xfrm security context support

In the Linux kernel, ipsec policy and SAs can include a security context to support MAC networking. This feature is often referred to as "labeled ipsec". This patchset adds security context support into ip xfrm such that a security context can be included when add/delete/display SAs and policies with the ip command. The user provides the security context when adding SAs and policies. If a policy or SA contains a security context, the changes allow the security context to be displayed. For example, ip xfrm state src 10.1.1.6 dst 10.1.1.2 proto esp spi 0x00000301 reqid 0 mode transport replay-window 0 auth hmac(digest_null) 0x3078 enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031 security context root:system_r:unconfined_t:s0 Please let me know if all is ok with the patchset. Thanks!! regards, Joy Signed-off-by: Joy Latten <latten@austin.ibm.com>
2011-02-02 17:31:39 -06:00 · 2011-02-02 17:31:39 -06:00 · b2bb289a57
parent db02608b6f
commit b2bb289a57
2 changed files with 30 additions and 1 deletions
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
+
+	if (tb[XFRMA_SEC_CTX]) {
+		struct xfrm_user_sec_ctx *sctx;
+
+		fprintf(fp, "\tsecurity context ");
+
+		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+			fprintf(fp, "(ERROR truncated)");
+
+		sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
+	}
+
 }

 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,

 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);

+	if (tb[XFRMA_SEC_CTX]) {
+		struct xfrm_user_sec_ctx *sctx;
+
+		fprintf(fp, "\tsecurity context ");
+
+		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+			fprintf(fp, "(ERROR truncated)");
+
+		sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+		fprintf(fp, "%s ", (char *)(sctx + 1));
+		fprintf(fp, "%s", _SL_);
+	}
+
 	if (prefix)
 		STRBUF_CAT(buf, prefix);
 	STRBUF_CAT(buf, "\t");
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp);
 int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp);
 int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft,
 			    int *argcp, char ***argvp);
-
+int xfrm_sctx_parse(char *ctxstr, char *context,
+		    struct xfrm_user_sec_ctx *sctx);
 #endif