xfrm security context support
In the Linux kernel, ipsec policy and SAs can include a
security context to support MAC networking. This feature
is often referred to as "labeled ipsec".
This patchset adds security context support into ip xfrm
such that a security context can be included when
add/delete/display SAs and policies with the ip command.
The user provides the security context when adding
SAs and policies. If a policy or SA contains a security
context, the changes allow the security context to be displayed.
For example,
ip xfrm state
src 10.1.1.6 dst 10.1.1.2
proto esp spi 0x00000301 reqid 0 mode transport
replay-window 0
auth hmac(digest_null) 0x3078
enc cbc(des3_ede) 0x6970763672656164796c6f676f33646573636263696e3031
security context root:system_r:unconfined_t:s0
Please let me know if all is ok with the patchset.
Thanks!!
regards,
Joy
Signed-off-by: Joy Latten <latten@austin.ibm.com>
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 9753822..cc4dc80 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -850,6 +850,20 @@
xfrm_lifetime_print(&xsinfo->lft, &xsinfo->curlft, fp, buf);
xfrm_stats_print(&xsinfo->stats, fp, buf);
}
+
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
+ }
+
}
void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -862,6 +876,20 @@
xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
+ if (tb[XFRMA_SEC_CTX]) {
+ struct xfrm_user_sec_ctx *sctx;
+
+ fprintf(fp, "\tsecurity context ");
+
+ if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
+ fprintf(fp, "(ERROR truncated)");
+
+ sctx = (struct xfrm_user_sec_ctx *)RTA_DATA(tb[XFRMA_SEC_CTX]);
+
+ fprintf(fp, "%s ", (char *)(sctx + 1));
+ fprintf(fp, "%s", _SL_);
+ }
+
if (prefix)
STRBUF_CAT(buf, prefix);
STRBUF_CAT(buf, "\t");