1NetLabel Linux Security Module Interface 2============================================================================== 3Paul Moore, paul.moore@hp.com 4 5May 17, 2006 6 7 * Overview 8 9NetLabel is a mechanism which can set and retrieve security attributes from 10network packets. It is intended to be used by LSM developers who want to make 11use of a common code base for several different packet labeling protocols. 12The NetLabel security module API is defined in 'include/net/netlabel.h' but a 13brief overview is given below. 14 15 * NetLabel Security Attributes 16 17Since NetLabel supports multiple different packet labeling protocols and LSMs 18it uses the concept of security attributes to refer to the packet's security 19labels. The NetLabel security attributes are defined by the 20'netlbl_lsm_secattr' structure in the NetLabel header file. Internally the 21NetLabel subsystem converts the security attributes to and from the correct 22low-level packet label depending on the NetLabel build time and run time 23configuration. It is up to the LSM developer to translate the NetLabel 24security attributes into whatever security identifiers are in use for their 25particular LSM. 26 27 * NetLabel LSM Protocol Operations 28 29These are the functions which allow the LSM developer to manipulate the labels 30on outgoing packets as well as read the labels on incoming packets. Functions 31exist to operate both on sockets as well as the sk_buffs directly. These high 32level functions are translated into low level protocol operations based on how 33the administrator has configured the NetLabel subsystem. 34 35 * NetLabel Label Mapping Cache Operations 36 37Depending on the exact configuration, translation between the network packet 38label and the internal LSM security identifier can be time consuming. The 39NetLabel label mapping cache is a caching mechanism which can be used to 40sidestep much of this overhead once a mapping has been established. Once the 41LSM has received a packet, used NetLabel to decode it's security attributes, 42and translated the security attributes into a LSM internal identifier the LSM 43can use the NetLabel caching functions to associate the LSM internal 44identifier with the network packet's label. This means that in the future 45when a incoming packet matches a cached value not only are the internal 46NetLabel translation mechanisms bypassed but the LSM translation mechanisms are 47bypassed as well which should result in a significant reduction in overhead. 48