=====================
NetLabel Introduction
=====================

Paul Moore, paul.moore@hp.com

August 2, 2006

Overview
========

NetLabel is a mechanism which can be used by kernel security modules to attach
security attributes to outgoing network packets generated from user space
applications and to read security attributes from incoming network packets. It
is composed of three main components: the protocol engines, the communication
layer, and the kernel security module API.

Protocol Engines
================

The protocol engines are responsible for both applying and retrieving the
network packet's security attributes. If any translation between the network
security attributes and those on the host is required, then the protocol
engine will handle those tasks as well. Other kernel subsystems should
refrain from calling the protocol engines directly; instead, they should use
the NetLabel kernel security module API described below.

Detailed information about each NetLabel protocol engine can be found in this
directory.

Communication Layer
===================

The communication layer exists to allow NetLabel configuration and monitoring
from user space. The NetLabel communication layer uses a message-based
protocol built on top of the Generic NETLINK transport mechanism. The exact
formatting of these NetLabel messages as well as the Generic NETLINK family
names can be found in the 'net/netlabel/' directory as comments in the
header files as well as in 'include/net/netlabel.h'.

Security Module API
===================

The purpose of the NetLabel security module API is to provide a protocol
independent interface to the underlying NetLabel protocol engines. In addition
to protocol independence, the security module API is designed to be completely
LSM independent, which should allow multiple LSMs to leverage the same code
base.

Detailed information about the NetLabel security module API can be found in the
'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
found in this directory.