From: Vitaly Chikunov <vt@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem
Date: Sat, 28 Mar 2026 05:57:48 +0300
Message-ID: <acdDhSxi7oHMstNy@altlinux.org>
In-Reply-To: <20260303142712.79380-1-antohami@altlinux.org>
On Tue, Mar 03, 2026 at 05:27:12PM +0300, Anton Midyukov wrote:
> This is an adaptation of the original patch by Andriy Stepanov stanv@.
> Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef
> Link: https://www.altlinux.org/Sl#ALT_Linux
> Signed-off-by: Anton Midyukov <antohami@altlinux.org>
Applied, thanks
>
> ---
> net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++
> net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++-
> net/netlabel/netlabel_mgmt.h | 8 +++
> 3 files changed, 256 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 33b77084a4e5..99bd464399fe 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk,
> ret_val = -EDESTADDRREQ;
> break;
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_sock_setattr(sk,
> dom_entry->def.cipso,
> secattr, sk_locked);
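Review bot: The skip path in this hunk returns 0 without touching whatever CIPSO option the socket may already carry, while the netlbl_conn_setattr() and netlbl_req_setattr() arms of the same patch call the matching *_delattr() before returning. If a socket can reach netlbl_sock_setattr() with an option already installed (for example after a relabel), a stale level-0 label stays on it with the flag clear; either call cipso_v4_sock_delattr(sk) here too or document why the asymmetry is safe. Two style points on the predicate: kernel style puts the `&&` at the end of the previous line and parenthesises the bitwise tests (`(secattr->flags & NETLBL_SECATTR_MLS_LVL)`), and since the same four-line condition is pasted into eight switch arms it should live in one static inline helper (a suggested name: `netlbl_secattr_is_s0(secattr)`) so the rule has a single definition.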
> @@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk,
> ret_val = -EDESTADDRREQ;
> break;
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_sock_setattr(sk,
> dom_entry->def.calipso,
> secattr);
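Review bot: The comment block at the top of this hunk is a verbatim copy of the CIPSOv4 one and does not read well ("Socket has IP option. Linux's network subsystem automatically assigns for any packets socket's IP option."); write it once in plain English, and for this arm say that the CALIPSO label is carried in the IPv6 hop-by-hop header rather than in an IPv4 option. The behavioural remark on the CIPSOv4 arm applies here as well: the early `ret_val = 0; break;` leaves any CALIPSO label already on the socket in place.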
> @@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + cipso_v4_sock_delattr(sk);
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_sock_setattr(sk,
> entry->cipso, secattr,
> netlbl_sk_lock_check(sk));
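Review bot: cipso_v4_sock_delattr(sk) is called on a path that may run without the socket lock held; the next statement passes netlbl_sk_lock_check(sk) to cipso_v4_sock_setattr() for exactly that reason, but the delattr call gets no such hint. Please confirm that rewriting the socket's IP options through cipso_v4_sock_delattr() is safe in the unlocked case, or take the same precaution. The inherited comment "just delete the protocols we support for right now / but we could remove other protocols if needed" comes from netlbl_sock_delattr(), where it spans both CIPSO and CALIPSO; inside a single-protocol switch arm it is misleading and should be dropped.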
> @@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + calipso_sock_delattr(sk);
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_sock_setattr(sk,
> entry->calipso, secattr);
> break;
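Review bot: Third verbatim copy of the comment and predicate; please factor them out. The phrase "Our target is skipping marking packets with s0" also hard-codes the SELinux name of the level in an LSM-agnostic subsystem: what the code actually tests is MLS level 0 with no categories (`NETLBL_SECATTR_MLS_LVL` set, `NETLBL_SECATTR_MLS_CAT` clear, `attr.mls.lvl == 0`), so describe the condition that way and name the flag after it rather than after "s0".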
> @@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + cipso_v4_req_delattr(req);
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_req_setattr(req,
> entry->cipso, secattr);
> break;
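Review bot: The pasted comment says "Socket has IP option", but this is netlbl_req_setattr(): there is no full socket yet, the option is stored on the request_sock, so the explanation is wrong for this arm. Behaviour is consistent with the conn path (delete, then return 0), but note that cipso_v4_req_delattr() is called without using a return value here, whereas the netlbl_skbuff_setattr() arms below return the delattr result; if the request_sock helper can fail, that failure is lost.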
> @@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + calipso_req_delattr(req);
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_req_setattr(req,
> entry->calipso, secattr);
> break;
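Review bot: Same request_sock remark as for the CIPSOv4 arm: the "Socket has IP option" comment does not apply to a request_sock, and the CALIPSO label is an IPv6 hop-by-hop option. With a shared predicate helper this arm becomes a two-line change.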
> @@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * We can't change function netlbl_domhsh_getentry_af4,
> + * due it is used in other places. Thus, let's place code
> + * just right here. */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + ret_val = cipso_v4_skbuff_delattr(skb);
> + break;
> + }
> ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
> secattr);
> break;
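Review bot: This arm changes behaviour for packets that already carry a label: netlbl_skbuff_setattr() is the relabel path for traffic the host forwards, and with the flag clear an explicit level-0 CIPSO option received from a peer is now stripped (cipso_v4_skbuff_delattr()) instead of being rewritten. If that is intended, say so in the commit message, because peers that do not accept unlabeled traffic will treat the forwarded packets differently. The comment's justification ("We can't change function netlbl_domhsh_getentry_af4, due it is used in other places") is about where the check is placed, not what it does; keep the what and drop the where once the predicate is a helper.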
> @@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * We can't change function netlbl_domhsh_getentry_af4,
> + * due it is used in other places. Thus, let's place code
> + * just right here. */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + ret_val = calipso_skbuff_delattr(skb);
> + break;
> + }
> ret_val = calipso_skbuff_setattr(skb, entry->calipso,
> secattr);
> break;
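Review bot: The comment in this arm still names netlbl_domhsh_getentry_af4, but this is the CALIPSO/IPv6 arm, where that IPv4 lookup is not the function involved; the text was copied from the CIPSOv4 arm without adjustment. Fix the name or, better, drop the duplicated comment.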
> diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
> index 689eaa2afbec..8ddd9314a496 100644
> --- a/net/netlabel/netlabel_mgmt.c
> +++ b/net/netlabel/netlabel_mgmt.c
> @@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg {
> u32 seq;
> };
>
> +/* Accept unlabeled packets flag */
> +static u8 netlabel_mgmt_s0_flg = 0;
> +
> /* NetLabel Generic NETLINK CIPSOv4 family */
> static struct genl_family netlbl_mgmt_gnl_family;
>
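Review bot: The comment on the new static is wrong: "Accept unlabeled packets flag" describes the accept flag in netlabel_unlabeled.c, whereas this one controls whether level-0/no-category traffic is labelled (1, the default set in netlbl_mgmt_genl_init() below) or sent unlabelled (0). The variable netlabel_mgmt_s0_flg and the accessor netlbl_mgmt_s0_flg() differ by one letter; pick clearly distinct names (for instance netlabel_mgmt_mark_s0 and netlbl_mgmt_mark_s0_get(), both suggestions). The value is written from a netlink handler and read on every socket and packet labelling path without any lock; use READ_ONCE()/WRITE_ONCE() on it so the data race is at least annotated.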
> @@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
> [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
> [NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
> [NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
> + [NLBL_MGMT_A_S0] = { .type = NLA_U8 },
> };
>
> /*
> * Helper Functions
> */
>
> +/**
> + * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag
> + */
> +int netlbl_mgmt_s0_flg(void)
> +{
> + return netlabel_mgmt_s0_flg;
> +}
> +
> +/**
> + * netlbl_mgmt_s0_update - Set the s0 mark flag
> + * @value: desired value
> + * @audit_info: NetLabel audit information
> + *
> + * Description:
> + * Set the value of the s0 mark flag to @value.
> + *
> + */
> +static void netlbl_mgmt_s0_update(u8 value,
> + struct netlbl_audit *audit_info)
> +{
> + struct audit_buffer *audit_buf;
> + u8 old_val;
> +
> + old_val = netlabel_mgmt_s0_flg;
> + netlabel_mgmt_s0_flg = value;
> + // XXX: change type
> + audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
> + audit_info);
> + if (audit_buf != NULL) {
> + audit_log_format(audit_buf,
> + " mark_s0=%u old=%u", value, old_val);
> + audit_log_end(audit_buf);
> + }
> +}
> +
> /**
> * netlbl_mgmt_add_common - Handle an ADD message
> * @info: the Generic NETLINK info block
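Review bot: netlbl_mgmt_s0_update() logs the change with AUDIT_MAC_UNLBL_ALLOW and leaves a "// XXX: change type" marker (a C++-style comment, which checkpatch also rejects) on the line; an audit consumer will see a "mark_s0=" field inside a record type that means "unlabeled accept flag changed". Either add a dedicated audit message type or resolve the XXX before merging; a TODO in the audit path should not ship. The policy entry `[NLBL_MGMT_A_S0] = { .type = NLA_U8 }` could be `NLA_POLICY_MAX(NLA_U8, 1)` so that the 0/1 range check lives in the policy rather than in the handler. Finally, netlbl_mgmt_s0_flg() is a one-line getter called on every labelling path; make it a static inline in netlabel_mgmt.h instead of an out-of-line call.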
> @@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
> * NetLabel Command Handlers
> */
>
> +/**
> + * netlbl_mgmt_s0_set - Handle an s0 mark message
> + * @skb: the NETLINK buffer
> + * @info: the Generic NETLINK info block
> + *
> + * Description:
> + * Process a user generated s0 mark message and set the accept flag accordingly.
> + * Returns zero on success, negative values on failure.
> + *
> + */
> +static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info)
> +{
> + u8 value;
> + struct netlbl_audit audit_info;
> +
> + if (info->attrs[NLBL_MGMT_A_S0]) {
> + value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]);
> + if (value == 1 || value == 0) {
> + netlbl_netlink_auditinfo(&audit_info);
> + netlbl_mgmt_s0_update(value, &audit_info);
> + return 0;
> + }
> + }
> +
> + return -EINVAL;
> +}
> +
> +/**
> + * netlbl_mgmt_s0_get - Handle an s0 mark message
> + * @skb: the NETLINK buffer
> + * @info: the Generic NETLINK info block
> + *
> + * Description:
> + * Process a user generated s0 mark message and respond with the current status.
> + * Returns zero on success, negative values on failure.
> + *
> + */
> +static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info)
> +{
> + int ret_val = -EINVAL;
> + struct sk_buff *ans_skb;
> + void *data;
> +
> + ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> + if (ans_skb == NULL)
> + goto list_failure;
> + data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
> + 0, NLBL_MGMT_C_S0_GET);
> + if (data == NULL) {
> + ret_val = -ENOMEM;
> + goto list_failure;
> + }
> +
> + ret_val = nla_put_u8(ans_skb,
> + NLBL_MGMT_A_S0,
> + netlabel_mgmt_s0_flg);
> + if (ret_val != 0)
> + goto list_failure;
> +
> + genlmsg_end(ans_skb, data);
> + return genlmsg_reply(ans_skb, info);
> +
> +list_failure:
> + kfree_skb(ans_skb);
> + return ret_val;
> +}
> +
> /**
> * netlbl_mgmt_add - Handle an ADD message
> * @skb: the NETLINK buffer
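Review bot: In netlbl_mgmt_s0_get() a failed nlmsg_new() returns -EINVAL (ret_val's initial value) after jumping to list_failure and calling kfree_skb(NULL); return -ENOMEM directly there, as netlbl_mgmt_version() does, and rename the label, since this is not a list operation. In netlbl_mgmt_s0_set() a value outside 0/1 is rightly rejected with -EINVAL; a missing attribute gets the same code, which is acceptable, but keep the handler in sync if the range check moves into the policy. Both kernel-doc headers say "Handle an s0 mark message"; say GET and SET respectively.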
> @@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
> .doit = netlbl_mgmt_version,
> .dumpit = NULL,
> },
> + {
> + .cmd = NLBL_MGMT_C_S0_GET,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = 0,
> + .doit = netlbl_mgmt_s0_get,
> + .dumpit = NULL,
> + },
> + {
> + .cmd = NLBL_MGMT_C_S0_SET,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = GENL_ADMIN_PERM,
> + .doit = netlbl_mgmt_s0_set,
> + .dumpit = NULL,
> + },
> };
>
> static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
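Review bot: SET carries GENL_ADMIN_PERM (CAP_NET_ADMIN in the initial user namespace) and GET has `.flags = 0`, matching how the existing read-only commands in this table are exposed; that is the right split for a global knob. One consequence worth stating in the commit message: the flag is a single static, not per network namespace, so a container that has CAP_NET_ADMIN only in its own user namespace cannot change it, but whatever the host sets applies to every namespace's sockets.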
> @@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
> .module = THIS_MODULE,
> .small_ops = netlbl_mgmt_genl_ops,
> .n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
> - .resv_start_op = NLBL_MGMT_C_VERSION + 1,
> + .resv_start_op = NLBL_MGMT_C_S0_GET + 1,
> };
>
> /*
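Review bot: Do not raise .resv_start_op. Commands numbered at or above resv_start_op get their reserved header fields validated, and newly added commands are supposed to have that check; leaving it at `NLBL_MGMT_C_VERSION + 1` gives NLBL_MGMT_C_S0_SET and NLBL_MGMT_C_S0_GET, which are numbered above it, exactly that validation, whereas bumping it to `NLBL_MGMT_C_S0_GET + 1` exempts them.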
> @@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
> */
> int __init netlbl_mgmt_genl_init(void)
> {
> + struct netlbl_audit audit_info;
> +
> + /* set default s0 mark flag */
> + netlbl_mgmt_s0_update(1, &audit_info);
> +
> return genl_register_family(&netlbl_mgmt_gnl_family);
> }
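Review bot: audit_info is declared on the stack and passed to netlbl_mgmt_s0_update() uninitialised, so the audit record emitted at boot carries garbage loginuid/sessionid/secid fields and netlbl_audit_start_common() will try to resolve that secid. netlbl_unlabel_defconf() fills the struct (GLOBAL_ROOT_UID, session 0, the current secid) before its equivalent call; do the same here, or simply initialise the static to 1 at its definition and drop this call, since nothing is being changed at init time.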
> diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
> index db20dfbbd8c4..db53cd1c132c 100644
> --- a/net/netlabel/netlabel_mgmt.h
> +++ b/net/netlabel/netlabel_mgmt.h
> @@ -167,6 +167,8 @@ enum {
> NLBL_MGMT_C_LISTDEF,
> NLBL_MGMT_C_PROTOCOLS,
> NLBL_MGMT_C_VERSION,
> + NLBL_MGMT_C_S0_SET,
> + NLBL_MGMT_C_S0_GET,
> __NLBL_MGMT_C_MAX,
> };
>
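Review bot: Appending the two commands after NLBL_MGMT_C_VERSION keeps existing command numbers stable, which is right for a distro-local ABI, but any future upstream command will take these same values; if this is meant to stay in a vendor kernel, say in the header that the S0_SET/S0_GET numbers are ALT-specific so a later rebase does not silently change what user space talks to.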
> @@ -212,6 +214,9 @@ enum {
> NLBL_MGMT_A_CLPDOI,
> /* (NLA_U32)
> * the CALIPSO DOI value */
> + NLBL_MGMT_A_S0,
> + /* (NLA_U8)
> + * if true then S0 packets are not marked, else marked */
> __NLBL_MGMT_A_MAX,
> };
> #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
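Review bot: The attribute description is inverted relative to the code: the netlabel_kapi.c arms skip labelling when netlbl_mgmt_s0_flg() is 0 and label when it is 1 (the boot default), whereas this comment says "if true then S0 packets are not marked, else marked". Fix it, since this is the text a user-space tool author will read, and state the condition precisely: MLS level 0 with no categories. It also writes "S0" where the rest of the patch uses "s0".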
> @@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void);
> /* NetLabel configured protocol reference counter */
> extern atomic_t netlabel_mgmt_protocount;
>
> +/* Status of markup s0 packets flag. */
> +int netlbl_mgmt_s0_flg(void);
> +
> #endif
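Review bot: The prototype comment "Status of markup s0 packets flag." should say what the return value means (non-zero: level-0 traffic is labelled). The function returns int for a u8 and its name is one character away from the variable it reads; see the netlabel_mgmt.c remark. Being a trivial getter on a hot path, it belongs here as a static inline over an extern variable, the way netlabel_mgmt_protocount is already exposed just above.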
> --
> 2.50.1
Thread overview: 2 messages
2026-03-03 14:27 Anton Midyukov
2026-03-28 2:57 ` Vitaly Chikunov [this message]