From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Sat, 28 Mar 2026 05:57:48 +0300 From: Vitaly Chikunov To: ALT Linux kernel packages development Message-ID: References: <20260303142712.79380-1-antohami@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20260303142712.79380-1-antohami@altlinux.org> Subject: Re: [d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Mar 2026 02:57:48 -0000 Archived-At: List-Archive: List-Post:
On Tue, Mar 03, 2026 at 05:27:12PM +0300, Anton Midyukov wrote:
> This is an adaptation of the original patch by Andriy Stepanov stanv@.
> Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef
> Link: https://www.altlinux.org/Sl#ALT_Linux
> Signed-off-by: Anton Midyukov
Applied, thanks
>
> ---
> net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++
> net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++-
> net/netlabel/netlabel_mgmt.h | 8 +++
> 3 files changed, 256 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 33b77084a4e5..99bd464399fe 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk,
> ret_val = -EDESTADDRREQ;
> break;
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_sock_setattr(sk,
> dom_entry->def.cipso,
> secattr, sk_locked);
> @@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk,
> ret_val = -EDESTADDRREQ;
> break;
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_sock_setattr(sk,
> dom_entry->def.calipso,
> secattr);
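Review bot: The skip branch added to netlbl_sock_setattr() returns 0 without touching whatever CIPSO or CALIPSO option the socket already carries, whereas the netlbl_conn_setattr(), netlbl_req_setattr() and netlbl_skbuff_setattr() hunks call the matching *_delattr() before returning; if any caller can re-label a socket that already holds a non-s0 option, the old label survives once the flag is cleared — confirm that cannot happen, or mirror the delattr here. The same four-line predicate is pasted verbatim into all eight hunks of netlabel_kapi.c; a single helper such as `static bool netlbl_secattr_is_s0(const struct netlbl_lsm_secattr *secattr)` in this file, used as `if (!netlbl_mgmt_s0_flg() && netlbl_secattr_is_s0(secattr))`, would keep the eight sites from drifting apart and make the policy reviewable in one place. The enclosing switch statements and both netlbl_sock_setattr() bodies continue outside the hunk.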
> @@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + cipso_v4_sock_delattr(sk);
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_sock_setattr(sk,
> entry->cipso, secattr,
> netlbl_sk_lock_check(sk));
> @@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + calipso_sock_delattr(sk);
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_sock_setattr(sk,
> entry->calipso, secattr);
> break;
> @@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + cipso_v4_req_delattr(req);
> + ret_val = 0;
> + break;
> + }
> ret_val = cipso_v4_req_setattr(req,
> entry->cipso, secattr);
> break;
> @@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * If 'map' command doesn't have specified 'address' and 'domain'
> + * then netlabel takes 'default' rule.
> + * Default rule is to mark packets corresponding to socket IP option.
> + * Socket has IP option. Linux's network subsystem automatically assigns
> + * for any packets socket's IP option.
> + */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + calipso_req_delattr(req);
> + ret_val = 0;
> + break;
> + }
> ret_val = calipso_req_setattr(req,
> entry->calipso, secattr);
> break;
> @@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CIPSOV4:
> + /* Our target is skipping marking packets with s0.
> + * We can't change function netlbl_domhsh_getentry_af4,
> + * due it is used in other places. Thus, let's place code
> + * just right here. */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + ret_val = cipso_v4_skbuff_delattr(skb);
> + break;
> + }
> ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
> secattr);
> break;
> @@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
> }
> switch (entry->type) {
> case NETLBL_NLTYPE_CALIPSO:
> + /* Our target is skipping marking packets with s0.
> + * We can't change function netlbl_domhsh_getentry_af4,
> + * due it is used in other places. Thus, let's place code
> + * just right here. */
> + if (!netlbl_mgmt_s0_flg()
> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
> + && secattr->attr.mls.lvl == 0) {
> + /* just delete the protocols we support for right now
> + * but we could remove other protocols if needed */
> + ret_val = calipso_skbuff_delattr(skb);
> + break;
> + }
> ret_val = calipso_skbuff_setattr(skb, entry->calipso,
> secattr);
> break;
> diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
> index 689eaa2afbec..8ddd9314a496 100644
> --- a/net/netlabel/netlabel_mgmt.c
> +++ b/net/netlabel/netlabel_mgmt.c
> @@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg {
> u32 seq;
> };
>
> +/* Accept unlabeled packets flag */
> +static u8 netlabel_mgmt_s0_flg = 0;
> +
> /* NetLabel Generic NETLINK CIPSOv4 family */
> static struct genl_family netlbl_mgmt_gnl_family;
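Review bot: The comment `/* Accept unlabeled packets flag */` above the new `netlabel_mgmt_s0_flg` describes the unlabeled-traffic accept flag, not this one; from the netlabel_kapi.c checks, a zero value makes NetLabel skip or strip the label on traffic whose secattr carries MLS level 0 and no categories, and a non-zero value keeps labeling it as before. Suggested comment: `/* Non-zero: label s0 (MLS level 0, no categories) traffic as usual; zero: send it unlabeled */`. The CALIPSO hunk in netlbl_skbuff_setattr() also repeats the IPv4 comment naming netlbl_domhsh_getentry_af4, although the IPv6 path presumably goes through the af6 lookup, so the comment should be fixed or dropped there. Both netlbl_skbuff_setattr() switch bodies continue outside the hunk.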
>
> @@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
> [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
> [NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
> [NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
> + [NLBL_MGMT_A_S0] = { .type = NLA_U8 },
> };
>
> /*
> * Helper Functions
> */
>
> +/**
> + * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag
> + */
> +int netlbl_mgmt_s0_flg(void)
> +{
> + return netlabel_mgmt_s0_flg;
> +}
> +
> +/**
> + * netlbl_mgmt_s0_update - Set the s0 mark flag
> + * @value: desired value
> + * @audit_info: NetLabel audit information
> + *
> + * Description:
> + * Set the value of the s0 mark flag to @value.
> + *
> + */
> +static void netlbl_mgmt_s0_update(u8 value,
> + struct netlbl_audit *audit_info)
> +{
> + struct audit_buffer *audit_buf;
> + u8 old_val;
> +
> + old_val = netlabel_mgmt_s0_flg;
> + netlabel_mgmt_s0_flg = value;
> + // XXX: change type
> + audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
> + audit_info);
> + if (audit_buf != NULL) {
> + audit_log_format(audit_buf,
> + " mark_s0=%u old=%u", value, old_val);
> + audit_log_end(audit_buf);
> + }
> +}
> +
> /**
> * netlbl_mgmt_add_common - Handle an ADD message
> * @info: the Generic NETLINK info block
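Review bot: netlabel_mgmt_s0_flg is a plain u8 that netlbl_mgmt_s0_flg() reads on the socket and skb labeling paths while netlbl_mgmt_s0_update() writes it from netlink context with no annotation, so the read and the write race; use `return READ_ONCE(netlabel_mgmt_s0_flg);` in the getter and `WRITE_ONCE(netlabel_mgmt_s0_flg, value);` in the update, or make it an atomic_t like netlabel_mgmt_protocount. The update also logs under AUDIT_MAC_UNLBL_ALLOW, as the `// XXX: change type` note admits, so consumers parsing that record type will meet an unexpected `mark_s0=` field; a dedicated audit record type, or at least a kernel-doc sentence on netlbl_mgmt_s0_update() stating that the type is borrowed, should land with the feature rather than after it. Finally, the function netlbl_mgmt_s0_flg() and the variable netlabel_mgmt_s0_flg differ by one letter, which reads like a typo; renaming the variable to something like netlabel_mgmt_s0_mark would remove the ambiguity.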
> @@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
> * NetLabel Command Handlers
> */
>
> +/**
> + * netlbl_mgmt_s0_set - Handle an s0 mark message
> + * @skb: the NETLINK buffer
> + * @info: the Generic NETLINK info block
> + *
> + * Description:
> + * Process a user generated s0 mark message and set the accept flag accordingly.
> + * Returns zero on success, negative values on failure.
> + *
> + */
> +static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info)
> +{
> + u8 value;
> + struct netlbl_audit audit_info;
> +
> + if (info->attrs[NLBL_MGMT_A_S0]) {
> + value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]);
> + if (value == 1 || value == 0) {
> + netlbl_netlink_auditinfo(&audit_info);
> + netlbl_mgmt_s0_update(value, &audit_info);
> + return 0;
> + }
> + }
> +
> + return -EINVAL;
> +}
> +
> +/**
> + * netlbl_mgmt_s0_get - Handle an s0 mark message
> + * @skb: the NETLINK buffer
> + * @info: the Generic NETLINK info block
> + *
> + * Description:
> + * Process a user generated s0 mark message and respond with the current status.
> + * Returns zero on success, negative values on failure.
> + *
> + */
> +static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info)
> +{
> + int ret_val = -EINVAL;
> + struct sk_buff *ans_skb;
> + void *data;
> +
> + ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> + if (ans_skb == NULL)
> + goto list_failure;
> + data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
> + 0, NLBL_MGMT_C_S0_GET);
> + if (data == NULL) {
> + ret_val = -ENOMEM;
> + goto list_failure;
> + }
> +
> + ret_val = nla_put_u8(ans_skb,
> + NLBL_MGMT_A_S0,
> + netlabel_mgmt_s0_flg);
> + if (ret_val != 0)
> + goto list_failure;
> +
> + genlmsg_end(ans_skb, data);
> + return genlmsg_reply(ans_skb, info);
> +
> +list_failure:
> + kfree_skb(ans_skb);
> + return ret_val;
> +}
> +
> /**
> * netlbl_mgmt_add - Handle an ADD message
> * @skb: the NETLINK buffer
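Review bot: netlbl_mgmt_s0_get() initializes ret_val to -EINVAL and jumps to list_failure when nlmsg_new() returns NULL, so an allocation failure is reported to userspace as an invalid request; `if (ans_skb == NULL) return -ENOMEM;` matches the -ENOMEM already used for the genlmsg_put_reply() failure a few lines below. The kernel-doc for netlbl_mgmt_s0_set() says it sets "the accept flag", wording that looks carried over from the unlabeled accept handler; suggest `Process a user generated s0 mark message and set the s0 mark flag accordingly.` The label name list_failure likewise looks inherited from a list handler and could simply be `failure`, since nothing here is listed.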
> @@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
> .doit = netlbl_mgmt_version,
> .dumpit = NULL,
> },
> + {
> + .cmd = NLBL_MGMT_C_S0_GET,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = 0,
> + .doit = netlbl_mgmt_s0_get,
> + .dumpit = NULL,
> + },
> + {
> + .cmd = NLBL_MGMT_C_S0_SET,
> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> + .flags = GENL_ADMIN_PERM,
> + .doit = netlbl_mgmt_s0_set,
> + .dumpit = NULL,
> + },
> };
>
> static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
> @@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
> .module = THIS_MODULE,
> .small_ops = netlbl_mgmt_genl_ops,
> .n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
> - .resv_start_op = NLBL_MGMT_C_VERSION + 1,
> + .resv_start_op = NLBL_MGMT_C_S0_GET + 1,
> };
>
> /*
> @@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
> */
> int __init netlbl_mgmt_genl_init(void)
> {
> + struct netlbl_audit audit_info;
> +
> + /* set default s0 mark flag */
> + netlbl_mgmt_s0_update(1, &audit_info);
> +
> return genl_register_family(&netlbl_mgmt_gnl_family);
> }
> diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
> index db20dfbbd8c4..db53cd1c132c 100644
> --- a/net/netlabel/netlabel_mgmt.h
> +++ b/net/netlabel/netlabel_mgmt.h
> @@ -167,6 +167,8 @@ enum {
> NLBL_MGMT_C_LISTDEF,
> NLBL_MGMT_C_PROTOCOLS,
> NLBL_MGMT_C_VERSION,
> + NLBL_MGMT_C_S0_SET,
> + NLBL_MGMT_C_S0_GET,
> __NLBL_MGMT_C_MAX,
> };
>
> @@ -212,6 +214,9 @@ enum {
> NLBL_MGMT_A_CLPDOI,
> /* (NLA_U32)
> * the CALIPSO DOI value */
> + NLBL_MGMT_A_S0,
> + /* (NLA_U8)
> + * if true then S0 packets are not marked, else marked */
> __NLBL_MGMT_A_MAX,
> };
> #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
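Review bot: netlbl_mgmt_genl_init() passes an uninitialized `struct netlbl_audit audit_info` to netlbl_mgmt_s0_update(), which hands it straight to netlbl_audit_start_common(), so the boot-time audit record is built from whatever happens to be on the stack in its secid, loginuid and sessionid fields. The simplest fix is to drop the call and set the default where the variable is defined, `static u8 netlabel_mgmt_s0_flg = 1;`, since auditing a compiled-in default adds nothing; if a record is wanted anyway, fill the fields first the way netlbl_unlabel_defconf() does for the unlabeled accept flag. Separately, the uAPI comment on NLBL_MGMT_A_S0, `if true then S0 packets are not marked, else marked`, is the inverse of the netlabel_kapi.c checks, where a zero flag is what skips marking; suggest `if non-zero (the default) S0 packets are labeled as usual, if zero they are sent unlabeled`, because userspace tooling will be written from this comment. The genl_small_ops array and netlbl_mgmt_genl_init() begin before the hunk.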
> @@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void);
> /* NetLabel configured protocol reference counter */
> extern atomic_t netlabel_mgmt_protocount;
>
> +/* Status of markup s0 packets flag. */
> +int netlbl_mgmt_s0_flg(void);
> +
> #endif
> --
> 2.50.1
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel