Defaults to <literal>no</literal>.</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>NetLabel=</varname><replaceable>label</replaceable></term>
+ <listitem>
+
+ <para>This setting provides a method for integrating static and dynamic network configuration into
+ Linux <ulink url="https://docs.kernel.org/netlabel/index.html">NetLabel</ulink> subsystem rules,
+ used by <ulink url="https://en.wikipedia.org/wiki/Linux_Security_Modules">Linux Security Modules
+ (LSMs)</ulink> for network access control. The label, with suitable LSM rules, can be used to
+ control connectivity of (for example) a service with peers in the local network. At least with
+ SELinux, only the ingress can be controlled but not egress. The benefit of using this setting is
+ that it may be possible to apply interface independent part of NetLabel configuration at very early
+ stage of system boot sequence, at the time when the network interfaces are not available yet, with
+ <citerefentry
+ project='man-pages'><refentrytitle>netlabelctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ and the per-interface configuration with <command>systemd-networkd</command> once the interfaces
+ appear later. Currently this feature is only implemented for SELinux.</para>
+
+ <para>The option expects a single NetLabel label. The label must conform to lexical restrictions of
+ LSM labels. When an interface is configured with IP addresses, the addresses and subnetwork masks
+ will be appended to the <ulink
+ url="https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md">NetLabel
+ Fallback Peer Labeling</ulink> rules. They will be removed when the interface is
+ deconfigured. Failures to manage the labels will be ignored.</para>
+
+ <para>Warning: Once labeling is enabled for network traffic, a lot of LSM access control points in
+ Linux networking stack go from dormant to active. Care should be taken to avoid getting into a
+ situation where for example remote connectivity is broken, when the security policy hasn't been
+ updated to consider LSM per-packet access controls and no rules would allow any network
+ traffic. Also note that additional configuration with <citerefentry
+ project='man-pages'><refentrytitle>netlabelctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ is needed.</para>
+
+ <para>Example:
+ <programlisting>[Address]
+NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting>
+
+ With the example rules applying for interface <literal>eth0</literal>, when the interface is
+ configured with an IPv4 address of 10.0.0.123/8, <command>systemd-networkd</command> performs the
+ equivalent of <command>netlabelctl</command> operation
+
+ <programlisting>netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0</programlisting>
+
+ and the reverse operation when the IPv4 address is deconfigured. The configuration can be used with
+ LSM rules; in case of SELinux to allow a SELinux domain to receive data from objects of SELinux
+ <literal>peer</literal> class. For example:
+
+ <programlisting>type localnet_peer_t;
+allow my_server_t localnet_peer_t:peer recv;</programlisting>
+
+ The effect of the above configuration and rules (in absence of other rules as may be the case) is
+ to only allow <literal>my_server_t</literal> (and nothing else) to receive data from local subnet
+ 10.0.0.0/8 of interface <literal>eth0</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to false.</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>NetLabel=</varname></term>
+ <listitem>
+ <para>This applies the NetLabel for the addresses received with DHCP, like
+ <varname>NetLabel=</varname> in [Address] section applies it to statically configured
+ addresses. See <varname>NetLabel=</varname> in [Address] section for more details.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<term><varname>UseNTP=</varname></term>
<term><varname>UseHostname=</varname></term>
<term><varname>UseDomains=</varname></term>
+ <term><varname>NetLabel=</varname></term>
<listitem>
<para>As in the [DHCPv4] section.</para>
</listitem>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>NetLabel=</varname></term>
+ <listitem>
+ <para>This applies the NetLabel for the addresses received with DHCP, like
+ <varname>NetLabel=</varname> in [Address] section applies it to statically configured
+ addresses. See <varname>NetLabel=</varname> in [Address] section for more details.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
specified. Defaults to true.</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>NetLabel=</varname></term>
+ <listitem>
+ <para>This applies the NetLabel for the addresses received with RA, like
+ <varname>NetLabel=</varname> in [Address] section applies it to statically configured
+ addresses. See <varname>NetLabel=</varname> in [Address] section for more details.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
'networkd-ndisc.h',
'networkd-neighbor.c',
'networkd-neighbor.h',
+ 'networkd-netlabel.c',
+ 'networkd-netlabel.h',
'networkd-network-bus.c',
'networkd-network-bus.h',
'networkd-network.c',
#include "networkd-dhcp-server.h"
