* [d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem
@ 2026-03-03 14:27 Anton Midyukov
From: Anton Midyukov @ 2026-03-03 14:27 UTC (permalink / raw)
To: devel-kernel
This is an adaptation of the original patch by Andriy Stepanov stanv@.
Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef
Link: https://www.altlinux.org/Sl#ALT_Linux
Signed-off-by: Anton Midyukov <antohami@altlinux.org>
---
net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++
net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++-
net/netlabel/netlabel_mgmt.h | 8 +++
3 files changed, 256 insertions(+), 1 deletion(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 33b77084a4e5..99bd464399fe 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk,
ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CIPSOV4:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ ret_val = 0;
+ break;
+ }
ret_val = cipso_v4_sock_setattr(sk,
dom_entry->def.cipso,
secattr, sk_locked);
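Review bot: the skip condition at the top of the CIPSOv4 case has the opposite polarity from the attribute's documented meaning. With `!netlbl_mgmt_s0_flg()`, s0 contexts are left unlabeled only when the flag is 0, while the NLBL_MGMT_A_S0 comment in netlabel_mgmt.h says "if true then S0 packets are not marked". Pick one polarity and align the condition, the header comment, the static initializer and the init default. The same six-line comment and four-line predicate are also repeated in all eight hunks of this file; a small static helper such as `netlbl_secattr_is_s0(secattr)` would make the predicate reviewable in one place, and parenthesizing `(secattr->flags & NETLBL_SECATTR_MLS_LVL)` would match the style of the neighbouring `!(secattr->flags & NETLBL_SECATTR_MLS_CAT)`.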
@@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk,
ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CALIPSO:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ ret_val = 0;
+ break;
+ }
ret_val = calipso_sock_setattr(sk,
dom_entry->def.calipso,
secattr);
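Review bot: in netlbl_sock_setattr() both the CIPSOv4 and the CALIPSO branch return 0 without calling the matching delattr, whereas the netlbl_conn_setattr() and netlbl_req_setattr() hunks remove the existing option first. A socket that already carries a label from an earlier setattr therefore keeps that stale option when it is later given an s0 context. Either call cipso_v4_sock_delattr()/calipso_sock_delattr() here as well, or explain in the commit message why this path is allowed to differ. The sentence "Socket has IP option. Linux's network subsystem automatically assigns for any packets socket's IP option." in the comment should also be reworded, e.g. "The socket's IP option is copied into every packet it sends."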
@@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk,
}
switch (entry->type) {
case NETLBL_NLTYPE_CIPSOV4:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ cipso_v4_sock_delattr(sk);
+ ret_val = 0;
+ break;
+ }
ret_val = cipso_v4_sock_setattr(sk,
entry->cipso, secattr,
netlbl_sk_lock_check(sk));
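Review bot: the inline comment "just delete the protocols we support for right now but we could remove other protocols if needed" is lifted from netlbl_sock_delattr(), where it describes iterating over all labeling protocols; here exactly one protocol is in scope and the comment misleads. Replace it with a one-liner stating why the existing CIPSO option is removed (the peer context is s0, so any label set earlier on this socket must go). The logic itself is fine: cipso_v4_sock_delattr() tolerates a socket without an option.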
@@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk,
}
switch (entry->type) {
case NETLBL_NLTYPE_CALIPSO:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ calipso_sock_delattr(sk);
+ ret_val = 0;
+ break;
+ }
ret_val = calipso_sock_setattr(sk,
entry->calipso, secattr);
break;
@@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req,
}
switch (entry->type) {
case NETLBL_NLTYPE_CIPSOV4:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ cipso_v4_req_delattr(req);
+ ret_val = 0;
+ break;
+ }
ret_val = cipso_v4_req_setattr(req,
entry->cipso, secattr);
break;
@@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req,
}
switch (entry->type) {
case NETLBL_NLTYPE_CALIPSO:
+ /* Our target is skipping marking packets with s0.
+ * If 'map' command doesn't have specified 'address' and 'domain'
+ * then netlabel takes 'default' rule.
+ * Default rule is to mark packets corresponding to socket IP option.
+ * Socket has IP option. Linux's network subsystem automatically assigns
+ * for any packets socket's IP option.
+ */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ calipso_req_delattr(req);
+ ret_val = 0;
+ break;
+ }
ret_val = calipso_req_setattr(req,
entry->calipso, secattr);
break;
@@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
}
switch (entry->type) {
case NETLBL_NLTYPE_CIPSOV4:
+ /* Our target is skipping marking packets with s0.
+ * We can't change function netlbl_domhsh_getentry_af4,
+ * due it is used in other places. Thus, let's place code
+ * just right here. */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ ret_val = cipso_v4_skbuff_delattr(skb);
+ break;
+ }
ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
secattr);
break;
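Review bot: on this path ret_val is the return value of cipso_v4_skbuff_delattr() rather than a hard 0 as in the netlbl_conn_setattr()/netlbl_req_setattr() hunks. Propagating the delattr result is the better choice, since a failed option removal is otherwise silently reported as success, but the commit message should state that the skbuff path reports removal failures while the socket and request paths do not. Also "due it is used" should read "since it is used".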
@@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
}
switch (entry->type) {
case NETLBL_NLTYPE_CALIPSO:
+ /* Our target is skipping marking packets with s0.
+ * We can't change function netlbl_domhsh_getentry_af4,
+ * due it is used in other places. Thus, let's place code
+ * just right here. */
+ if (!netlbl_mgmt_s0_flg()
+ && secattr->flags & NETLBL_SECATTR_MLS_LVL
+ && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
+ && secattr->attr.mls.lvl == 0) {
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ ret_val = calipso_skbuff_delattr(skb);
+ break;
+ }
ret_val = calipso_skbuff_setattr(skb, entry->calipso,
secattr);
break;
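Review bot: the comment names netlbl_domhsh_getentry_af4, but this is the CALIPSO/IPv6 branch whose lookup is netlbl_domhsh_getentry_af6(); fix the copied comment.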
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 689eaa2afbec..8ddd9314a496 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg {
u32 seq;
};
+/* Accept unlabeled packets flag */
+static u8 netlabel_mgmt_s0_flg = 0;
+
/* NetLabel Generic NETLINK CIPSOv4 family */
static struct genl_family netlbl_mgmt_gnl_family;
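Review bot: the comment "Accept unlabeled packets flag" is copied from netlabel_unlabeled.c and describes a different flag; say what this one controls once the polarity is settled. The variable is written from the netlink handler and read on every setattr call without a lock, so use READ_ONCE()/WRITE_ONCE() in netlbl_mgmt_s0_flg() and netlbl_mgmt_s0_update() to make the lockless access explicit. The static initializer 0 is immediately overwritten with 1 in netlbl_mgmt_genl_init(); initialize it to the intended default here so the two do not disagree.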
@@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
[NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
[NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
[NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
+ [NLBL_MGMT_A_S0] = { .type = NLA_U8 },
};
/*
* Helper Functions
*/
+/**
+ * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag
+ */
+int netlbl_mgmt_s0_flg(void)
+{
+ return netlabel_mgmt_s0_flg;
+}
+
+/**
+ * netlbl_mgmt_s0_update - Set the s0 mark flag
+ * @value: desired value
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Set the value of the s0 mark flag to @value.
+ *
+ */
+static void netlbl_mgmt_s0_update(u8 value,
+ struct netlbl_audit *audit_info)
+{
+ struct audit_buffer *audit_buf;
+ u8 old_val;
+
+ old_val = netlabel_mgmt_s0_flg;
+ netlabel_mgmt_s0_flg = value;
+ // XXX: change type
+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
+ audit_info);
+ if (audit_buf != NULL) {
+ audit_log_format(audit_buf,
+ " mark_s0=%u old=%u", value, old_val);
+ audit_log_end(audit_buf);
+ }
+}
+
/**
* netlbl_mgmt_add_common - Handle an ADD message
* @info: the Generic NETLINK info block
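Review bot: netlbl_mgmt_s0_update() reuses AUDIT_MAC_UNLBL_ALLOW and marks it "XXX: change type", so toggling this flag emits an audit record indistinguishable by type from the unlabeled-accept toggle; anyone filtering on AUDIT_MAC_UNLBL_ALLOW will see records whose "unlbl_accept=" field is missing and a "mark_s0=" field that is not documented for that type. Add a dedicated AUDIT_MAC_* type in include/uapi/linux/audit.h or document the reuse, and drop the C++-style `//` comment, which checkpatch flags. The kernel-doc for netlbl_mgmt_s0_flg() also needs a Description:/Return line to match the file's style.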
@@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
* NetLabel Command Handlers
*/
+/**
+ * netlbl_mgmt_s0_set - Handle an s0 mark message
+ * @skb: the NETLINK buffer
+ * @info: the Generic NETLINK info block
+ *
+ * Description:
+ * Process a user generated s0 mark message and set the accept flag accordingly.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info)
+{
+ u8 value;
+ struct netlbl_audit audit_info;
+
+ if (info->attrs[NLBL_MGMT_A_S0]) {
+ value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]);
+ if (value == 1 || value == 0) {
+ netlbl_netlink_auditinfo(&audit_info);
+ netlbl_mgmt_s0_update(value, &audit_info);
+ return 0;
+ }
+ }
+
+ return -EINVAL;
+}
+
+/**
+ * netlbl_mgmt_s0_get - Handle an s0 mark message
+ * @skb: the NETLINK buffer
+ * @info: the Generic NETLINK info block
+ *
+ * Description:
+ * Process a user generated s0 mark message and respond with the current status.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info)
+{
+ int ret_val = -EINVAL;
+ struct sk_buff *ans_skb;
+ void *data;
+
+ ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (ans_skb == NULL)
+ goto list_failure;
+ data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
+ 0, NLBL_MGMT_C_S0_GET);
+ if (data == NULL) {
+ ret_val = -ENOMEM;
+ goto list_failure;
+ }
+
+ ret_val = nla_put_u8(ans_skb,
+ NLBL_MGMT_A_S0,
+ netlabel_mgmt_s0_flg);
+ if (ret_val != 0)
+ goto list_failure;
+
+ genlmsg_end(ans_skb, data);
+ return genlmsg_reply(ans_skb, info);
+
+list_failure:
+ kfree_skb(ans_skb);
+ return ret_val;
+}
+
/**
* netlbl_mgmt_add - Handle an ADD message
* @skb: the NETLINK buffer
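Review bot: in netlbl_mgmt_s0_get() the nlmsg_new() failure path jumps to list_failure with ret_val still -EINVAL; set ret_val = -ENOMEM before the goto (kfree_skb(NULL) is safe, so the label itself is fine). The label name list_failure is copied from netlbl_mgmt_listall(); a plain failure: would be clearer. In netlbl_mgmt_s0_set() the hand-written 0/1 range check can move into the policy as NLA_POLICY_MAX(NLA_U8, 1), which also gives userspace an extack message instead of a bare -EINVAL. Both kernel-doc headers say "Handle an s0 mark message"; name the commands (S0_SET and S0_GET) so they can be told apart.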
@@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
.doit = netlbl_mgmt_version,
.dumpit = NULL,
},
+ {
+ .cmd = NLBL_MGMT_C_S0_GET,
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .flags = 0,
+ .doit = netlbl_mgmt_s0_get,
+ .dumpit = NULL,
+ },
+ {
+ .cmd = NLBL_MGMT_C_S0_SET,
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .flags = GENL_ADMIN_PERM,
+ .doit = netlbl_mgmt_s0_set,
+ .dumpit = NULL,
+ },
};
static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
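Review bot: both new ops are registered with GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, flags that were kept on the pre-existing ops only for backward compatibility; new commands should get full strict validation, so drop .validate here. GENL_ADMIN_PERM on S0_SET and no permission on the read-only S0_GET mirrors the existing split and is fine.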
@@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
.module = THIS_MODULE,
.small_ops = netlbl_mgmt_genl_ops,
.n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
- .resv_start_op = NLBL_MGMT_C_VERSION + 1,
+ .resv_start_op = NLBL_MGMT_C_S0_GET + 1,
};
/*
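Review bot: bumping .resv_start_op to NLBL_MGMT_C_S0_GET + 1 exempts the two new commands from reserved-field validation; the field exists precisely so that ops added after NLBL_MGMT_C_VERSION are validated strictly. Leave it at NLBL_MGMT_C_VERSION + 1. Note also that the value as written silently depends on S0_GET being enumerated after S0_SET in netlabel_mgmt.h.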
@@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
*/
int __init netlbl_mgmt_genl_init(void)
{
+ struct netlbl_audit audit_info;
+
+ /* set default s0 mark flag */
+ netlbl_mgmt_s0_update(1, &audit_info);
+
return genl_register_family(&netlbl_mgmt_gnl_family);
}
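Review bot: audit_info is passed to netlbl_mgmt_s0_update() uninitialized, so the boot-time audit record built by netlbl_audit_start_common() is filled from stack garbage. Initialize it the way netlbl_unlabel_defconf() does for its own boot-time call, or set the flag directly at init and emit audit records only from the netlink handler.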
diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
index db20dfbbd8c4..db53cd1c132c 100644
--- a/net/netlabel/netlabel_mgmt.h
+++ b/net/netlabel/netlabel_mgmt.h
@@ -167,6 +167,8 @@ enum {
NLBL_MGMT_C_LISTDEF,
NLBL_MGMT_C_PROTOCOLS,
NLBL_MGMT_C_VERSION,
+ NLBL_MGMT_C_S0_SET,
+ NLBL_MGMT_C_S0_GET,
__NLBL_MGMT_C_MAX,
};
@@ -212,6 +214,9 @@ enum {
NLBL_MGMT_A_CLPDOI,
/* (NLA_U32)
* the CALIPSO DOI value */
+ NLBL_MGMT_A_S0,
+ /* (NLA_U8)
+ * if true then S0 packets are not marked, else marked */
__NLBL_MGMT_A_MAX,
};
#define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
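Review bot: the comment for NLBL_MGMT_A_S0 says "if true then S0 packets are not marked, else marked", but netlabel_kapi.c skips marking only when netlbl_mgmt_s0_flg() returns 0, and netlbl_mgmt_genl_init() sets the flag to 1. As written, the default leaves s0 contexts labeled and a value of 0 disables it, the opposite of this text. Correct the comment (or the condition) and state the default here, since this is the UAPI-facing description.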
@@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void);
/* NetLabel configured protocol reference counter */
extern atomic_t netlabel_mgmt_protocount;
+/* Status of markup s0 packets flag. */
+int netlbl_mgmt_s0_flg(void);
+
#endif
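Review bot: "Status of markup s0 packets flag." should describe the return value, e.g. "Returns non-zero when s0 contexts are still labeled" once the polarity is fixed; and since the backing variable is a u8 holding 0 or 1, returning bool would be more accurate than int.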
--
2.50.1