diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2022-05-03 23:43:00 +0300 |
|---|---|---|
| committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2022-06-06 18:24:10 +0000 |
| commit | 3cf63830acdef9d8afdc9ef1cf25aa7e85a5e4d5 (patch) | |
| tree | da068c2af170caaba91e6163fdf18a5e21e1fc60 /src/basic/missing_network.h | |
| parent | cc9e3a55d3d3558c309b1ebbde0f2cc26d69ee54 (diff) | |
| download | systemd-3cf63830acdef9d8afdc9ef1cf25aa7e85a5e4d5.tar.gz | |
networkd: NetLabel integration
New directive `NetLabel=` provides a method for integrating dynamic network
configuration into Linux NetLabel subsystem rules, used by Linux security
modules (LSMs) for network access control. The option expects a whitespace
separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.
Example:
```
[DHCP]
NetLabel=system_u:object_r:localnet_peer_t:s0
```
With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.0/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation
```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```
Result:
```
$ sudo netlabelctl -p unlbl list
...
interface: eth0
address: 10.0.0.0/8
label: "system_u:object_r:localnet_peer_t:s0"
...
```
Diffstat (limited to 'src/basic/missing_network.h')
| -rw-r--r-- | src/basic/missing_network.h | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/basic/missing_network.h b/src/basic/missing_network.h index 6e71b26afd..776c7c8375 100644 --- a/src/basic/missing_network.h +++ b/src/basic/missing_network.h @@ -49,3 +49,35 @@ #ifndef IEEE80211_MAX_SSID_LEN #define IEEE80211_MAX_SSID_LEN 32 #endif + +/* Not exposed but defined in include/net/netlabel.h */ +#ifndef NETLBL_NLTYPE_UNLABELED_NAME +#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL" +#endif + +/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */ +enum { + NLBL_UNLABEL_C_UNSPEC, + NLBL_UNLABEL_C_ACCEPT, + NLBL_UNLABEL_C_LIST, + NLBL_UNLABEL_C_STATICADD, + NLBL_UNLABEL_C_STATICREMOVE, + NLBL_UNLABEL_C_STATICLIST, + NLBL_UNLABEL_C_STATICADDDEF, + NLBL_UNLABEL_C_STATICREMOVEDEF, + NLBL_UNLABEL_C_STATICLISTDEF, + __NLBL_UNLABEL_C_MAX, +}; + +/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */ +enum { + NLBL_UNLABEL_A_UNSPEC, + NLBL_UNLABEL_A_ACPTFLG, + NLBL_UNLABEL_A_IPV6ADDR, + NLBL_UNLABEL_A_IPV6MASK, + NLBL_UNLABEL_A_IPV4ADDR, + NLBL_UNLABEL_A_IPV4MASK, + NLBL_UNLABEL_A_IFACE, + NLBL_UNLABEL_A_SECCTX, + __NLBL_UNLABEL_A_MAX, +}; |