21. Network Device Hook Functions

The SELinux network device hook function implementations manage the security fields of network device structures (struct net_device). At present, LSM only provides a single hook function that is called when a network device is unregistered. The LSM project decided that it would be too invasive to provide hooks in all locations where network devices were probed or initialized. Hence, security modules are expected to allocate and initialize the security field on the first access to the device. This section describes the network device hook and helper functions.

21.1. Managing Network Device Security Fields

21.1.1. Network Device Security Structure

The netdev_security_struct structure contains security information for network devices. This structure is defined as follows:

struct netdev_security_struct {
        unsigned long magic;
        struct net_device *dev;
        struct list_head list;
        security_id_t sid;
        security_id_t default_msg_sid;
        avc_entry_ref_t avcr;
};

Table 41. netdev_security_struct

Field              Description
magic              Module id for the SELinux module.
dev                Back pointer to the associated network device.
list               Pointer used to maintain the list of allocated network device security structures.
sid                SID for the network device.
default_msg_sid    SID used for unlabeled messages received on this network device.
avcr               AVC entry reference.

21.1.2. netdev_alloc_security and netdev_free_security

The netdev_alloc_security and netdev_free_security helper functions are the primitive allocation functions for network device security structures. They perform the usual processing for allocating and freeing security structures: netdev_alloc_security allocates the structure, sets its magic value and back pointer to the device, links it into the list of allocated network device security structures, and stores it in the security field of the device; netdev_free_security reverses these steps and releases the structure.

21.1.3. netdev_precondition

This helper function is the precondition function for network device security structures. If the network device security structure is not already allocated, this function calls netdev_alloc_security to allocate one. It then calls the security_netif_sid interface of the security server to obtain a device SID and a default packet SID for the network device, which are stored in the sid and default_msg_sid fields respectively. The default packet SID is used for incoming packets received on the network device unless a packet labeling mechanism was used. Because LSM provides no hook at device creation (see the introduction to this section), every hook that touches a network device security structure must call this precondition first rather than assume the field has been set; accordingly, it is called by the IPv4 networking hook functions prior to accessing the network device security structure.

21.1.4. selinux_netdev_unregister

This hook function is called when a network device is unregistered. It calls netdev_free_security to free the security structure.
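The lifecycle described in 21.1.2 through 21.1.4 (allocate, lazily label on first access, free on unregister), as an added user-space model that is not the kernel's or the report's code. It substitutes a singly linked list for struct list_head, a constructed lookup table for the security server's security_netif_sid interface, and assumed values for SELINUX_MAGIC and the SIDs; it is single-threaded, so the kernel locking that keeps two CPUs from racing to allocate for the same device is omitted.

```c
#include <stdlib.h>
#include <string.h>

/* Added user-space model of the SELinux netdev helpers in 21.1.2-21.1.4, not
 * kernel code; the magic value, SID numbers and lookup table are assumed. */

typedef unsigned int security_id_t;
#define SELINUX_MAGIC    0xf97cff8cUL  /* assumed marker for SELinux-owned structs */
#define SECINITSID_NETIF 0x101         /* assumed generic device/message SID */

struct net_device {
        char name[16];
        void *security;  /* LSM security field: NULL until first access */
};

struct netdev_security_struct {
        unsigned long magic;
        struct net_device *dev;
        struct netdev_security_struct *next;  /* stand-in for struct list_head list */
        security_id_t sid;
        security_id_t default_msg_sid;
        unsigned long avcr;  /* stand-in for avc_entry_ref_t */
};

/* Every allocated netdev security structure (what the 'list' field links into). */
static struct netdev_security_struct *netdev_list;

/* Constructed stand-in for the security server's security_netif_sid(): a tiny
 * netif table; interfaces not in it get the generic SIDs. Returns 0 on success. */
static int security_netif_sid(const char *name, security_id_t *if_sid, security_id_t *msg_sid)
{
        static const struct { const char *n; security_id_t sid, msg; } tbl[] = {
                { "eth0", 0x200, 0x201 }, { "lo", 0x300, 0x301 },
        };
        if (!name || !name[0]) return -1;  /* -EINVAL in the kernel */
        for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
                if (strcmp(tbl[i].n, name) == 0) {
                        *if_sid = tbl[i].sid, *msg_sid = tbl[i].msg;
                        return 0;
                }
        *if_sid = *msg_sid = SECINITSID_NETIF;
        return 0;
}

/* 21.1.2: allocate, stamp magic and back pointer, link into the list, set dev->security. */
static int netdev_alloc_security(struct net_device *dev)
{
        struct netdev_security_struct *nsec = calloc(1, sizeof *nsec);
        if (!nsec) return -1;  /* -ENOMEM in the kernel */
        nsec->magic = SELINUX_MAGIC;
        nsec->dev = dev;
        nsec->next = netdev_list;
        netdev_list = nsec;
        dev->security = nsec;
        return 0;
}

/* 21.1.2: unlink, clear dev->security, free. Safe if never preconditioned or not ours. */
static void netdev_free_security(struct net_device *dev)
{
        struct netdev_security_struct *nsec = dev->security, **pp;
        if (!nsec || nsec->magic != SELINUX_MAGIC) return;
        for (pp = &netdev_list; *pp && *pp != nsec; pp = &(*pp)->next) {}
        if (*pp) *pp = nsec->next;
        dev->security = NULL;
        free(nsec);
}

/* 21.1.3: allocate and label on first access; idempotent afterwards. A failed
 * lookup must not leave a half-initialised structure on the device. This
 * single-threaded model omits the locking the kernel needs to stop two CPUs
 * from both allocating for the same device. */
static int netdev_precondition(struct net_device *dev)
{
        struct netdev_security_struct *nsec = dev->security;
        if (nsec)  /* already allocated; a field owned by another module is an error */
                return nsec->magic == SELINUX_MAGIC ? 0 : -1;
        int rc = netdev_alloc_security(dev);
        if (rc) return rc;
        nsec = dev->security;
        rc = security_netif_sid(dev->name, &nsec->sid, &nsec->default_msg_sid);
        if (rc) netdev_free_security(dev);
        return rc;
}

/* 21.1.4: the single netdev hook LSM provides. */
static void selinux_netdev_unregister(struct net_device *dev)
{
        netdev_free_security(dev);
}

/* What an IPv4 hook does before labeling an unlabeled incoming packet: run the
 * precondition, then read the device's default message SID (0 on failure). */
static security_id_t netdev_default_msg_sid(struct net_device *dev)
{
        if (netdev_precondition(dev)) return 0;
        return ((struct netdev_security_struct *)dev->security)->default_msg_sid;
}
```

Two details worth noting in the model: a second netdev_precondition call on a labeled device returns immediately without reallocating, and a failed security server lookup unwinds the allocation so that a later caller retries from a clean NULL field instead of finding a structure with a zero SID.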