From: Tobias Brunner Date: Mon, 20 Dec 2021 12:49:56 +0000 (+0100) Subject: child-cfg: Add optional security label and mode X-Git-Tag: 5.9.6rc1~3^2~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef72ac88c32e11ab39840636fc567b658a5cc5b7;p=thirdparty%2Fstrongswan.git child-cfg: Add optional security label and mode
---
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 9ea6186c3a..92a1ed5027 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -143,6 +143,16 @@ struct private_child_cfg_t {
 */
 mark_t set_mark_out;
 
+ /**
+ * Optional security label for policies
+ */
+ sec_label_t *label;
+
+ /**
+ * Optional label mode for policies
+ */
+ sec_label_mode_t label_mode;
+
 /**
 * Traffic Flow Confidentiality padding, if enabled
 */
@@ -522,6 +532,18 @@ METHOD(child_cfg_t, get_set_mark, mark_t,
 return inbound ? this->set_mark_in : this->set_mark_out;
 }
 
+METHOD(child_cfg_t, get_label, sec_label_t*,
+ private_child_cfg_t *this)
+{
+ return this->label;
+}
+
+METHOD(child_cfg_t, get_label_mode, sec_label_mode_t,
+ private_child_cfg_t *this)
+{
+ return this->label_mode;
+}
+
 METHOD(child_cfg_t, get_tfc, uint32_t,
 private_child_cfg_t *this)
 {
@@ -607,7 +629,9 @@ METHOD(child_cfg_t, equals, bool,
 this->hw_offload == other->hw_offload &&
 this->copy_dscp == other->copy_dscp &&
 streq(this->updown, other->updown) &&
- streq(this->interface, other->interface);
+ streq(this->interface, other->interface) &&
+ sec_labels_equal(this->label, other->label) &&
+ this->label_mode == other->label_mode;
 }
 
 METHOD(child_cfg_t, get_ref, child_cfg_t*,
@@ -625,6 +649,7 @@ METHOD(child_cfg_t, destroy, void,
 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
 this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+ DESTROY_IF(this->label);
 free(this->updown);
 free(this->interface);
 free(this->name);
@@ -659,6 +684,8 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 .get_if_id = _get_if_id,
 .get_mark = _get_mark,
 .get_set_mark = _get_set_mark,
+ .get_label = _get_label,
+ .get_label_mode = _get_label_mode,
 .get_tfc = _get_tfc,
 .get_manual_prio = _get_manual_prio,
 .get_interface = _get_interface,
@@ -685,6 +712,9 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 .mark_out = data->mark_out,
 .set_mark_in = data->set_mark_in,
 .set_mark_out = data->set_mark_out,
+ .label = data->label ? data->label->clone(data->label) : NULL,
+ .label_mode = data->label_mode != SEC_LABEL_MODE_SYSTEM ?
+ data->label_mode : sec_label_mode_default(),
 .lifetime = data->lifetime,
 .inactivity = data->inactivity,
 .tfc = data->tfc,
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 4de978826e..15c52b7bc9 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -247,6 +247,20 @@ struct child_cfg_t {
 */
 mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);
 
+ /**
+ * Optional security label to be configured on policies.
+ *
+ * @return label or NULL
+ */
+ sec_label_t *(*get_label)(child_cfg_t *this);
+
+ /**
+ * Get the mode in which the security label is used.
+ *
+ * @return label mode (never SEC_LABEL_MODE_SYSTEM)
+ */
+ sec_label_mode_t (*get_label_mode)(child_cfg_t *this);
+
 /**
 * Get the TFC padding value to use for CHILD_SA.
 *
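Review bot: The fallback `.label_mode = data->label_mode != SEC_LABEL_MODE_SYSTEM ? data->label_mode : sec_label_mode_default()` in child_cfg_create() is the only thing backing the header's promise that get_label_mode() never returns SEC_LABEL_MODE_SYSTEM, and nothing here states that sec_label_mode_default() must honour that. A comment above the initializer would pin the dependency for whoever changes the default, e.g. `/* resolve SEC_LABEL_MODE_SYSTEM here; sec_label_mode_default() must never return it, as get_label_mode() promises callers */`. The label itself is cloned without any validation at this level, so that presumably happens in the config parser — worth confirming, since a label restricts which traffic a policy matches. child_cfg_create()'s body starts before and continues after the hunk.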
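Review bot: The `@return label or NULL` on get_label() does not say who owns the returned object; the implementation in child_cfg.c hands out the config's internal pointer, which destroy() frees via `DESTROY_IF(this->label)`, so the label is only valid while the caller holds a reference to the child_cfg_t. Suggest `@return label or NULL, owned by the config; clone() it to keep it beyond the config's lifetime`. Both declarations sit inside struct child_cfg_t, which starts before and continues after the hunk.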
@@ -367,6 +381,10 @@ struct child_cfg_create_t {
 mark_t set_mark_in;
 /** Optional outbound mark the SA should apply to traffic */
 mark_t set_mark_out;
+ /** Optional security label configured on policies (cloned) */
+ sec_label_t *label;
+ /** Optional security label mode */
+ sec_label_mode_t label_mode;
 /** Mode to propose for CHILD_SA */
 ipsec_mode_t mode;
 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
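Review bot: The `/** Optional security label mode */` comment on label_mode leaves out that SEC_LABEL_MODE_SYSTEM is special: child_cfg_create() replaces it with sec_label_mode_default(), so a zero-initialized child_cfg_create_t presumably selects the system default — confirm that SYSTEM is the enum's zero value. Suggest `/** Optional security label mode, SEC_LABEL_MODE_SYSTEM selects the default */`. struct child_cfg_create_t starts before and continues after the hunk.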