calipso: Allow the lsm to label the skbuff directly.
In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour. This allows selinux to label the skbuffs that it requires.
Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index a2408c3..e0e4ce8 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -231,6 +231,10 @@
* @sock_delattr: remove the socket's attr
* @req_setattr: set the req socket's attr
* @req_delattr: remove the req socket's attr
+ * @opt_getattr: retrieve attr from memory block
+ * @skbuff_optptr: find option in packet
+ * @skbuff_setattr: set the skbuff's attr
+ * @skbuff_delattr: remove the skbuff's attr
*
* Description:
* This structure is filled out by the CALIPSO engine and passed
@@ -258,6 +262,13 @@
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
void (*req_delattr)(struct request_sock *req);
+ int (*opt_getattr)(const unsigned char *calipso,
+ struct netlbl_lsm_secattr *secattr);
+ unsigned char *(*skbuff_optptr)(const struct sk_buff *skb);
+ int (*skbuff_setattr)(struct sk_buff *skb,
+ const struct calipso_doi *doi_def,
+ const struct netlbl_lsm_secattr *secattr);
+ int (*skbuff_delattr)(struct sk_buff *skb);
};
/*