From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 Message-ID: <49ad3bf0-1889-422c-adfb-6fde75bf5d24@altlinux.org> Date: Wed, 13 May 2026 15:07:25 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: devel-kernel@lists.altlinux.org References: <20260303142712.79380-1-antohami@altlinux.org> Content-Language: ru, en-US From: Anton Midyukov In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: Re: [d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2026 12:07:28 -0000 Archived-At: List-Archive: List-Post: 28.03.2026 05:57, Vitaly Chikunov пишет: > On Tue, Mar 03, 2026 at 05:27:12PM +0300, Anton Midyukov wrote: >> This is an adaptation of the original patch by Andriy Stepanov stanv@. >> Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef >> Link: https://www.altlinux.org/Sl#ALT_Linux >> Signed-off-by: Anton Midyukov > > Applied, thanks > Добрый день Можете применить и для ядра 6.18? >> >> --- >> net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++ >> net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++- >> net/netlabel/netlabel_mgmt.h | 8 +++ >> 3 files changed, 256 insertions(+), 1 deletion(-) >> >> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c >> index 33b77084a4e5..99bd464399fe 100644 >> --- a/net/netlabel/netlabel_kapi.c >> +++ b/net/netlabel/netlabel_kapi.c 
>> @@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk,
>> ret_val = -EDESTADDRREQ;
>> break;
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_sock_setattr(sk,
>> dom_entry->def.cipso,
>> secattr, sk_locked);
>> @@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk,
>> ret_val = -EDESTADDRREQ;
>> break;
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_sock_setattr(sk,
>> dom_entry->def.calipso,
>> secattr);
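Review bot: The s0 predicate `!netlbl_mgmt_s0_flg() && secattr->flags & NETLBL_SECATTR_MLS_LVL && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) && secattr->attr.mls.lvl == 0` and its seven-line comment are pasted into both hunks here and again into the netlbl_conn_setattr, netlbl_req_setattr and netlbl_skbuff_setattr hunks, six copies in total; one static helper in netlabel_kapi.c keeps the policy decision in a single place so the six call sites cannot drift apart. The comment itself would then live once, on the helper, instead of being repeated. Note also that the two skip branches in this function return 0 without touching any existing option, whereas the conn and req variants call the matching `*_delattr()`; if netlbl_sock_setattr() can be reached for a socket that already carries a label, the stale option would be kept, which is worth confirming against the callers. netlbl_sock_setattr() starts and ends outside the hunks.
```c
/* True when the attribute is a bare s0 label (MLS level 0 with no
 * categories) and the administrator has cleared the "mark s0" flag,
 * i.e. the traffic is to be left without a CIPSO/CALIPSO option. */
static bool netlbl_secattr_skip_s0(const struct netlbl_lsm_secattr *secattr)
{
	return !netlbl_mgmt_s0_flg() &&
	       (secattr->flags & NETLBL_SECATTR_MLS_LVL) &&
	       !(secattr->flags & NETLBL_SECATTR_MLS_CAT) &&
	       secattr->attr.mls.lvl == 0;
}

/* … unchanged: netlbl_sock_setattr() up to the CIPSOv4 case … */
	case NETLBL_NLTYPE_CIPSOV4:
		if (netlbl_secattr_skip_s0(secattr)) {
			ret_val = 0;
			break;
		}
		/* … unchanged: cipso_v4_sock_setattr() call … */
```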
>> @@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + cipso_v4_sock_delattr(sk);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_sock_setattr(sk,
>> entry->cipso, secattr,
>> netlbl_sk_lock_check(sk));
>> @@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + calipso_sock_delattr(sk);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_sock_setattr(sk,
>> entry->calipso, secattr);
>> break;
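Review bot: `cipso_v4_sock_delattr(sk)` in the new CIPSOv4 skip branch has no lock hint, while the `cipso_v4_sock_setattr()` call right below it passes `netlbl_sk_lock_check(sk)`, so the delete path silently depends on the caller already holding the socket lock; it is worth confirming that every caller of netlbl_conn_setattr() does, or stating the assumption next to the call, e.g. `/* caller holds the socket lock, as for netlbl_sock_delattr() */`. The same applies to `calipso_sock_delattr(sk)` in the second hunk. The `/* just delete the protocols we support for right now ... */` comment is lifted from the delattr helper and does not explain this branch; `/* s0 goes out unlabeled: drop any label the socket already carries */` states the actual intent. netlbl_conn_setattr() starts and ends outside the hunks.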
>> @@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + cipso_v4_req_delattr(req);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_req_setattr(req,
>> entry->cipso, secattr);
>> break;
>> @@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + calipso_req_delattr(req);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_req_setattr(req,
>> entry->calipso, secattr);
>> break;
>> @@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * We can't change function netlbl_domhsh_getentry_af4,
>> + * due it is used in other places. Thus, let's place code
>> + * just right here. */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + ret_val = cipso_v4_skbuff_delattr(skb);
>> + break;
>> + }
>> ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
>> secattr);
>> break;
>> @@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * We can't change function netlbl_domhsh_getentry_af4,
>> + * due it is used in other places. Thus, let's place code
>> + * just right here. */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + ret_val = calipso_skbuff_delattr(skb);
>> + break;
>> + }
>> ret_val = calipso_skbuff_setattr(skb, entry->calipso,
>> secattr);
>> break;
>> diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
>> index 689eaa2afbec..8ddd9314a496 100644
>> --- a/net/netlabel/netlabel_mgmt.c
>> +++ b/net/netlabel/netlabel_mgmt.c
>> @@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg {
>> u32 seq;
>> };
>>
>> +/* Accept unlabeled packets flag */
>> +static u8 netlabel_mgmt_s0_flg = 0;
>> +
>> /* NetLabel Generic NETLINK CIPSOv4 family */
>> static struct genl_family netlbl_mgmt_gnl_family;
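Review bot: The comment in the CALIPSO skip branch of the second hunk says `We can't change function netlbl_domhsh_getentry_af4`, but this is the IPv6 leg of netlbl_skbuff_setattr(), whose lookup is netlbl_domhsh_getentry_af6(); the text was copied from the CIPSOv4 hunk above and should name the af6 helper, or simply say `/* skip labelling bare s0 here rather than in the domain hash lookup, which has other users */` in both places. The `/* just delete the protocols we support ... */` lines are likewise carried over from the delattr helpers and do not describe this branch. netlbl_skbuff_setattr() starts and ends outside the hunks.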
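Review bot: `/* Accept unlabeled packets flag */` above `static u8 netlabel_mgmt_s0_flg = 0;` is the comment of the unlabeled-traffic accept flag and describes the opposite mechanism; this variable decides whether a bare s0 label is still written as a CIPSO/CALIPSO option (nonzero) or suppressed (zero). Suggested comment: `/* Nonzero: bare s0 labels (MLS level 0, no categories) are put on the wire; zero: s0 traffic is sent without a CIPSO/CALIPSO option. Read via netlbl_mgmt_s0_flg(). */`. The initializer is 0 although the intended default set later in netlbl_mgmt_genl_init() is 1, so a reader of this definition alone gets the wrong default; initializing to the real default here would remove that surprise.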
>>
>> @@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
>> [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
>> [NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
>> [NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
>> + [NLBL_MGMT_A_S0] = { .type = NLA_U8 },
>> };
>>
>> /*
>> * Helper Functions
>> */
>>
>> +/**
>> + * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag
>> + */
>> +int netlbl_mgmt_s0_flg(void)
>> +{
>> + return netlabel_mgmt_s0_flg;
>> +}
>> +
>> +/**
>> + * netlbl_mgmt_s0_update - Set the s0 mark flag
>> + * @value: desired value
>> + * @audit_info: NetLabel audit information
>> + *
>> + * Description:
>> + * Set the value of the s0 mark flag to @value.
>> + *
>> + */
>> +static void netlbl_mgmt_s0_update(u8 value,
>> + struct netlbl_audit *audit_info)
>> +{
>> + struct audit_buffer *audit_buf;
>> + u8 old_val;
>> +
>> + old_val = netlabel_mgmt_s0_flg;
>> + netlabel_mgmt_s0_flg = value;
>> + // XXX: change type
>> + audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
>> + audit_info);
>> + if (audit_buf != NULL) {
>> + audit_log_format(audit_buf,
>> + " mark_s0=%u old=%u", value, old_val);
>> + audit_log_end(audit_buf);
>> + }
>> +}
>> +
>> /**
>> * netlbl_mgmt_add_common - Handle an ADD message
>> * @info: the Generic NETLINK info block
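Review bot: `netlbl_mgmt_s0_update()` emits its record under `AUDIT_MAC_UNLBL_ALLOW`, the type used for the unlabeled-accept flag, but with a different field set (`mark_s0=`, `old=`), so audit consumers that parse that type now meet two incompatible record shapes; the `// XXX: change type` marker admits this but the patch as submitted neither adds a dedicated `AUDIT_MAC_*` type (a uapi linux/audit.h change) nor explains the trade-off, and a `/* ... */` comment would match this file's comment style. Separately, the flag is written here and read by `netlbl_mgmt_s0_flg()` from the packet-labelling paths with no lock; `WRITE_ONCE(netlabel_mgmt_s0_flg, value);` and `return READ_ONCE(netlabel_mgmt_s0_flg);` mark the access as intentionally lockless and keep the compiler from re-ordering it. The kernel-doc for netlbl_mgmt_s0_flg() should also state what the return value means, e.g. `Returns nonzero when bare s0 labels are still written to the wire, zero when they are suppressed.`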
>> @@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
>> * NetLabel Command Handlers
>> */
>>
>> +/**
>> + * netlbl_mgmt_s0_set - Handle an s0 mark message
>> + * @skb: the NETLINK buffer
>> + * @info: the Generic NETLINK info block
>> + *
>> + * Description:
>> + * Process a user generated s0 mark message and set the accept flag accordingly.
>> + * Returns zero on success, negative values on failure.
>> + *
>> + */
>> +static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info)
>> +{
>> + u8 value;
>> + struct netlbl_audit audit_info;
>> +
>> + if (info->attrs[NLBL_MGMT_A_S0]) {
>> + value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]);
>> + if (value == 1 || value == 0) {
>> + netlbl_netlink_auditinfo(&audit_info);
>> + netlbl_mgmt_s0_update(value, &audit_info);
>> + return 0;
>> + }
>> + }
>> +
>> + return -EINVAL;
>> +}
>> +
>> +/**
>> + * netlbl_mgmt_s0_get - Handle an s0 mark message
>> + * @skb: the NETLINK buffer
>> + * @info: the Generic NETLINK info block
>> + *
>> + * Description:
>> + * Process a user generated s0 mark message and respond with the current status.
>> + * Returns zero on success, negative values on failure.
>> + *
>> + */
>> +static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info)
>> +{
>> + int ret_val = -EINVAL;
>> + struct sk_buff *ans_skb;
>> + void *data;
>> +
>> + ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
>> + if (ans_skb == NULL)
>> + goto list_failure;
>> + data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
>> + 0, NLBL_MGMT_C_S0_GET);
>> + if (data == NULL) {
>> + ret_val = -ENOMEM;
>> + goto list_failure;
>> + }
>> +
>> + ret_val = nla_put_u8(ans_skb,
>> + NLBL_MGMT_A_S0,
>> + netlabel_mgmt_s0_flg);
>> + if (ret_val != 0)
>> + goto list_failure;
>> +
>> + genlmsg_end(ans_skb, data);
>> + return genlmsg_reply(ans_skb, info);
>> +
>> +list_failure:
>> + kfree_skb(ans_skb);
>> + return ret_val;
>> +}
>> +
>> /**
>> * netlbl_mgmt_add - Handle an ADD message
>> * @skb: the NETLINK buffer
>> @@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
>> .doit = netlbl_mgmt_version,
>> .dumpit = NULL,
>> },
>> + {
>> + .cmd = NLBL_MGMT_C_S0_GET,
>> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
>> + .flags = 0,
>> + .doit = netlbl_mgmt_s0_get,
>> + .dumpit = NULL,
>> + },
>> + {
>> + .cmd = NLBL_MGMT_C_S0_SET,
>> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
>> + .flags = GENL_ADMIN_PERM,
>> + .doit = netlbl_mgmt_s0_set,
>> + .dumpit = NULL,
>> + },
>> };
>>
>> static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> @@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> .module = THIS_MODULE,
>> .small_ops = netlbl_mgmt_genl_ops,
>> .n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
>> - .resv_start_op = NLBL_MGMT_C_VERSION + 1,
>> + .resv_start_op = NLBL_MGMT_C_S0_GET + 1,
>> };
>>
>> /*
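Review bot: In `netlbl_mgmt_s0_get()` the `nlmsg_new()` failure path jumps to `list_failure` while `ret_val` still holds its initial `-EINVAL`, so an allocation failure is reported to userspace as an invalid request; the `genlmsg_put_reply()` failure a few lines below correctly sets `-ENOMEM` first, and the other reply handlers in this file return `-ENOMEM` for a failed `nlmsg_new()`. Either `if (ans_skb == NULL) return -ENOMEM;` or `ret_val = -ENOMEM;` before the goto fixes it, after which `ret_val` can start at 0 rather than `-EINVAL`. The `list_failure` label is carried over from the list handlers; `s0_get_failure` would read better. In `netlbl_mgmt_s0_set()` the kernel-doc says it sets "the accept flag", which is the unlabeled flag's name; `set the s0 mark flag` matches what the function does.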
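Review bot: Both new entries in `netlbl_mgmt_genl_ops[]` carry `.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP`, a relaxation the existing ops carry so that pre-strict userspace keeps working; a command that did not exist before has no such userspace, so these two can take the default strict validation (drop the `.validate` lines), which rejects unknown attributes and trailing data in an S0_SET request before `netlbl_mgmt_s0_set()` runs. The `GENL_ADMIN_PERM` on NLBL_MGMT_C_S0_SET is the right restriction for a flag that changes how traffic is labelled; since NLBL_MGMT_C_S0_GET is left readable by any user, as NLBL_MGMT_C_VERSION is, the commit message should say so explicitly.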
>> @@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> */
>> int __init netlbl_mgmt_genl_init(void)
>> {
>> + struct netlbl_audit audit_info;
>> +
>> + /* set default s0 mark flag */
>> + netlbl_mgmt_s0_update(1, &audit_info);
>> +
>> return genl_register_family(&netlbl_mgmt_gnl_family);
>> }
>> diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
>> index db20dfbbd8c4..db53cd1c132c 100644
>> --- a/net/netlabel/netlabel_mgmt.h
>> +++ b/net/netlabel/netlabel_mgmt.h
>> @@ -167,6 +167,8 @@ enum {
>> NLBL_MGMT_C_LISTDEF,
>> NLBL_MGMT_C_PROTOCOLS,
>> NLBL_MGMT_C_VERSION,
>> + NLBL_MGMT_C_S0_SET,
>> + NLBL_MGMT_C_S0_GET,
>> __NLBL_MGMT_C_MAX,
>> };
>>
>> @@ -212,6 +214,9 @@ enum {
>> NLBL_MGMT_A_CLPDOI,
>> /* (NLA_U32)
>> * the CALIPSO DOI value */
>> + NLBL_MGMT_A_S0,
>> + /* (NLA_U8)
>> + * if true then S0 packets are not marked, else marked */
>> __NLBL_MGMT_A_MAX,
>> };
>> #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
>> @@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void);
>> /* NetLabel configured protocol reference counter */
>> extern atomic_t netlabel_mgmt_protocount;
>>
>> +/* Status of markup s0 packets flag. */
>> +int netlbl_mgmt_s0_flg(void);
>> +
>> #endif
>> --
>> 2.50.1
>> >> _______________________________________________ >> devel-kernel mailing list >> devel-kernel@lists.altlinux.org >> https://lists.altlinux.org/mailman/listinfo/devel-kernel > _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel -- best regards, Anton Midyukov
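Review bot: `netlbl_mgmt_genl_init()` passes an uninitialised `struct netlbl_audit audit_info` to `netlbl_mgmt_s0_update()`, whose `netlbl_audit_start_common()` call reads the login uid, session id and secid out of it, so the boot-time audit record is built from indeterminate stack contents (reading an uninitialised object is undefined behaviour as well). The simplest fix is to drop the call and give the flag its default at its definition, `static u8 netlabel_mgmt_s0_flg = 1;`, so no audit event is needed during init; if a boot-time record is wanted, the fields must be filled in explicitly first, the way `netlbl_unlabel_defconf()` does before its own update call. The comment `/* set default s0 mark flag */` should then also say what the default means, e.g. `/* default: bare s0 labels are still written to the wire */`.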
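Review bot: The new attribute comment `if true then S0 packets are not marked, else marked` in netlabel_mgmt.h states the inverse of what the code does: the skip branches in netlabel_kapi.c fire only when `!netlbl_mgmt_s0_flg()`, and netlbl_mgmt_genl_init() sets the flag to 1 as the default, so a nonzero value means s0 packets keep their label and zero means they are sent unlabelled. Suggested text: `/* (NLA_U8) * nonzero (default): s0 packets carry a CIPSO/CALIPSO label; zero: s0 packets are sent unlabeled */`, and for the prototype `/* Nonzero when bare s0 labels are still put on the wire. */` in place of `Status of markup s0 packets flag.`. This header documents the netlink attribute that administration tooling will read, so the sense of the flag has to match the implementation.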