#include "sec_label.h"
+ENUM(sec_label_mode_names, SEC_LABEL_MODE_SYSTEM, SEC_LABEL_MODE_SELINUX,
+ "system",
+ "simple",
+ "selinux",
+);
+
typedef struct private_sec_label_t private_sec_label_t;
/**
}
return sec_label_from_encoding(chunk_create((char*)value, strlen(value)+1));
}
+
+/*
+ * Described in header
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode)
+{
+ sec_label_mode_t def = sec_label_mode_default();
+
+ return enum_from_name(sec_label_mode_names, value, mode) &&
+ (def == SEC_LABEL_MODE_SELINUX || *mode != SEC_LABEL_MODE_SELINUX);
+}
+
+/*
+ * Described in header
+ */
+sec_label_mode_t sec_label_mode_default()
+{
+#ifdef USE_SELINUX
+ if (is_selinux_enabled())
+ {
+ return SEC_LABEL_MODE_SELINUX;
+ }
+#endif
+ return SEC_LABEL_MODE_SIMPLE;
+}
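Review bot: sec_label_mode_from_string stores into `*mode` through enum_from_name before the usability check on the following line, so on a host where sec_label_mode_default() is not SELINUX a caller gets `*mode == SEC_LABEL_MODE_SELINUX` together with a FALSE return; a caller that logs the failure but keeps the out-value would continue in a mode the system cannot honour. Parsing into a local and assigning only on success leaves the out-parameter untouched on every failure path, which is what the header's "TRUE if mode is valid (and usable on system)" suggests. Separately, the guard `if (is_selinux_enabled())` in sec_label_mode_default is true for any non-zero value; if the libselinux build in use can return -1 on error (older releases document that), an error would select SELinux mode, so `if (is_selinux_enabled() == 1)` is the safer comparison.
```c
bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode)
{
	sec_label_mode_t parsed;

	if (!enum_from_name(sec_label_mode_names, value, &parsed))
	{
		return FALSE;
	}
	/* selinux is only usable when it is the system default */
	if (parsed == SEC_LABEL_MODE_SELINUX &&
		sec_label_mode_default() != SEC_LABEL_MODE_SELINUX)
	{
		return FALSE;
	}
	*mode = parsed;
	return TRUE;
}
```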
#ifndef SEC_LABEL_H_
#define SEC_LABEL_H_
+typedef enum sec_label_mode_t sec_label_mode_t;
typedef struct sec_label_t sec_label_t;
#include <library.h>
+/**
+ * Mode in which security labels are used.
+ */
+enum sec_label_mode_t {
+
+ /**
+ * System default. Simple mode if SELinux is not supported or disabled
+ * on the system.
+ */
+ SEC_LABEL_MODE_SYSTEM,
+
+ /**
+ * Simple mode that does establish regular CHILD_SAs, matches labels exactly
+ * and does not install them in the kernel.
+ */
+ SEC_LABEL_MODE_SIMPLE,
+
+ /**
+ * SELinux mode where configured labels are installed on (trap) policies,
+ * labels from acquires/peer on SAs, child-less IKE_SAs are initiated
+ * if there is no acquire, labels are also matched via polmatch.
+ */
+ SEC_LABEL_MODE_SELINUX,
+};
+
+/**
+ * Names for security label modes.
+ */
+extern enum_name_t *sec_label_mode_names;
+
/**
* Representation of a security label used on policies/SAs.
*
return (!a && !b) || (a && a->equals(a, b));
}
+/**
+ * Try to parse a security label mode from the given string.
+ *
+ * @param value string to parse
+ * @param mode parsed mode
+ * @return TRUE if mode is valid (and usable on system)
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode);
+
+/**
+ * Get the system default security label mode.
+ *
+ * @return default mode
+ */
+sec_label_mode_t sec_label_mode_default();
+
#endif /** SEC_LABEL_H_ @}*/
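Review bot: The new prototype `sec_label_mode_t sec_label_mode_default();` two lines above `#endif` uses empty parentheses, which in C11 is an unprototyped declaration rather than a zero-argument prototype, so a call passing stray arguments is not diagnosed; `sec_label_mode_t sec_label_mode_default(void);` (and the matching definition in sec_label.c) makes it a real prototype. The doc comment for sec_label_mode_from_string should also say what `mode` holds when FALSE is returned, since a string that parses as `selinux` on a non-SELinux system is rejected only after the parse has written it; e.g. `@param mode parsed mode, only meaningful if TRUE is returned`.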