1========================================
2NetLabel Linux Security Module Interface
3========================================
4
5Paul Moore, paul.moore@hp.com
6
7May 17, 2006
8
9Overview
10========
11
12NetLabel is a mechanism which can set and retrieve security attributes from
13network packets.  It is intended to be used by LSM developers who want to make
14use of a common code base for several different packet labeling protocols.
15The NetLabel security module API is defined in 'include/net/netlabel.h' but a
16brief overview is given below.
17
18NetLabel Security Attributes
19============================
20
21Since NetLabel supports multiple different packet labeling protocols and LSMs
22it uses the concept of security attributes to refer to the packet's security
23labels.  The NetLabel security attributes are defined by the
24'netlbl_lsm_secattr' structure in the NetLabel header file.  Internally the
25NetLabel subsystem converts the security attributes to and from the correct
26low-level packet label depending on the NetLabel build time and run time
27configuration.  It is up to the LSM developer to translate the NetLabel
28security attributes into whatever security identifiers are in use for their
29particular LSM.
30
31NetLabel LSM Protocol Operations
32================================
33
34These are the functions which allow the LSM developer to manipulate the labels
35on outgoing packets as well as read the labels on incoming packets.  Functions
36exist to operate both on sockets as well as the sk_buffs directly.  These high
37level functions are translated into low level protocol operations based on how
38the administrator has configured the NetLabel subsystem.
39
40NetLabel Label Mapping Cache Operations
41=======================================
42
43Depending on the exact configuration, translation between the network packet
44label and the internal LSM security identifier can be time consuming.  The
45NetLabel label mapping cache is a caching mechanism which can be used to
46sidestep much of this overhead once a mapping has been established.  Once the
47LSM has received a packet, used NetLabel to decode its security attributes,
48and translated the security attributes into a LSM internal identifier the LSM
49can use the NetLabel caching functions to associate the LSM internal
50identifier with the network packet's label.  This means that in the future
51when a incoming packet matches a cached value not only are the internal
52NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
53bypassed as well which should result in a significant reduction in overhead.
54