, I am including the IETF CIPSO draft that is the basis of the NetLabel CIPSO implementation. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-08-03 16:45:49 -07:00			`and translated the security attributes into a LSM internal identifier the LSM`
			`can use the NetLabel caching functions to associate the LSM internal`
			`identifier with the network packet's label. This means that in the future`
			`when a incoming packet matches a cached value not only are the internal`
			`NetLabel translation mechanisms bypassed but the LSM translation mechanisms are`
			`bypassed as well which should result in a significant reduction in overhead.`