NetLabel Introduction

Paul Moore, paul.moore@hp.com

August 2, 2006

Overview

NetLabel is a mechanism which can be used by kernel security modules to attach security attributes to outgoing network packets generated from user space applications and read security attributes from incoming network packets. It is composed of three main components: the protocol engines, the communication layer, and the kernel security module API.

Protocol Engines

The protocol engines are responsible for both applying and retrieving the network packet's security attributes. If any translation between the network security attributes and those on the host is required, the protocol engine handles that as well. Other kernel subsystems should refrain from calling the protocol engines directly; instead they should use the NetLabel kernel security module API described below.

Detailed information about each NetLabel protocol engine can be found in this directory.

Communication Layer

The communication layer exists to allow NetLabel configuration and monitoring from user space. The NetLabel communication layer uses a message based protocol built on top of the Generic NETLINK transport mechanism. The exact formatting of these NetLabel messages as well as the Generic NETLINK family names can be found in the 'net/netlabel/' directory as comments in the header files as well as in 'include/net/netlabel.h'.
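Because the NetLabel families are registered with Generic NETLINK, the first thing any user space configuration or monitoring tool must do is resolve a family name to its numeric family ID through the Generic NETLINK controller (CTRL_CMD_GETFAMILY); only then can it send that family's own messages. The C program below is an added example and is not code from the NetLabel tree or from any NetLabel user space tool. It assumes the family name "NLBL_MGMT" for the management component (check 'include/net/netlabel.h' for the real names); the build_sample_reply() function constructs a reply the way the controller would answer so that the parser can be exercised without a kernel.

```c
/* Added example: resolve a Generic NETLINK family ID from user space.
 * Not part of NetLabel.  The family name "NLBL_MGMT" is an assumption;
 * the real NetLabel family names live in include/net/netlabel.h. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

/* Append one attribute (header, payload, alignment padding).  Returns the
 * next write position, or NULL if it would not fit before 'end'. */
static unsigned char *nla_put(unsigned char *pos, unsigned char *end,
                              uint16_t type, const void *data, size_t len)
{
    size_t total = NLA_ALIGN(NLA_HDRLEN + len);
    struct nlattr *nla = (struct nlattr *)pos;

    if ((size_t)(end - pos) < total)
        return NULL;
    memset(pos, 0, total);                     /* zero the padding too */
    nla->nla_len = (uint16_t)(NLA_HDRLEN + len); /* unpadded length, per ABI */
    nla->nla_type = type;
    memcpy(pos + NLA_HDRLEN, data, len);
    return pos + total;
}

/* Write nlmsghdr + genlmsghdr; returns where the attributes start. */
static unsigned char *genl_begin(unsigned char *buf, size_t buflen,
                                 uint16_t family, uint8_t cmd,
                                 uint16_t flags, uint32_t seq)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct genlmsghdr *gnlh;

    if (buflen < NLMSG_LENGTH(GENL_HDRLEN))
        return NULL;
    memset(buf, 0, NLMSG_LENGTH(GENL_HDRLEN));
    nlh->nlmsg_type = family;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;                        /* kernel fills in the port id */
    gnlh = (struct genlmsghdr *)NLMSG_DATA(nlh);
    gnlh->cmd = cmd;
    gnlh->version = 1;
    return buf + NLMSG_LENGTH(GENL_HDRLEN);
}

/* Fix up nlmsg_len once all attributes are in place; returns total length. */
static size_t genl_end(unsigned char *buf, unsigned char *pos)
{
    ((struct nlmsghdr *)buf)->nlmsg_len = (uint32_t)(pos - buf);
    return (size_t)(pos - buf);
}

/* CTRL_CMD_GETFAMILY request carrying the family name.  0 on overflow. */
size_t build_getfamily_request(unsigned char *buf, size_t buflen,
                               const char *name, uint32_t seq)
{
    unsigned char *pos = genl_begin(buf, buflen, GENL_ID_CTRL,
                                    CTRL_CMD_GETFAMILY, NLM_F_REQUEST, seq);
    if (!pos)
        return 0;
    pos = nla_put(pos, buf + buflen, CTRL_ATTR_FAMILY_NAME, name, strlen(name) + 1);
    return pos ? genl_end(buf, pos) : 0;
}

/* Constructed CTRL_CMD_NEWFAMILY reply shaped like the controller's answer,
 * so the parser can be tested offline.  Not a captured kernel message. */
size_t build_sample_reply(unsigned char *buf, size_t buflen,
                          const char *name, uint16_t id, uint32_t seq)
{
    unsigned char *pos = genl_begin(buf, buflen, GENL_ID_CTRL,
                                    CTRL_CMD_NEWFAMILY, 0, seq);
    if (!pos)
        return 0;
    pos = nla_put(pos, buf + buflen, CTRL_ATTR_FAMILY_NAME, name, strlen(name) + 1);
    if (pos)
        pos = nla_put(pos, buf + buflen, CTRL_ATTR_FAMILY_ID, &id, sizeof id);
    return pos ? genl_end(buf, pos) : 0;
}

/* Walk a receive buffer.  Returns the family id (> 0), 0 if no controller
 * message carried one, or the negative errno from an NLMSG_ERROR (a kernel
 * without the family answers -ENOENT).  Every attribute is bounds-checked
 * against nlmsg_len before it is read. */
int parse_family_id(const unsigned char *buf, size_t len)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    int remaining = (int)len;                  /* NLMSG_OK/NEXT take an int */

    for (; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
        if (nlh->nlmsg_type == NLMSG_ERROR) {
            const struct nlmsgerr *err = NLMSG_DATA(nlh);
            return err->error;                 /* 0 would be a plain ACK */
        }
        if (nlh->nlmsg_type != GENL_ID_CTRL)
            continue;
        const unsigned char *pos = (const unsigned char *)NLMSG_DATA(nlh) + GENL_HDRLEN;
        const unsigned char *end = (const unsigned char *)nlh + nlh->nlmsg_len;
        while (pos + NLA_HDRLEN <= end) {
            const struct nlattr *nla = (const struct nlattr *)pos;
            if (nla->nla_len < NLA_HDRLEN || pos + nla->nla_len > end)
                break;                         /* malformed: stop, do not overread */
            if ((nla->nla_type & NLA_TYPE_MASK) == CTRL_ATTR_FAMILY_ID &&
                nla->nla_len >= NLA_HDRLEN + sizeof(uint16_t)) {
                uint16_t id;
                memcpy(&id, pos + NLA_HDRLEN, sizeof id);
                return id;
            }
            pos += NLA_ALIGN(nla->nla_len);
        }
    }
    return 0;
}

/* Stand-alone use: ask the running kernel for the (assumed) NLBL_MGMT id. */
int main(void)
{
    unsigned char buf[4096];
    size_t len = build_getfamily_request(buf, sizeof buf, "NLBL_MGMT", 1);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    ssize_t n;
    int id;

    if (fd < 0 || len == 0) { perror("socket"); return 1; }
    if (send(fd, buf, len, 0) < 0) { perror("send"); close(fd); return 1; }
    n = recv(fd, buf, sizeof buf, 0);
    if (n < 0) { perror("recv"); close(fd); return 1; }
    id = parse_family_id(buf, (size_t)n);
    if (id > 0)
        printf("NLBL_MGMT family id: %d\n", id);
    else
        printf("NLBL_MGMT unavailable: %s\n", id < 0 ? strerror(-id) : "no id in reply");
    close(fd);
    return id > 0 ? 0 : 1;
}
```

The family ID is not stable across boots or kernels, which is why it is looked up by name rather than hard coded; once it is known, every NetLabel message is sent with that value in nlmsg_type and the NetLabel command in the genlmsghdr. The bounds checks in parse_family_id() are the part worth copying: attribute walkers that trust nla_len without checking it against nlmsg_len read past the message on a malformed reply.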

Security Module API

The purpose of the NetLabel security module API is to provide a protocol independent interface to the underlying NetLabel protocol engines. In addition to protocol independence, the security module API is designed to be completely LSM independent, which should allow multiple LSMs to leverage the same code base.

Detailed information about the NetLabel security module API can be found in the 'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file found in this directory.