mirror of
https://github.com/morgan9e/systemd
synced 2026-04-15 17:06:39 +09:00
3cf63830ac
New directive `NetLabel=` provides a method for integrating dynamic network
configuration into Linux NetLabel subsystem rules, used by Linux security
modules (LSMs) for network access control. The option expects a whitespace
separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.
Example:
```
[DHCP]
NetLabel=system_u:object_r:localnet_peer_t:s0
```
With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.0/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation
```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```
Result:
```
$ sudo netlabelctl -p unlbl list
...
interface: eth0
address: 10.0.0.0/8
label: "system_u:object_r:localnet_peer_t:s0"
...
```
84 lines
2.2 KiB
C
84 lines
2.2 KiB
C
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
#pragma once
|
|
|
|
/* linux/in6.h or netinet/in.h */
|
|
#ifndef IPV6_UNICAST_IF
|
|
#define IPV6_UNICAST_IF 76
|
|
#endif
|
|
|
|
/* linux/in6.h or netinet/in.h */
|
|
#ifndef IPV6_TRANSPARENT
|
|
#define IPV6_TRANSPARENT 75
|
|
#endif
|
|
|
|
/* Not exposed but defined at include/net/ip.h */
|
|
#ifndef IPV4_MIN_MTU
|
|
#define IPV4_MIN_MTU 68
|
|
#endif
|
|
|
|
/* linux/ipv6.h */
|
|
#ifndef IPV6_MIN_MTU
|
|
#define IPV6_MIN_MTU 1280
|
|
#endif
|
|
|
|
/* Note that LOOPBACK_IFINDEX is currently not exposed by the
|
|
* kernel/glibc, but hardcoded internally by the kernel. However, as
|
|
* it is exported to userspace indirectly via rtnetlink and the
|
|
* ioctls, and made use of widely we define it here too, in a way that
|
|
* is compatible with the kernel's internal definition. */
|
|
#ifndef LOOPBACK_IFINDEX
|
|
#define LOOPBACK_IFINDEX 1
|
|
#endif
|
|
|
|
/* Not exposed yet. Similar values are defined in net/ethernet.h */
|
|
#ifndef ETHERTYPE_LLDP
|
|
#define ETHERTYPE_LLDP 0x88cc
|
|
#endif
|
|
|
|
/* Not exposed but defined in linux/netdevice.h */
|
|
#ifndef MAX_PHYS_ITEM_ID_LEN
|
|
#define MAX_PHYS_ITEM_ID_LEN 32
|
|
#endif
|
|
|
|
/* Not exposed but defined in include/net/bonding.h */
|
|
#ifndef BOND_MAX_ARP_TARGETS
|
|
#define BOND_MAX_ARP_TARGETS 16
|
|
#endif
|
|
|
|
/* Not exposed but defined in include/linux/ieee80211.h */
|
|
#ifndef IEEE80211_MAX_SSID_LEN
|
|
#define IEEE80211_MAX_SSID_LEN 32
|
|
#endif
|
|
|
|
/* Not exposed but defined in include/net/netlabel.h */
|
|
#ifndef NETLBL_NLTYPE_UNLABELED_NAME
|
|
#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
|
|
#endif
|
|
|
|
/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
|
|
enum {
|
|
NLBL_UNLABEL_C_UNSPEC,
|
|
NLBL_UNLABEL_C_ACCEPT,
|
|
NLBL_UNLABEL_C_LIST,
|
|
NLBL_UNLABEL_C_STATICADD,
|
|
NLBL_UNLABEL_C_STATICREMOVE,
|
|
NLBL_UNLABEL_C_STATICLIST,
|
|
NLBL_UNLABEL_C_STATICADDDEF,
|
|
NLBL_UNLABEL_C_STATICREMOVEDEF,
|
|
NLBL_UNLABEL_C_STATICLISTDEF,
|
|
__NLBL_UNLABEL_C_MAX,
|
|
};
|
|
|
|
/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
|
|
enum {
|
|
NLBL_UNLABEL_A_UNSPEC,
|
|
NLBL_UNLABEL_A_ACPTFLG,
|
|
NLBL_UNLABEL_A_IPV6ADDR,
|
|
NLBL_UNLABEL_A_IPV6MASK,
|
|
NLBL_UNLABEL_A_IPV4ADDR,
|
|
NLBL_UNLABEL_A_IPV4MASK,
|
|
NLBL_UNLABEL_A_IFACE,
|
|
NLBL_UNLABEL_A_SECCTX,
|
|
__NLBL_UNLABEL_A_MAX,
|
|
};
|