[d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem
Anton Midyukov
antohami на altlinux.org
Ср Май 13 15:07:25 MSK 2026
28.03.2026 05:57, Vitaly Chikunov пишет:
> On Tue, Mar 03, 2026 at 05:27:12PM +0300, Anton Midyukov wrote:
>> This is an adaptation of the original patch by Andriy Stepanov stanv на .
>> Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef
>> Link: https://www.altlinux.org/Sl#ALT_Linux
>> Signed-off-by: Anton Midyukov <antohami на altlinux.org>
>
> Applied, thanks
>
Добрый день
Можете применить и для ядра 6.18?
>>
>> ---
>> net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++
>> net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++-
>> net/netlabel/netlabel_mgmt.h | 8 +++
>> 3 files changed, 256 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
>> index 33b77084a4e5..99bd464399fe 100644
>> --- a/net/netlabel/netlabel_kapi.c
>> +++ b/net/netlabel/netlabel_kapi.c
>> @@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk,
>> ret_val = -EDESTADDRREQ;
>> break;
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_sock_setattr(sk,
>> dom_entry->def.cipso,
>> secattr, sk_locked);
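Review bot: The s0 guard in front of cipso_v4_sock_setattr() returns 0 without touching the socket, so if the socket already carries a CIPSO option from an earlier labeling (for instance after the flag was toggled at runtime) the stale label stays on the wire, whereas the netlbl_conn_setattr hunks call the matching *_delattr() first; either add `cipso_v4_sock_delattr(sk);` here (and the CALIPSO equivalent in the next hunk) or document why a freshly created socket is assumed. The same four-line condition is repeated verbatim in the CALIPSO case below and in the netlbl_conn_setattr, netlbl_req_setattr and netlbl_skbuff_setattr hunks, each with its own copy of the seven-line `'map' command` comment; folding it into one helper keeps the explanation in one place and parenthesizes the `&` operands, which are currently relying on precedence. netlbl_sock_setattr() starts and ends outside the hunk.
```c
/* True when @secattr is plain "s0" (MLS level 0, no categories) and the
 * administrator disabled labeling such traffic via NLBL_MGMT_C_S0_SET. */
static inline bool netlbl_secattr_skip_s0(const struct netlbl_lsm_secattr *secattr)
{
	return !netlbl_mgmt_s0_flg() &&
	       (secattr->flags & NETLBL_SECATTR_MLS_LVL) &&
	       !(secattr->flags & NETLBL_SECATTR_MLS_CAT) &&
	       secattr->attr.mls.lvl == 0;
}

	/* … unchanged: netlbl_sock_setattr() up to the CIPSOv4 case … */
	case NETLBL_NLTYPE_CIPSOV4:
		if (netlbl_secattr_skip_s0(secattr)) {
			ret_val = 0;
			break;
		}
```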
>> @@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk,
>> ret_val = -EDESTADDRREQ;
>> break;
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_sock_setattr(sk,
>> dom_entry->def.calipso,
>> secattr);
>> @@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + cipso_v4_sock_delattr(sk);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_sock_setattr(sk,
>> entry->cipso, secattr,
>> netlbl_sk_lock_check(sk));
>> @@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + calipso_sock_delattr(sk);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_sock_setattr(sk,
>> entry->calipso, secattr);
>> break;
>> @@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + cipso_v4_req_delattr(req);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = cipso_v4_req_setattr(req,
>> entry->cipso, secattr);
>> break;
>> @@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * If 'map' command doesn't have specified 'address' and 'domain'
>> + * then netlabel takes 'default' rule.
>> + * Default rule is to mark packets corresponding to socket IP option.
>> + * Socket has IP option. Linux's network subsystem automatically assigns
>> + * for any packets socket's IP option.
>> + */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + calipso_req_delattr(req);
>> + ret_val = 0;
>> + break;
>> + }
>> ret_val = calipso_req_setattr(req,
>> entry->calipso, secattr);
>> break;
>> @@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CIPSOV4:
>> + /* Our target is skipping marking packets with s0.
>> + * We can't change function netlbl_domhsh_getentry_af4,
>> + * due it is used in other places. Thus, let's place code
>> + * just right here. */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + ret_val = cipso_v4_skbuff_delattr(skb);
>> + break;
>> + }
>> ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
>> secattr);
>> break;
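Review bot: The comment above the guard names netlbl_domhsh_getentry_af4 in this CIPSOv4 case and, copied unchanged, in the CALIPSO case of the next hunk, where the lookup that matters is the IPv6 one (netlbl_domhsh_getentry_af6 upstream); fix the name there or reduce the text to the one sentence that holds for both. Unlike the sock and request_sock sites, here `ret_val = cipso_v4_skbuff_delattr(skb);` propagates the delattr result instead of forcing 0, which is right because the skbuff variant returns an error code; a one-line comment `/* unlike the sock/req delattr helpers, the skbuff one can fail */` would explain why this site differs. netlbl_skbuff_setattr() continues outside the hunk.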
>> @@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
>> }
>> switch (entry->type) {
>> case NETLBL_NLTYPE_CALIPSO:
>> + /* Our target is skipping marking packets with s0.
>> + * We can't change function netlbl_domhsh_getentry_af4,
>> + * due it is used in other places. Thus, let's place code
>> + * just right here. */
>> + if (!netlbl_mgmt_s0_flg()
>> + && secattr->flags & NETLBL_SECATTR_MLS_LVL
>> + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT)
>> + && secattr->attr.mls.lvl == 0) {
>> + /* just delete the protocols we support for right now
>> + * but we could remove other protocols if needed */
>> + ret_val = calipso_skbuff_delattr(skb);
>> + break;
>> + }
>> ret_val = calipso_skbuff_setattr(skb, entry->calipso,
>> secattr);
>> break;
>> diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
>> index 689eaa2afbec..8ddd9314a496 100644
>> --- a/net/netlabel/netlabel_mgmt.c
>> +++ b/net/netlabel/netlabel_mgmt.c
>> @@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg {
>> u32 seq;
>> };
>>
>> +/* Accept unlabeled packets flag */
>> +static u8 netlabel_mgmt_s0_flg = 0;
>> +
>> /* NetLabel Generic NETLINK CIPSOv4 family */
>> static struct genl_family netlbl_mgmt_gnl_family;
>>
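Review bot: The comment `/* Accept unlabeled packets flag */` describes netlabel_unlabel's accept flag, not this variable, and the `= 0` initializer is both redundant for a static and the opposite of the default netlbl_mgmt_genl_init() sets later, so any path reaching netlbl_mgmt_s0_flg() before that init sees "do not label s0". Suggest `/* Label s0 traffic (MLS level 0, no categories) on the wire: 1 = label (upstream behaviour), 0 = skip */` and `static u8 netlabel_mgmt_s0_flg = 1;` so the compiled-in default matches the documented one.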
>> @@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
>> [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
>> [NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
>> [NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
>> + [NLBL_MGMT_A_S0] = { .type = NLA_U8 },
>> };
>>
>> /*
>> * Helper Functions
>> */
>>
>> +/**
>> + * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag
>> + */
>> +int netlbl_mgmt_s0_flg(void)
>> +{
>> + return netlabel_mgmt_s0_flg;
>> +}
>> +
>> +/**
>> + * netlbl_mgmt_s0_update - Set the s0 mark flag
>> + * @value: desired value
>> + * @audit_info: NetLabel audit information
>> + *
>> + * Description:
>> + * Set the value of the s0 mark flag to @value.
>> + *
>> + */
>> +static void netlbl_mgmt_s0_update(u8 value,
>> + struct netlbl_audit *audit_info)
>> +{
>> + struct audit_buffer *audit_buf;
>> + u8 old_val;
>> +
>> + old_val = netlabel_mgmt_s0_flg;
>> + netlabel_mgmt_s0_flg = value;
>> + // XXX: change type
>> + audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
>> + audit_info);
>> + if (audit_buf != NULL) {
>> + audit_log_format(audit_buf,
>> + " mark_s0=%u old=%u", value, old_val);
>> + audit_log_end(audit_buf);
>> + }
>> +}
>> +
>> /**
>> * netlbl_mgmt_add_common - Handle an ADD message
>> * @info: the Generic NETLINK info block
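Review bot: netlabel_mgmt_s0_flg is stored from the netlink handler and loaded on every setattr path with plain accesses and no lock, so the read in netlbl_mgmt_s0_flg() and the store in netlbl_mgmt_s0_update() form a data race that KCSAN will report; use `return READ_ONCE(netlabel_mgmt_s0_flg);` and `WRITE_ONCE(netlabel_mgmt_s0_flg, value);`. The `// XXX: change type` is a real open item: the record goes out as AUDIT_MAC_UNLBL_ALLOW, so audit consumers keyed on that type will file s0 changes as unlabeled-accept changes and meet an unexpected `mark_s0=` field; allocate a dedicated record type or, failing that, state the reuse in the kerneldoc of netlbl_mgmt_s0_update(). The getter netlbl_mgmt_s0_flg() and the variable netlabel_mgmt_s0_flg differ only by "bel", which invites misreads; a name such as netlbl_mgmt_s0_enabled() for the function would separate them.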
>> @@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
>> * NetLabel Command Handlers
>> */
>>
>> +/**
>> + * netlbl_mgmt_s0_set - Handle an s0 mark message
>> + * @skb: the NETLINK buffer
>> + * @info: the Generic NETLINK info block
>> + *
>> + * Description:
>> + * Process a user generated s0 mark message and set the accept flag accordingly.
>> + * Returns zero on success, negative values on failure.
>> + *
>> + */
>> +static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info)
>> +{
>> + u8 value;
>> + struct netlbl_audit audit_info;
>> +
>> + if (info->attrs[NLBL_MGMT_A_S0]) {
>> + value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]);
>> + if (value == 1 || value == 0) {
>> + netlbl_netlink_auditinfo(&audit_info);
>> + netlbl_mgmt_s0_update(value, &audit_info);
>> + return 0;
>> + }
>> + }
>> +
>> + return -EINVAL;
>> +}
>> +
>> +/**
>> + * netlbl_mgmt_s0_get - Handle an s0 mark message
>> + * @skb: the NETLINK buffer
>> + * @info: the Generic NETLINK info block
>> + *
>> + * Description:
>> + * Process a user generated s0 mark message and respond with the current status.
>> + * Returns zero on success, negative values on failure.
>> + *
>> + */
>> +static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info)
>> +{
>> + int ret_val = -EINVAL;
>> + struct sk_buff *ans_skb;
>> + void *data;
>> +
>> + ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
>> + if (ans_skb == NULL)
>> + goto list_failure;
>> + data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
>> + 0, NLBL_MGMT_C_S0_GET);
>> + if (data == NULL) {
>> + ret_val = -ENOMEM;
>> + goto list_failure;
>> + }
>> +
>> + ret_val = nla_put_u8(ans_skb,
>> + NLBL_MGMT_A_S0,
>> + netlabel_mgmt_s0_flg);
>> + if (ret_val != 0)
>> + goto list_failure;
>> +
>> + genlmsg_end(ans_skb, data);
>> + return genlmsg_reply(ans_skb, info);
>> +
>> +list_failure:
>> + kfree_skb(ans_skb);
>> + return ret_val;
>> +}
>> +
>> /**
>> * netlbl_mgmt_add - Handle an ADD message
>> * @skb: the NETLINK buffer
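Review bot: In netlbl_mgmt_s0_get() a failed nlmsg_new() jumps to list_failure with ret_val still -EINVAL, so an allocation failure is reported to userspace as a malformed request; initialize `int ret_val = -ENOMEM;` as netlbl_mgmt_version() does, after which the explicit `ret_val = -ENOMEM;` in the genlmsg_put_reply() branch is redundant. The kerneldoc of netlbl_mgmt_s0_set() says it sets "the accept flag", wording carried over from the unlabeled handler; say "set the s0 labeling flag" and, for netlbl_mgmt_s0_get(), "respond with the current s0 labeling flag" so the two descriptions differ from each other.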
>> @@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
>> .doit = netlbl_mgmt_version,
>> .dumpit = NULL,
>> },
>> + {
>> + .cmd = NLBL_MGMT_C_S0_GET,
>> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
>> + .flags = 0,
>> + .doit = netlbl_mgmt_s0_get,
>> + .dumpit = NULL,
>> + },
>> + {
>> + .cmd = NLBL_MGMT_C_S0_SET,
>> + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
>> + .flags = GENL_ADMIN_PERM,
>> + .doit = netlbl_mgmt_s0_set,
>> + .dumpit = NULL,
>> + },
>> };
>>
>> static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> @@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> .module = THIS_MODULE,
>> .small_ops = netlbl_mgmt_genl_ops,
>> .n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
>> - .resv_start_op = NLBL_MGMT_C_VERSION + 1,
>> + .resv_start_op = NLBL_MGMT_C_S0_GET + 1,
>> };
>>
>> /*
>> @@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
>> */
>> int __init netlbl_mgmt_genl_init(void)
>> {
>> + struct netlbl_audit audit_info;
>> +
>> + /* set default s0 mark flag */
>> + netlbl_mgmt_s0_update(1, &audit_info);
>> +
>> return genl_register_family(&netlbl_mgmt_gnl_family);
>> }
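Review bot: `audit_info` in netlbl_mgmt_genl_init() is passed to netlbl_mgmt_s0_update() uninitialized, so netlbl_audit_start_common() reads whatever stack bytes sit in its fields and emits a boot-time audit record attributed to a garbage uid/session. Since no user action is being recorded here, set the default without the audit helper: replace the three added statements with `netlabel_mgmt_s0_flg = 1;` (or give the static its default at its definition and drop this code altogether); if a record is wanted at init, fill the struct explicitly, as the boot-time default path in netlabel_unlabel.c presumably does.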
>> diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
>> index db20dfbbd8c4..db53cd1c132c 100644
>> --- a/net/netlabel/netlabel_mgmt.h
>> +++ b/net/netlabel/netlabel_mgmt.h
>> @@ -167,6 +167,8 @@ enum {
>> NLBL_MGMT_C_LISTDEF,
>> NLBL_MGMT_C_PROTOCOLS,
>> NLBL_MGMT_C_VERSION,
>> + NLBL_MGMT_C_S0_SET,
>> + NLBL_MGMT_C_S0_GET,
>> __NLBL_MGMT_C_MAX,
>> };
>>
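Review bot: NLBL_MGMT_C_S0_SET and NLBL_MGMT_C_S0_GET take the next two values after NLBL_MGMT_C_VERSION, which are exactly the values any future upstream NetLabel command would receive, so userspace built against this header (the netlabel_tools copy of the enum, presumably) would silently issue a different command on a kernel without this patch, and a newer upstream kernel could interpret an S0 request as something else. At minimum, mark them in the enum, e.g. `/* ALT Linux extension, not upstream: values may collide with future commands */`, so the ABI risk is visible to whoever rebases this patch.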
>> @@ -212,6 +214,9 @@ enum {
>> NLBL_MGMT_A_CLPDOI,
>> /* (NLA_U32)
>> * the CALIPSO DOI value */
>> + NLBL_MGMT_A_S0,
>> + /* (NLA_U8)
>> + * if true then S0 packets are not marked, else marked */
>> __NLBL_MGMT_A_MAX,
>> };
>> #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
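Review bot: The attribute comment `if true then S0 packets are not marked, else marked` is inverted relative to the checks in netlabel_kapi.c, which skip labeling only when `!netlbl_mgmt_s0_flg()`, i.e. value 1 (the boot-time default) means s0 traffic IS labeled. Suggest `/* (NLA_U8)` / ` * non-zero: label s0 (MLS level 0, no categories) traffic; zero: send it unlabeled */` so tooling authors do not set the flag backwards.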
>> @@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void);
>> /* NetLabel configured protocol reference counter */
>> extern atomic_t netlabel_mgmt_protocount;
>>
>> +/* Status of markup s0 packets flag. */
>> +int netlbl_mgmt_s0_flg(void);
>> +
>> #endif
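Review bot: The comment `Status of markup s0 packets flag.` does not say what the return value means; suggest `/* Non-zero when s0 (MLS level 0, no categories) traffic is labeled on the wire; zero when the netlbl_*_setattr() paths leave it unlabeled. */`. The getter returns int for a u8 flag that every caller tests in boolean context; returning `bool` would document that contract, though keeping int is harmless.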
>> --
>> 2.50.1
>>
--
best regards, Anton Midyukov <antohami на altlinux.org>