Commit b2bb289a authored by Joy Latten's avatar Joy Latten Committed by Stephen Hemminger

xfrm security context support

In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".

This patchset adds security context support into ip xfrm
so that a security context can be included when
adding, deleting, or displaying SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.

For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
	proto esp spi 0x00000301 reqid 0 mode transport
	replay-window 0
	auth hmac(digest_null) 0x3078
	enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
	security context root:system_r:unconfined_t:s0

Please  let me know if all is ok with the patchset.
Thanks!!

regards,
Joy
Signed-off-by: default avatarJoy Latten <latten@austin.ibm.com>
parent db02608b
...@@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo, ...@@ -850,6 +850,20 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf); xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
xfrm_stats_print(&xsinfo->stats, fp, buf); xfrm_stats_print(&xsinfo->stats, fp, buf);
} }
if (tb[XFRMA_SEC_CTX]) {
struct xfrm_user_sec_ctx *sctx;
fprintf(fp, "\tsecurity context ");
if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
fprintf(fp, "(ERROR truncated)");
sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
}
} }
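Review bot: The truncation check on the `if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))` line only prints an error and then falls through to dereference `sctx` and print `(char *)(sctx + 1)` with an unbounded `%s`, so a short attribute, or one whose label is not NUL-terminated, is still read past the end of the netlink payload. The guard should skip the dereference on truncation, and the label should be printed with `%.*s` bounded by the smaller of the payload remaining after the header and the header's own `ctx_len` field. The same pattern is added in the xfrm_policy_info_print hunk below and needs the same fix. xfrm_state_info_print begins outside this hunk.
```c
	if (tb[XFRMA_SEC_CTX]) {
		struct xfrm_user_sec_ctx *sctx;
		int len;

		fprintf(fp, "\tsecurity context ");
		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx)) {
			fprintf(fp, "(ERROR truncated)");
		} else {
			sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
			/* never print past the attribute: the label is not guaranteed NUL-terminated */
			len = RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) - sizeof(*sctx);
			if (sctx->ctx_len < len)
				len = sctx->ctx_len;
			fprintf(fp, "%.*s ", len, (char *)(sctx + 1));
		}
		fprintf(fp, "%s", _SL_);
	}
```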
void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
...@@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, ...@@ -862,6 +876,20 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title); xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
if (tb[XFRMA_SEC_CTX]) {
struct xfrm_user_sec_ctx *sctx;
fprintf(fp, "\tsecurity context ");
if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
fprintf(fp, "(ERROR truncated)");
sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
fprintf(fp, "%s ", (char *)(sctx + 1));
fprintf(fp, "%s", _SL_);
}
if (prefix) if (prefix)
STRBUF_CAT(buf, prefix); STRBUF_CAT(buf, prefix);
STRBUF_CAT(buf, "\t"); STRBUF_CAT(buf, "\t");
......
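Review bot: The security-context block added after the `xfrm_selector_print(...)` line is a line-for-line copy of the one added to xfrm_state_info_print above, differing only in how `_SL_` is emitted. Moving it into one file-local helper, e.g. `static void xfrm_sec_ctx_print(struct rtattr *attr, FILE *fp)`, would keep the two displays consistent and give any bounds fix a single place to land. xfrm_policy_info_print continues outside this hunk.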
...@@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp); ...@@ -154,5 +154,6 @@ int xfrm_reqid_parse(__u32 *reqid, int *argcp, char ***argvp);
int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp); int xfrm_selector_parse(struct xfrm_selector *sel, int *argcp, char ***argvp);
int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft, int xfrm_lifetime_cfg_parse(struct xfrm_lifetime_cfg *lft,
int *argcp, char ***argvp); int *argcp, char ***argvp);
int xfrm_sctx_parse(char *ctxstr, char *context,
struct xfrm_user_sec_ctx *sctx);
#endif #endif
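Review bot: The new `xfrm_sctx_parse` prototype passes `sctx` with no size, yet the display code in this commit treats the struct as a header followed by a variable-length label, so the caller must provision storage beyond `sizeof(*sctx)`; the declaration should say who allocates that buffer and how its size is derived. A short comment above the prototype, stating the required buffer size and what is returned on parse failure, would make the contract visible to callers; if `ctxstr` and `context` are not modified, they should also be `const char *`. The definition is not on this page, so the exact contract needs confirming against it.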