
NetLabel/CIPSO prototype patch [0/4]

From:  Paul Moore <paul.moore@hp.com>
To:  linux-security-module@vger.kernel.org
Subject:  [RFC][PATCH] NetLabel/CIPSO prototype patch [0/4]
Date:  Thu, 04 May 2006 17:51:07 -0400

Over the past few months I have been working on a mechanism to implement 
the CIPSO protocol for Linux/SELinux.  So far the development has 
occurred on the RedHat LSPP list, which can be found here:

  * https://www.redhat.com/mailman/listinfo/redhat-lspp

... however, it has recently come to my attention that ISSI is working 
on porting their CIPSO stack to Linux using their own LSM.  I'm not sure 
if this is the appropriate forum to talk about it, but it sounds like 
some discussion would be a good thing.  With that in mind, here is a bit 
about my efforts at CIPSO for Linux ...

I have been working on a new mechanism called NetLabel which provides 
support for explicit packet labeling protocols such as CIPSO and RIPSO 
(only CIPSO is currently supported).  While the development so far has 
been focused on SELinux as an LSM it would be fairly easy to support
other LSMs as NetLabel tries to tread as lightly on the network stack 
and LSM code as possible.  Unfortunately the patch appears to be too big 
for the 100k character limit so I am chopping it up and sending it out 
piecemeal.  More information and user space configuration tools can be 
found here:

  * http://free.linux.hp.com/~pmoore/projects/linux_cipso
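To make concrete what an "explicit packet labeling protocol" hands to the receiving host, here is an added example (not code from the NetLabel patch or from the project page above): a minimal, defensive parser for the CIPSO IPv4 option, the on-the-wire label that net/ipv4/cipso_ipv4.c has to validate before any LSM can map it to a security context. It assumes the layout from FIPS 188 / the CIPSO Internet draft (option type 134, a 4-byte DOI, then tags), handles only tag type 1 (category bitmap) and tag type 2 (enumerated categories), numbers bitmap categories from the most significant bit of the first byte, and uses constructed sample options rather than captured traffic. The length and alignment checks are the point: a receiver that trusts the option's own length fields is trusting the sender.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CIPSO_OPT_TYPE    134  /* IPv4 option number assigned to CIPSO */
#define CIPSO_TAG_BITMAP  1    /* restrictive bitmap of categories */
#define CIPSO_TAG_ENUM    2    /* enumerated list of 16-bit categories */
#define CIPSO_MAX_OPT_LEN 40   /* IPv4 options cannot exceed 40 bytes */
#define CIPSO_MAX_CATS    240  /* 30 bitmap bytes * 8 bits */

struct cipso_label {
    uint32_t doi;       /* Domain of Interpretation, selects the mapping */
    uint8_t  tag_type;
    uint8_t  level;     /* sensitivity level */
    int      ncats;
    uint16_t cats[CIPSO_MAX_CATS];
};

/* Parse the first tag of a CIPSO option found at opt (avail bytes readable).
 * Returns 0 on success or a negative code on malformed input; a receiver
 * should drop the packet on any failure rather than guess at a label. */
int cipso_parse(const uint8_t *opt, size_t avail, struct cipso_label *out)
{
    if (avail < 6 || opt[0] != CIPSO_OPT_TYPE)
        return -1;
    size_t len = opt[1];
    if (len < 6 || len > avail || len > CIPSO_MAX_OPT_LEN)
        return -2;                          /* bogus option length */

    memset(out, 0, sizeof(*out));
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
    if (out->doi == 0)
        return -3;                          /* DOI zero is reserved */

    /* Every tag starts with type, length, alignment octet, level. */
    size_t off = 6;
    if (len - off < 4)
        return -4;
    uint8_t tag_type = opt[off];
    size_t tag_len = opt[off + 1];
    if (tag_len < 4 || tag_len > 34 || off + tag_len > len)
        return -5;                          /* tag overruns the option */
    if (opt[off + 2] != 0)
        return -6;                          /* alignment octet must be zero */
    out->tag_type = tag_type;
    out->level = opt[off + 3];

    const uint8_t *body = opt + off + 4;
    size_t body_len = tag_len - 4;
    switch (tag_type) {
    case CIPSO_TAG_BITMAP:
        /* category n lives in byte n/8, bit n%8 counted from the MSB */
        for (size_t i = 0; i < body_len; i++)
            for (int b = 0; b < 8; b++)
                if (body[i] & (0x80u >> b))
                    out->cats[out->ncats++] = (uint16_t)(i * 8 + b);
        break;
    case CIPSO_TAG_ENUM:
        if (body_len % 2 != 0)
            return -7;                      /* categories are 16-bit values */
        for (size_t i = 0; i < body_len; i += 2)
            out->cats[out->ncats++] = (uint16_t)((body[i] << 8) | body[i + 1]);
        break;
    default:
        return -8;                          /* other tag types not handled here */
    }
    return 0;
}

/* Constructed sample options (not captured traffic). */
const uint8_t sample_bitmap_opt[] = {
    CIPSO_OPT_TYPE, 14,             /* type, total option length */
    0x00, 0x00, 0x00, 0x03,         /* DOI 3 */
    CIPSO_TAG_BITMAP, 8, 0x00, 5,   /* tag 1, length 8, align, level 5 */
    0xA0, 0x00, 0x00, 0x01          /* categories 0, 2 and 31 */
};
const uint8_t sample_enum_opt[] = {
    CIPSO_OPT_TYPE, 12, 0x00, 0x00, 0x00, 0x03,
    CIPSO_TAG_ENUM, 6, 0x00, 7,     /* tag 2, length 6, align, level 7 */
    0x00, 0x10                      /* category 16 */
};
const uint8_t sample_bad_opt[] = {  /* tag length claims 20 bytes in a 10-byte option */
    CIPSO_OPT_TYPE, 10, 0x00, 0x00, 0x00, 0x03,
    CIPSO_TAG_BITMAP, 20, 0x00, 1
};

int main(void)
{
    struct cipso_label lbl;
    if (cipso_parse(sample_bitmap_opt, sizeof(sample_bitmap_opt), &lbl) == 0) {
        printf("DOI %u level %u cats:", (unsigned)lbl.doi, (unsigned)lbl.level);
        for (int i = 0; i < lbl.ncats; i++)
            printf(" %u", (unsigned)lbl.cats[i]);
        printf("\n");
    }
    printf("malformed option -> %d\n",
           cipso_parse(sample_bad_opt, sizeof(sample_bad_opt), &lbl));
    return 0;
}
```

The parsed (DOI, level, categories) tuple is exactly what a DOI-to-LSM mapping, the piece NetLabel provides for SELinux MLS, turns into a local security context; the parser itself says nothing about whether DOI 3 or level 5 mean anything on this host, which is why the mapping step and the validation step have to stay separate.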

I still consider the patch to be in the prototype stage as there is 
still work to be done, edges to smooth, etc. but it runs and is fairly 
usable.  If you want to try this patch out you should do the following 
(order is important as I still haven't fixed the Makefile/Kconfig stuff 
yet):

  1. Obtain the kernel sources for 2.6.16-1.2181.2.1_FC6.lspp.20
     from http://people.redhat.com/sgrubb/files/lspp
  2. Configure the kernel to taste
  3. Apply the patch
  4. Build the kernel

An overview of the changes:

  Makefile                            |    2
  include/linux/ip.h                  |    1
  include/linux/netlink.h             |    1
  include/net/cipso_ipv4.h            |  174 +++
  include/net/inet_sock.h             |    2
  include/net/netlabel.h              |  659 +++++++++++
  net/Makefile                        |    2
  net/ipv4/Makefile                   |    3
  net/ipv4/cipso_ipv4.c               | 1619 ++++++++++++++++++++++++++++
  net/ipv4/ip_options.c               |   15
  net/netlabel/Kconfig                |    9
  net/netlabel/Makefile               |    7
  net/netlabel/netlabel_cipso_v4.c    |  491 ++++++++
  net/netlabel/netlabel_domainhash.c  |  603 ++++++++++
  net/netlabel/netlabel_domainhash.h  |   46
  net/netlabel/netlabel_kapi.c        |  336 +++++
  net/netlabel/netlabel_mgmt.c        |  685 +++++++++++
  net/netlabel/netlabel_types.h       |   54
  net/netlabel/netlabel_unlabeled.c   |  242 ++++
  net/netlabel/netlabel_unlabeled.h   |   37
  net/netlabel/netlabel_user.c        |  163 ++
  net/netlabel/netlabel_user.h        |   40
  security/selinux/hooks.c            |   35
  security/selinux/include/security.h |    5
  security/selinux/ss/ebitmap.c       |  151 ++
  security/selinux/ss/ebitmap.h       |    2
  security/selinux/ss/mls.c           |  158 ++
  security/selinux/ss/mls.h           |   21
  security/selinux/ss/services.c      |  179 +++
  security/selinux/ss/services.h      |    4
  security/selinux/xfrm.c             |   23
  31 files changed, 5746 insertions(+), 23 deletions(-)

Thanks.

-- 
paul moore
linux security @ hp

