=====================
NetLabel Introduction
=====================

Paul Moore, paul.moore@hp.com

August 2, 2006

Overview
========

NetLabel is a mechanism which can be used by kernel security modules to attach
security attributes to outgoing network packets generated from user space
applications and read security attributes from incoming network packets. It
is composed of three main components: the protocol engines, the communication
layer, and the kernel security module API.

Protocol Engines
================

The protocol engines are responsible for both applying and retrieving the
network packet's security attributes. If any translation between the network
security attributes and those on the host is required then the protocol
engine will handle those tasks as well. Other kernel subsystems should
refrain from calling the protocol engines directly; instead they should use
the NetLabel kernel security module API described below.

Detailed information about each NetLabel protocol engine can be found in this
directory.

Communication Layer
===================

The communication layer exists to allow NetLabel configuration and monitoring
from user space. The NetLabel communication layer uses a message based
protocol built on top of the Generic NETLINK transport mechanism. The exact
formatting of these NetLabel messages as well as the Generic NETLINK family
names can be found in the 'net/netlabel/' directory as comments in the
header files as well as in 'include/net/netlabel.h'.

Security Module API
===================

The purpose of the NetLabel security module API is to provide a protocol
independent interface to the underlying NetLabel protocol engines. In addition
to protocol independence, the security module API is designed to be completely
LSM independent, which should allow multiple LSMs to leverage the same code
base.

Detailed information about the NetLabel security module API can be found in the
'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
found in this directory.
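The following is an added example, not part of the original document or of the
NetLabel code base, illustrating the first step a user space tool takes before
it can talk to the communication layer described above: every Generic NETLINK
family, including the NetLabel ones, is registered by name and must be resolved
to a numeric family id through the Generic NETLINK controller (family id 0x10,
command CTRL_CMD_GETFAMILY). The code builds that request by hand (nlmsghdr,
genlmsghdr and a NLA_STRING attribute), parses the controller's
CTRL_CMD_NEWFAMILY reply, and maps a netlink error reply to a Python OSError.
The family name "NLBL_MGMT" is taken from the NETLBL_NLTYPE_MGMT_NAME definition
in 'include/net/netlabel.h'; the reply bytes used below are constructed with the
same helpers rather than captured from a kernel, and the optional live query at
the end only works on Linux with NetLabel compiled in.

```python
import socket
import struct

# Generic NETLINK controller constants (from linux/genetlink.h, linux/netlink.h).
NETLINK_GENERIC = 16
GENL_ID_CTRL = 0x10
CTRL_CMD_NEWFAMILY = 1
CTRL_CMD_GETFAMILY = 3
CTRL_ATTR_FAMILY_ID = 1
CTRL_ATTR_FAMILY_NAME = 2
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLMSG_HDRLEN = 16  # struct nlmsghdr: len u32, type u16, flags u16, seq u32, pid u32
GENL_HDRLEN = 4    # struct genlmsghdr: cmd u8, version u8, reserved u16

NETLBL_NLTYPE_MGMT_NAME = "NLBL_MGMT"  # NetLabel management family name


def nla_align(length):
    """Netlink attributes are padded to a 4-byte boundary."""
    return (length + 3) & ~3


def nla_put(attr_type, payload):
    """Encode one struct nlattr: nla_len counts header+payload, padding is not counted."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (nla_align(length) - length)


def nla_parse(data):
    """Walk a run of attributes; reject lengths that point outside the buffer."""
    attrs = {}
    off = 0
    while off + 4 <= len(data):
        length, attr_type = struct.unpack_from("=HH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("malformed netlink attribute at offset %d" % off)
        attrs[attr_type] = data[off + 4:off + length]
        off += nla_align(length)
    return attrs


def build_getfamily_request(family_name, seq=1, pid=0):
    """CTRL_CMD_GETFAMILY request asking the controller to resolve a family name."""
    genl = struct.pack("=BBH", CTRL_CMD_GETFAMILY, 1, 0)
    attrs = nla_put(CTRL_ATTR_FAMILY_NAME, family_name.encode() + b"\0")
    payload = genl + attrs
    nlh = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), GENL_ID_CTRL, NLM_F_REQUEST, seq, pid)
    return nlh + payload


def build_newfamily_reply(family_name, family_id, seq=1, pid=0):
    """Constructed CTRL_CMD_NEWFAMILY reply, shaped like the kernel's answer (test data)."""
    genl = struct.pack("=BBH", CTRL_CMD_NEWFAMILY, 2, 0)
    attrs = nla_put(CTRL_ATTR_FAMILY_NAME, family_name.encode() + b"\0")
    attrs += nla_put(CTRL_ATTR_FAMILY_ID, struct.pack("=H", family_id))
    payload = genl + attrs
    nlh = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), GENL_ID_CTRL, 0, seq, pid)
    return nlh + payload


def build_error_reply(errno, request, seq=1, pid=0):
    """Constructed NLMSG_ERROR reply: struct nlmsgerr { int error; struct nlmsghdr msg; }."""
    payload = struct.pack("=i", -errno) + request[:NLMSG_HDRLEN]
    nlh = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), NLMSG_ERROR, 0, seq, pid)
    return nlh + payload


def parse_family_id(msg):
    """Return (family_name, family_id) from a controller reply, or raise."""
    if len(msg) < NLMSG_HDRLEN + 4:
        raise ValueError("message shorter than netlink header")
    nlen, ntype, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    if nlen > len(msg):
        raise ValueError("nlmsg_len exceeds received bytes")
    if ntype == NLMSG_ERROR:
        error = struct.unpack_from("=i", msg, NLMSG_HDRLEN)[0]
        raise OSError(-error, "netlink error reply")
    if ntype != GENL_ID_CTRL:
        raise ValueError("unexpected netlink message type %d" % ntype)
    cmd, _ver, _res = struct.unpack_from("=BBH", msg, NLMSG_HDRLEN)
    if cmd != CTRL_CMD_NEWFAMILY:
        raise ValueError("unexpected genetlink command %d" % cmd)
    attrs = nla_parse(msg[NLMSG_HDRLEN + GENL_HDRLEN:nlen])
    name = attrs[CTRL_ATTR_FAMILY_NAME].rstrip(b"\0").decode()
    family_id = struct.unpack("=H", attrs[CTRL_ATTR_FAMILY_ID][:2])[0]
    return name, family_id


def query_family_id(family_name=NETLBL_NLTYPE_MGMT_NAME):
    """Live lookup over NETLINK_GENERIC (Linux only; needs NetLabel in the kernel)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_GENERIC) as sock:
        sock.bind((0, 0))
        sock.send(build_getfamily_request(family_name))
        return parse_family_id(sock.recv(4096))


if __name__ == "__main__":
    try:
        print(query_family_id())
    except (OSError, AttributeError) as exc:
        print("live lookup unavailable:", exc)
```

Once the id is known it replaces GENL_ID_CTRL in nlmsg_type, and the genlmsghdr
command and attributes follow the NetLabel-specific layouts documented in
'net/netlabel/netlabel_mgmt.h' and its siblings; the helpers above are reused
unchanged for those messages.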