xfrm security context support

In the Linux kernel, ipsec policy and SAs can include a security context to support MAC networking. This feature is often referred to as "labeled ipsec". This patchset adds security context support into ip xfrm such that a security context can be included when add/delete/display SAs and policies with the ip command. The user provides the security context when adding SAs and policies. If a policy or SA contains a security context, the changes allow the security context to be displayed. For example, ip xfrm state src 10.1.1.6 dst 10.1.1.2 proto esp spi 0x00000301 reqid 0 mode transport replay-window 0 auth hmac(digest_null) 0x3078 enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031 security context root:system_r:unconfined_t:s0 Please let me know if all is ok with the patchset. Thanks!! regards, Joy Signed-off-by: Joy Latten <latten@austin.ibm.com>

xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a security context to support MAC networking. This feature is often referred to as "labeled ipsec". This patchset adds security context support into ip xfrm such that a security context can be included when add/delete/display SAs and policies with the ip command. The user provides the security context when adding SAs and policies. If a policy or SA contains a security context, the changes allow the security context to be displayed. For example, ip xfrm state src 10.1.1.6 dst 10.1.1.2 proto esp spi 0x00000301 reqid 0 mode transport replay-window 0 auth hmac(digest_null) 0x3078 enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031 security context root:system_r:unconfined_t:s0 Please let me know if all is ok with the patchset. Thanks!! regards, Joy Signed-off-by: Joy Latten <latten@austin.ibm.com>
2c319e1a · Joy Latten · Stephen Hemminger · f0612d56 · 2c319e1a · 2c319e1a
Commit 2c319e1a authored Feb 02, 2011 by Joy Latten Committed by Stephen Hemminger Mar 17, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

ip/ipxfrm.c ip/ipxfrm.c +28 -0

ip/xfrm.h ip/xfrm.h +2 -1

No files found.
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
+
+	if (tb[XFRMA_SEC_CTX]) {
+		struct xfrm_user_sec_ctx *sctx;
+
+		fprintf(fp, "\tsecurity context ");
+
+		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+			fprintf(fp, "(ERROR truncated)");
+
+		sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
+	}
+
 }

 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,

 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);

+	if (tb[XFRMA_SEC_CTX]) {
+		struct xfrm_user_sec_ctx *sctx;
+
+		fprintf(fp, "\tsecurity context ");
+
+		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+			fprintf(fp, "(ERROR truncated)");
+
+		sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+		fprintf(fp, "%s ", (char *)(sctx + 1));
+		fprintf(fp, "%s", _SL_);
+	}
+
 	if (prefix)
 		STRBUF_CAT(buf, prefix);
 	STRBUF_CAT(buf, "\t");

--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp);
 int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp);
 int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft,
 			    int *argcp, char ***argvp);
-
+int xfrm_sctx_parse(char *ctxstr, char *context,
+		    struct xfrm_user_sec_ctx *sctx);
 #endif