=====================
NetLabel Introduction
=====================

Paul Moore, paul.moore@hp.com

August 2, 2006

Overview
========

NetLabel is a mechanism which can be used by kernel security modules to attach
security attributes to outgoing network packets generated from user space
applications and read security attributes from incoming network packets.  It
is composed of three main components: the protocol engines, the communication
layer, and the kernel security module API.

Protocol Engines
================

The protocol engines are responsible for both applying and retrieving the
network packet's security attributes.  If any translation between the network
security attributes and those on the host is required, then the protocol
engine will handle those tasks as well.  Other kernel subsystems should
refrain from calling the protocol engines directly; instead, they should use
the NetLabel kernel security module API described below.

Detailed information about each NetLabel protocol engine can be found in this
directory.

Communication Layer
===================

The communication layer exists to allow NetLabel configuration and monitoring
from user space.  The NetLabel communication layer uses a message-based
protocol built on top of the Generic NETLINK transport mechanism.  The exact
formatting of these NetLabel messages, as well as the Generic NETLINK family
names, can be found in the 'net/netlabel/' directory as comments in the
header files, and in 'include/net/netlabel.h'.

Security Module API
===================

The purpose of the NetLabel security module API is to provide a
protocol-independent interface to the underlying NetLabel protocol engines.  In
addition to protocol independence, the security module API is designed to be
completely LSM independent, which should allow multiple LSMs to leverage the
same code base.

Detailed information about the NetLabel security module API can be found in the
'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
found in this directory.
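As an added example that is not part of this document or of the kernel tree, the following Python client shows what the communication layer described above looks like from user space: it frames a Generic NETLINK request, resolves the 'NLBL_MGMT' management family through the nlctrl family, and asks the kernel which NetLabel protocol version it speaks. The family name and the NLBL_MGMT_C_VERSION / NLBL_MGMT_A_VERSION identifiers come from net/netlabel/netlabel_mgmt.h; their numeric values, the helper names (nla, genl_msg, genl_attrs, version_reply, netlabel_version) and the framed sample reply are this example's own assumptions and constructed data.

```python
import socket
import struct
# Generic Netlink framing constants (linux/netlink.h, linux/genetlink.h).
NETLINK_GENERIC, NLM_F_REQUEST, NLMSG_ERROR = 16, 0x01, 0x02
GENL_ID_CTRL, CTRL_CMD_GETFAMILY = 0x10, 3
CTRL_ATTR_FAMILY_ID, CTRL_ATTR_FAMILY_NAME = 1, 2
# NetLabel management family. Numeric values are assumed from the enums in
# net/netlabel/netlabel_mgmt.h; verify them against your kernel tree.
NLBL_MGMT_FAMILY_NAME = b"NLBL_MGMT"
NLBL_MGMT_C_VERSION, NLBL_MGMT_A_VERSION = 8, 3  # command / u32 reply attribute

def nla(attr_type, payload):
    """Encode one struct nlattr + payload, padded to a 4-byte boundary."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (-length % 4)

def genl_msg(family_id, cmd, attrs=b"", seq=1, flags=NLM_F_REQUEST):
    """Build nlmsghdr + genlmsghdr(cmd, version=1, reserved) + attributes."""
    body = struct.pack("=BBH", cmd, 1, 0) + attrs
    return struct.pack("=IHHII", 16 + len(body), family_id, flags, seq, 0) + body

def genl_attrs(msg):
    """Parse one genetlink message's attributes into {type: raw payload}."""
    nlmsg_len, msg_type = struct.unpack_from("=IH", msg)
    if msg_type == NLMSG_ERROR:  # struct nlmsgerr: first field is -errno
        raise OSError(-struct.unpack_from("=i", msg, 16)[0], "netlink error")
    attrs, off = {}, 20  # skip the 16-byte nlmsghdr and 4-byte genlmsghdr
    while off + 4 <= nlmsg_len:
        alen, atype = struct.unpack_from("=HH", msg, off)
        attrs[atype] = msg[off + 4:off + alen]
        off += (alen + 3) & ~3  # NLA_ALIGN
    return attrs

def version_reply(family_id, version):
    # Constructed test data: a NLBL_MGMT_C_VERSION reply framed as the kernel does.
    return genl_msg(family_id, NLBL_MGMT_C_VERSION,
                    nla(NLBL_MGMT_A_VERSION, struct.pack("=I", version)), flags=0)

def parse_version_reply(msg):
    return struct.unpack("=I", genl_attrs(msg)[NLBL_MGMT_A_VERSION])[0]

def netlabel_version():
    """Resolve NLBL_MGMT through nlctrl, then query the kernel's NetLabel version."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_GENERIC)
    try:
        name = nla(CTRL_ATTR_FAMILY_NAME, NLBL_MGMT_FAMILY_NAME + b"\0")
        sock.send(genl_msg(GENL_ID_CTRL, CTRL_CMD_GETFAMILY, name))
        fam = struct.unpack("=H", genl_attrs(sock.recv(8192))[CTRL_ATTR_FAMILY_ID])[0]
        sock.send(genl_msg(fam, NLBL_MGMT_C_VERSION))
        return parse_version_reply(sock.recv(8192))
    finally:
        sock.close()
```

On a kernel without NetLabel the nlctrl lookup answers with an NLMSG_ERROR message, which genl_attrs turns into an OSError carrying the errno rather than a silently empty attribute set.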