#include "networkd-ipv4acd.h"
#include "networkd-manager.h"
+#include "networkd-netlabel.h"
#include "networkd-network.h"
#include "networkd-queue.h"
#include "networkd-route-util.h"
config_section_free(address->section);
free(address->label);
+ free(address->netlabel);
return mfree(address);
}
dest->link = NULL;
dest->label = NULL;
dest->acd = NULL;
+ dest->netlabel = NULL;
if (src->family == AF_INET) {
r = free_and_strdup(&dest->label, src->label);
return r;
}
+ r = free_and_strdup(&dest->netlabel, src->netlabel);
+ if (r < 0)
+ return r;
+
*ret = TAKE_PTR(dest);
return 0;
}
if (r < 0)
return log_link_warning_errno(link, r, "Could not enable IP masquerading: %m");
+ address_add_netlabel(address);
+
if (address_is_ready(address) && address->callback) {
r = address->callback(address);
if (r < 0)
if (r < 0)
log_link_warning_errno(link, r, "Failed to disable IP masquerading, ignoring: %m");
+ address_del_netlabel(address);
+
if (address->state == 0)
address_free(address);
return 0;
}
+int config_parse_address_netlabel(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ Network *network = userdata;
+ _cleanup_(address_free_or_set_invalidp) Address *n = NULL;
+ int r;
+
+ assert(filename);
+ assert(section);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+ assert(network);
+
+ r = address_new_static(network, filename, section_line, &n);
+ if (r == -ENOMEM)
+ return log_oom();
+ if (r < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r,
+ "Failed to allocate new address, ignoring assignment: %m");
+ return 0;
+ }
+
+ r = config_parse_string(unit, filename, line, section, section_line,
+ lvalue, CONFIG_PARSE_STRING_SAFE, rvalue, &n->netlabel, network);
+ if (r < 0)
+ return r;
+
+ TAKE_PTR(n);
+ return 0;
+}
+
static int address_section_verify(Address *address) {
if (section_is_invalid(address->section))
return -EINVAL;
unsigned char scope;
uint32_t flags;
uint32_t route_metric; /* route metric for prefix route */
- char *label;
+ char *label, *netlabel;
int set_broadcast;
struct in_addr broadcast;
CONFIG_PARSER_PROTOTYPE(config_parse_address_scope);
CONFIG_PARSER_PROTOTYPE(config_parse_address_route_metric);
CONFIG_PARSER_PROTOTYPE(config_parse_duplicate_address_detection);
+CONFIG_PARSER_PROTOTYPE(config_parse_address_netlabel);
log_dhcp_pd_address(link, address);
+ r = free_and_strdup_warn(&address->netlabel, link->network->dhcp_pd_netlabel);
+ if (r < 0)
+ return r;
+
if (address_get(link, address, &existing) < 0)
link->dhcp_pd_configured = false;
else
if (r < 0)
return r;
+ r = free_and_strdup_warn(&addr->netlabel, link->network->dhcp_netlabel);
+ if (r < 0)
+ return r;
+
if (address_get(link, addr, &existing) < 0) /* The address is new. */
link->dhcp4_configured = false;
else
if (verify_dhcp6_address(link, addr) < 0)
return 0;
+ r = free_and_strdup_warn(&addr->netlabel, link->network->dhcp6_netlabel);
+ if (r < 0)
+ return r;
+
if (address_get(link, addr, &existing) < 0)
link->dhcp6_configured = false;
else
address->source = NETWORK_CONFIG_SOURCE_NDISC;
address->provider.in6 = router;
+ r = free_and_strdup_warn(&address->netlabel, link->network->ndisc_netlabel);
+ if (r < 0)
+ return r;
+
if (address_get(link, address, &existing) < 0)
link->ndisc_configured = false;
else
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "escape.h"
+#include "netlink-util.h"
+#include "networkd-address.h"
+#include "networkd-link.h"
+#include "networkd-manager.h"
+#include "networkd-netlabel.h"
+#include "networkd-network.h"
+
+static int netlabel_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
+ int r;
+
+ assert_se(rtnl);
+ assert_se(m);
+ assert_se(link);
+
+ r = sd_netlink_message_get_errno(m);
+ if (r < 0) {
+ log_link_message_warning_errno(link, m, r, "NetLabel operation failed, ignoring");
+ return 1;
+ }
+
+ log_link_debug(link, "NetLabel operation successful");
+
+ return 1;
+}
+
+static int netlabel_command(uint16_t command, const char *label, const Address *address) {
+ _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
+ int r;
+
+ assert(command != NLBL_UNLABEL_C_UNSPEC && command < __NLBL_UNLABEL_C_MAX);
+ assert(address);
+ assert(address->link);
+ assert(address->link->ifname);
+ assert(address->link->manager);
+ assert(address->link->manager->genl);
+ assert(IN_SET(address->family, AF_INET, AF_INET6));
+
+ r = sd_genl_message_new(address->link->manager->genl, NETLBL_NLTYPE_UNLABELED_NAME, command, &m);
+ if (r < 0)
+ return r;
+
+ r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_IFACE, address->link->ifname);
+ if (r < 0)
+ return r;
+
+ if (command == NLBL_UNLABEL_C_STATICADD) {
+ assert(label);
+ r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_SECCTX, label);
+ if (r < 0)
+ return r;
+ }
+
+ union in_addr_union netmask, masked_addr;
+ r = in_addr_prefixlen_to_netmask(address->family, &netmask, address->prefixlen);
+ if (r < 0)
+ return r;
+
+ /*
+ * When adding rules, kernel adds the address to its hash table _applying also the netmask_, but on
+ * removal, an exact match is required _without netmask applied_, so apply the mask on both
+ * operations.
