[linux.git] / Documentation / netlabel / introduction.txt

NetLabel Introduction
==============================================================================
Paul Moore, [email protected]

August 2, 2006

 * Overview

NetLabel is a mechanism which can be used by kernel security modules to attach
security attributes to outgoing network packets generated from user space
applications and read security attributes from incoming network packets.  It
is composed of three main components, the protocol engines, the communication
layer, and the kernel security module API.

 * Protocol Engines

The protocol engines are responsible for both applying and retrieving the
network packet's security attributes.  If any translation between the network
security attributes and those on the host are required then the protocol
engine will handle those tasks as well.  Other kernel subsystems should
refrain from calling the protocol engines directly, instead they should use
the NetLabel kernel security module API described below.

Detailed information about each NetLabel protocol engine can be found in this
directory, consult '00-INDEX' for filenames.

 * Communication Layer

The communication layer exists to allow NetLabel configuration and monitoring
from user space.  The NetLabel communication layer uses a message based
protocol built on top of the Generic NETLINK transport mechanism.  The exact
formatting of these NetLabel messages as well as the Generic NETLINK family
names can be found in the 'net/netlabel/' directory as comments in the
header files as well as in 'include/net/netlabel.h'.

 * Security Module API

The purpose of the NetLabel security module API is to provide a protocol
independent interface to the underlying NetLabel protocol engines.  In addition
to protocol independence, the security module API is designed to be completely
LSM independent which should allow multiple LSMs to leverage the same code
base.

Detailed information about the NetLabel security module API can be found in the
'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
found in this directory.
Commit	Line	Data
8802f616 PM	1	NetLabel Introduction
	2	==============================================================================
	3	Paul Moore, [email protected]
	4
	5	August 2, 2006
	6
	7	* Overview
	8
	9	NetLabel is a mechanism which can be used by kernel security modules to attach
	10	security attributes to outgoing network packets generated from user space
	11	applications and read security attributes from incoming network packets. It
	12	is composed of three main components, the protocol engines, the communication
	13	layer, and the kernel security module API.
	14
	15	* Protocol Engines
	16
	17	The protocol engines are responsible for both applying and retrieving the
	18	network packet's security attributes. If any translation between the network
	19	security attributes and those on the host are required then the protocol
	20	engine will handle those tasks as well. Other kernel subsystems should
	21	refrain from calling the protocol engines directly, instead they should use
	22	the NetLabel kernel security module API described below.
	23
	24	Detailed information about each NetLabel protocol engine can be found in this
	25	directory, consult '00-INDEX' for filenames.
	26
	27	* Communication Layer
	28
	29	The communication layer exists to allow NetLabel configuration and monitoring
	30	from user space. The NetLabel communication layer uses a message based
	31	protocol built on top of the Generic NETLINK transport mechanism. The exact
	32	formatting of these NetLabel messages as well as the Generic NETLINK family
59c51591	33	names can be found in the 'net/netlabel/' directory as comments in the
8802f616 PM	34	header files as well as in 'include/net/netlabel.h'.
	35
	36	* Security Module API
	37
	38	The purpose of the NetLabel security module API is to provide a protocol
	39	independent interface to the underlying NetLabel protocol engines. In addition
	40	to protocol independence, the security module API is designed to be completely
	41	LSM independent which should allow multiple LSMs to leverage the same code
	42	base.
	43
	44	Detailed information about the NetLabel security module API can be found in the
	45	'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
	46	found in this directory.