| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 Feb 2011 17:31:39 -0600
From: Joy Latten <jml@...tin.ibm.com>
To: netdev@...r.kernel.org
Cc: shemminger@...l.org
Subject: [iproute2 PATCH 1/3]: xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".
This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.
For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
proto esp spi 0x00000301 reqid 0 mode transport
replay-window 0
auth hmac(digest_null) 0x3078
enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
security context root:system_r:unconfined_t:s0
Please let me know if all is ok with the patchset.
Thanks!!
regards,
Joy
Signed-off-by: Joy Latten <latten@...tin.ibm.com>
---
ip/ipxfrm.c | 28 ++++++++++++++++++++++++++++
ip/xfrm.h | 3 ++-
2 files changed, 30 insertions(+), 1 deletions(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 9753822..cc4dc80 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
xfrm_stats_print(&xsinfo->stats, fp, buf);
}
+
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
+ }
+
}
void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s ", (char *)(sctx + 1));
+ fprintf(fp, "%s", _SL_);
+ }
+
if (prefix)
STRBUF_CAT(buf, prefix);
STRBUF_CAT(buf, "\t");
diff --git a/ip/xfrm.h b/ip/xfrm.h
index d3ca5c5..784a201 100644
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp);
int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp);
int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft,
int *argcp, char ***argvp);
-
+int xfrm_sctx_parse(char *ctxstr, char *context,
+ struct xfrm_user_sec_ctx *sctx);
#endif
--
1.5.5.6
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists