The SELinux network device hook function implementations manage the security fields of network device structures (struct net_device). At present, LSM only provides a single hook function that is called when a network device is unregistered. The LSM project decided that it would be too invasive to provide hooks in all locations where network devices were probed or initialized. Hence, security modules are expected to allocate and initialize the security field on the first access to the device. This section describes the network device hook and helper functions.
The netdev_security_struct structure contains security information for network devices. This structure is defined as follows:

```c
struct netdev_security_struct {
    unsigned long magic;
    struct net_device *dev;
    struct list_head list;
    security_id_t sid;
    security_id_t default_msg_sid;
    avc_entry_ref_t avcr;
};
```
Table 41. netdev_security_struct

| Field | Description |
|---|---|
| magic | Module id for the SELinux module. |
| dev | Back pointer to the associated network device. |
| list | Pointer used to maintain the list of allocated network device security structures. |
| sid | SID for the network device. |
| default_msg_sid | SID used for unlabeled messages received on this network device. |
| avcr | AVC entry reference. |
The netdev_alloc_security and netdev_free_security helper functions are the primitive allocation functions for network device security structures. These functions perform the usual processing for allocating and freeing security structures.
The precondition helper function is the precondition function for network device security structures. If the network device security structure is not already allocated, this function calls netdev_alloc_security to allocate one. It then calls the security_netif_sid interface of the security server to obtain a device SID and a default packet SID for the network device. The default packet SID is used for incoming packets received on the network device unless a packet labeling mechanism was used. This precondition function is called by the IPv4 networking hook functions prior to accessing the network device security structure.
This hook function is called when a network device is unregistered. It calls netdev_free_security to free the security structure.
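The lazy-allocation pattern of the precondition function and the unregister hook above, as an added user-space model that is not the kernel's or the SELinux module's own code: struct net_device, the security server (security_netif_sid) and the magic value are stubs, the list and avcr fields are omitted, and the function names netdev_precondition and selinux_netdev_unregister are assumed.

```c
#include <stdlib.h>
#include <string.h>
typedef unsigned int security_id_t;
#define SELINUX_MAGIC 0xf97cff8cUL  /* constructed placeholder, not the kernel's */
struct net_device {               /* stub with only the fields used here */
    char name[16];
    void *security;               /* stays NULL until the precondition runs */
};
struct netdev_security_struct {   /* list and avcr fields omitted here */
    unsigned long magic;
    struct net_device *dev;
    security_id_t sid;
    security_id_t default_msg_sid;
};
/* Stub security server interface; a real one looks the name up in policy. */
static int security_netif_sid(const char *name, security_id_t *if_sid, security_id_t *msg_sid)
{
    *if_sid = 1000 + (security_id_t)strlen(name);   /* constructed values */
    *msg_sid = 2000 + (security_id_t)strlen(name);
    return 0;
}
static int netdev_alloc_security(struct net_device *dev)
{
    struct netdev_security_struct *nsec = calloc(1, sizeof *nsec);
    if (!nsec) return -1;
    nsec->magic = SELINUX_MAGIC;
    nsec->dev = dev;
    dev->security = nsec;
    return 0;
}
static void netdev_free_security(struct net_device *dev)
{
    struct netdev_security_struct *nsec = dev->security;
    if (!nsec || nsec->magic != SELINUX_MAGIC) return;  /* not ours, or already freed */
    dev->security = NULL;
    free(nsec);
}

/* Precondition (name assumed): allocate and label on first access, no-op after. */
static int netdev_precondition(struct net_device *dev)
{
    struct netdev_security_struct *nsec = dev->security;
    if (nsec && nsec->magic == SELINUX_MAGIC) return 0;
    if (netdev_alloc_security(dev)) return -1;
    nsec = dev->security;
    return security_netif_sid(dev->name, &nsec->sid, &nsec->default_msg_sid);
}

/* Unregister hook (name assumed): the one netdev hook LSM provides. */
static void selinux_netdev_unregister(struct net_device *dev)
{
    netdev_free_security(dev);
}
```

The magic check is what lets the precondition be called from every IPv4 hook without knowing whether an earlier hook already ran, and makes a second unregister harmless.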