+ */
+ masked_addr = address->in_addr;
+ r = in_addr_mask(address->family, &masked_addr, address->prefixlen);
+ if (r < 0)
+ return r;
+
+ if (address->family == AF_INET) {
+ r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4ADDR, &masked_addr.in);
+ if (r < 0)
+ return r;
+
+ r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4MASK, &netmask.in);
+ } else if (address->family == AF_INET6) {
+ r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6ADDR, &masked_addr.in6);
+ if (r < 0)
+ return r;
+
+ r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6MASK, &netmask.in6);
+ }
+ if (r < 0)
+ return r;
+
+ r = netlink_call_async(address->link->manager->genl, NULL, m, netlabel_handler, link_netlink_destroy_callback,
+ address->link);
+ if (r < 0)
+ return r;
+
+ link_ref(address->link);
+ return 0;
+}
+
+void address_add_netlabel(const Address *address) {
+ int r;
+
+ assert(address);
+
+ if (!address->netlabel)
+ return;
+
+ r = netlabel_command(NLBL_UNLABEL_C_STATICADD, address->netlabel, address);
+ if (r < 0)
+ log_link_warning_errno(address->link, r, "Adding NetLabel %s for IP address %s failed, ignoring", address->netlabel,
+ IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
+ else
+ log_link_debug(address->link, "Adding NetLabel %s for IP address %s", address->netlabel,
+ IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
+}
+
+void address_del_netlabel(const Address *address) {
+ int r;
+
+ assert(address);
+
+ if (!address->netlabel)
+ return;
+
+ r = netlabel_command(NLBL_UNLABEL_C_STATICREMOVE, address->netlabel, address);
+ if (r < 0)
+ log_link_warning_errno(address->link, r, "Deleting NetLabel %s for IP address %s failed, ignoring", address->netlabel,
+ IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
+ else
+ log_link_debug(address->link, "Deleting NetLabel %s for IP address %s", address->netlabel,
+ IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
+}
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+void address_add_netlabel(const Address *address);
+void address_del_netlabel(const Address *address);
#include "networkd-ipv6ll.h"
#include "networkd-lldp-tx.h"
#include "networkd-ndisc.h"
+#include "networkd-netlabel.h"
#include "networkd-network.h"
#include "networkd-neighbor.h"
#include "networkd-nexthop.h"
Address.DuplicateAddressDetection, config_parse_duplicate_address_detection, 0, 0
Address.Scope, config_parse_address_scope, 0, 0
Address.RouteMetric, config_parse_address_route_metric, 0, 0
+Address.NetLabel, config_parse_address_netlabel, 0, 0
IPv6AddressLabel.Prefix, config_parse_address_label_prefix, 0, 0
IPv6AddressLabel.Label, config_parse_address_label, 0, 0
Neighbor.Address, config_parse_neighbor_address, 0, 0
DHCPv4.RouteMTUBytes, config_parse_mtu, AF_INET, offsetof(Network, dhcp_route_mtu)
DHCPv4.FallbackLeaseLifetimeSec, config_parse_dhcp_fallback_lease_lifetime, 0, 0
DHCPv4.Use6RD, config_parse_bool, 0, offsetof(Network, dhcp_use_6rd)
+DHCPv4.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, dhcp_netlabel)
DHCPv6.UseAddress, config_parse_bool, 0, offsetof(Network, dhcp6_use_address)
DHCPv6.UseDelegatedPrefix, config_parse_bool, 0, offsetof(Network, dhcp6_use_pd_prefix)
DHCPv6.UseDNS, config_parse_dhcp_use_dns, AF_INET6, 0
DHCPv6.DUIDType, config_parse_duid_type, 0, offsetof(Network, dhcp6_duid)
DHCPv6.DUIDRawData, config_parse_duid_rawdata, 0, offsetof(Network, dhcp6_duid)
DHCPv6.RapidCommit, config_parse_bool, 0, offsetof(Network, dhcp6_use_rapid_commit)
+DHCPv6.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, dhcp6_netlabel)
