From b2bb289a57fe7be63ebe0d1fe6ff94555bf6c936 Mon Sep 17 00:00:00 2001
From: Joy Latten
Date: Wed, 2 Feb 2011 17:31:39 -0600
Subject: [PATCH] xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a security context to support MAC networking. This feature is often referred to as "labeled ipsec". This patchset adds security context support into ip xfrm such that a security context can be included when add/delete/display SAs and policies with the ip command. The user provides the security context when adding SAs and policies. If a policy or SA contains a security context, the changes allow the security context to be displayed. For example, ip xfrm state src 10.1.1.6 dst 10.1.1.2 proto esp spi 0x00000301 reqid 0 mode transport replay-window 0 auth hmac(digest_null) 0x3078 enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031 security context root:system_r:unconfined_t:s0 Please let me know if all is ok with the patchset. Thanks!! regards, Joy
Signed-off-by: Joy Latten
---
 ip/ipxfrm.c | 28 ++++++++++++++++++++++++++++
 ip/xfrm.h | 3 ++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 9753822..cc4dc80 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
 xfrm_stats_print(&xsinfo->stats, fp, buf);
 }
+
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
+ }
+
 }
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
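Review bot: The truncation check in the block added to xfrm_state_info_print only prints "(ERROR truncated)" and then falls through to the cast and the `%s` read of `(char *)(sctx + 1)`, so a short XFRMA_SEC_CTX attribute is still dereferenced past the end of its payload. The context string is also printed with an unbounded `%s`, which relies on the kernel having NUL-terminated it inside the attribute; the length is carried in `sctx->ctx_len`, so the print should verify that `sizeof(*sctx) + sctx->ctx_len` fits in `RTA_PAYLOAD(tb[XFRMA_SEC_CTX])` and use `%.*s` with that length, and the error branch should end the line with `_SL_` like the success branch does. The same fall-through and unbounded print are repeated in the xfrm_policy_info_print hunk below. Both enclosing functions start outside their hunks.
```c
	if (tb[XFRMA_SEC_CTX]) {
		struct xfrm_user_sec_ctx *sctx;
		int len = RTA_PAYLOAD(tb[XFRMA_SEC_CTX]);

		fprintf(fp, "\tsecurity context ");

		if (len < 0 || (size_t)len < sizeof(*sctx)) {
			fprintf(fp, "(ERROR truncated)%s", _SL_);
		} else {
			sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
			/* ctx_len comes from the kernel message; bound it by the payload actually received */
			if (sctx->ctx_len > (size_t)len - sizeof(*sctx))
				fprintf(fp, "(ERROR truncated)%s", _SL_);
			else
				fprintf(fp, "%.*s %s", (int)sctx->ctx_len,
					(char *)(sctx + 1), _SL_);
		}
	}
```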
@@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
 xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s ", (char *)(sctx + 1));
+ fprintf(fp, "%s", _SL_);
+ }
+
 if (prefix)
 STRBUF_CAT(buf, prefix);
 STRBUF_CAT(buf, "\t");
diff --git a/ip/xfrm.h b/ip/xfrm.h
index d3ca5c5..784a201 100644
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp);
 int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp);
 int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft, int *argcp, char ***argvp);
-
+int xfrm_sctx_parse(char *ctxstr, char *context,
+ struct xfrm_user_sec_ctx *sctx);
 #endif
-- 
2.39.2
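Review bot: The security-context block added to xfrm_policy_info_print is a near-verbatim copy of the one added to xfrm_state_info_print in the previous hunk, differing only in that the string and `_SL_` are emitted by two fprintf calls here (`fprintf(fp, "%s ", (char *)(sctx + 1)); fprintf(fp, "%s", _SL_);`) and by one there. Keeping two copies means any fix to the payload check has to be applied twice; factoring the block into one static helper, e.g. `static void xfrm_sec_ctx_print(struct rtattr *attr, FILE *fp)`, called from both printers would keep the output format and the bounds checking in a single place. xfrm_policy_info_print begins before this hunk and continues after it.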
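Review bot: The prototype `int xfrm_sctx_parse(char *ctxstr, char *context, struct xfrm_user_sec_ctx *sctx);` added to ip/xfrm.h has no definition in this patch — the diffstat lists only ip/ipxfrm.c and ip/xfrm.h — so until the rest of the series lands it declares a function nothing defines, and the commit message should name the patch that provides it. If the parser does not write through `ctxstr` and `context`, declaring them `const char *` would document that for callers; whether it writes through them cannot be told from this hunk. A one-line comment above the prototype stating what the two strings are and who owns the memory behind `sctx` would also help, since the header currently documents none of the parse helpers.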