• C
    smack: Add support for unlabeled network hosts and networks · 6d3dc07c
    Casey Schaufler 提交于
    Add support for unlabeled network hosts and networks.
    Relies heavily on Paul Moore's netlabel support.
    
    Creates a new entry in /smack called netlabel. Writes to /smack/netlabel
    take the form:
    
        A.B.C.D LABEL
    or
        A.B.C.D/N LABEL
    
    where A.B.C.D is a network address, N is an integer between 0-32,
    and LABEL is the Smack label to be used. If /N is omitted /32 is
    assumed. N designates the netmask for the address. Entries are
    matched by the most specific address/mask pair. 0.0.0.0/0 will
    match everything, while 192.168.1.117/32 will match exactly one
    host.
    
    A new system label "@", pronounced "web", is defined. Processes
    can not be assigned the web label. An address assigned the web
    label can be written to by any process, and packets coming from
    a web address can be written to any socket. Use of the web label
    is a violation of any strict MAC policy, but the web label has
    been requested many times.
    
    The nltype entry has been removed from /smack. It did not work right
    and the netlabel interface can be used to specify that all hosts
    be treated as unlabeled.
    
    CIPSO labels on incoming packets will be honored, even from designated
    single label hosts. Single label hosts can only be written to by
    processes with labels that can write to the label of the host.
    Packets sent to single label hosts will always be unlabeled.
    
    Once added a single label designation cannot be removed, however
    the label may be changed.
    
    The behavior of the ambient label remains unchanged.
    Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: NPaul Moore <paul.moore@hp.com>
    6d3dc07c
smack_access.c 9.6 KB