IPv6AcceptRA.UseGateway, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_gateway)
IPv6AcceptRA.UseRoutePrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_route_prefix)
IPv6AcceptRA.UseAutonomousPrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_autonomous_prefix)
IPv6AcceptRA.RouteAllowList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_allow_listed_route_prefix)
IPv6AcceptRA.RouteDenyList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_deny_listed_route_prefix)
IPv6AcceptRA.Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens)
+IPv6AcceptRA.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, ndisc_netlabel)
DHCPServer.ServerAddress, config_parse_dhcp_server_address, 0, 0
DHCPServer.UplinkInterface, config_parse_uplink, 0, 0
DHCPServer.RelayTarget, config_parse_in_addr_non_null, AF_INET, offsetof(Network, dhcp_server_relay_target)
DHCPPrefixDelegation.ManageTemporaryAddress, config_parse_bool, 0, offsetof(Network, dhcp_pd_manage_temporary_address)
DHCPPrefixDelegation.Token, config_parse_address_generation_type, 0, offsetof(Network, dhcp_pd_tokens)
DHCPPrefixDelegation.RouteMetric, config_parse_uint32, 0, offsetof(Network, dhcp_pd_route_metric)
+DHCPPrefixDelegation.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, dhcp_pd_netlabel)
IPv6SendRA.RouterLifetimeSec, config_parse_router_lifetime, 0, offsetof(Network, router_lifetime_usec)
IPv6SendRA.Managed, config_parse_bool, 0, offsetof(Network, router_managed)
IPv6SendRA.OtherInformation, config_parse_bool, 0, offsetof(Network, router_other_information)
set_free(network->dhcp_request_options);
ordered_hashmap_free(network->dhcp_client_send_options);
ordered_hashmap_free(network->dhcp_client_send_vendor_options);
+ free(network->dhcp_netlabel);
/* DHCPv6 client */
free(network->dhcp6_mudurl);
set_free(network->dhcp6_request_options);
ordered_hashmap_free(network->dhcp6_client_send_options);
ordered_hashmap_free(network->dhcp6_client_send_vendor_options);
+ free(network->dhcp6_netlabel);
/* DHCP PD */
free(network->dhcp_pd_uplink_name);
set_free(network->dhcp_pd_tokens);
+ free(network->dhcp_pd_netlabel);
/* Router advertisement */
ordered_set_free(network->router_search_domains);
set_free(network->ndisc_deny_listed_route_prefix);
set_free(network->ndisc_allow_listed_route_prefix);
set_free(network->ndisc_tokens);
+ free(network->ndisc_netlabel);
/* LLDP */
free(network->lldp_mudurl);
Set *dhcp_request_options;
OrderedHashmap *dhcp_client_send_options;
OrderedHashmap *dhcp_client_send_vendor_options;
+ char *dhcp_netlabel;
/* DHCPv6 Client support */
bool dhcp6_use_address;
OrderedHashmap *dhcp6_client_send_options;
OrderedHashmap *dhcp6_client_send_vendor_options;
Set *dhcp6_request_options;
+ char *dhcp6_netlabel;
/* DHCP Server Support */
bool dhcp_server;
Set *dhcp_pd_tokens;
int dhcp_pd_uplink_index;
char *dhcp_pd_uplink_name;
+ char *dhcp_pd_netlabel;
/* Bridge Support */
int use_bpdu;
Set *ndisc_deny_listed_route_prefix;
Set *ndisc_allow_listed_route_prefix;
Set *ndisc_tokens;
+ char *ndisc_netlabel;
/* LLDP support */
LLDPMode lldp_mode; /* LLDP reception */
RouteMTUBytes=
FallbackLeaseLifetimeSec=
Use6RD=
+NetLabel=
[DHCPv6]
UseAddress=
UseDelegatedPrefix=
IAID=
DUIDType=
DUIDRawData=
+NetLabel=
[DHCPv6PrefixDelegation]
SubnetId=
Announce=
ManageTemporaryAddress=
Token=
RouteMetric=
+NetLabel=
[DHCPPrefixDelegation]
UplinkInterface=
SubnetId=
ManageTemporaryAddress=
Token=
RouteMetric=
+NetLabel=
[Route]
Destination=
Protocol=
Managed=
OtherInformation=
UplinkInterface=
+NetLabel=
[IPv6PrefixDelegation]
RouterPreference=
DNSLifetimeSec=
projects / thirdparty / systemd.git / commitdiff
