From: Tobias Brunner
Date: Thu, 27 Jan 2022 13:49:39 +0000 (+0100)
Subject: sec-label: Add enum for security label mode
X-Git-Tag: 5.9.6rc1~3^2~34
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2dd60e49463bb20db9b20b38dde998fc049672c4;p=thirdparty%2Fstrongswan.git
sec-label: Add enum for security label mode
---
diff --git a/src/libstrongswan/selectors/sec_label.c b/src/libstrongswan/selectors/sec_label.c
index 1b85942e9e..596e98c036 100644
--- a/src/libstrongswan/selectors/sec_label.c
+++ b/src/libstrongswan/selectors/sec_label.c
@@ -28,6 +28,12 @@
 #include "sec_label.h"
+ENUM(sec_label_mode_names, SEC_LABEL_MODE_SYSTEM, SEC_LABEL_MODE_SELINUX,
+ "system",
+ "simple",
+ "selinux",
+);
+
 typedef struct private_sec_label_t private_sec_label_t;
 /**
@@ -195,3 +201,28 @@ sec_label_t *sec_label_from_string(const char *value)
 }
 return sec_label_from_encoding(chunk_create((char*)value, strlen(value)+1));
 }
+
+/*
+ * Described in header
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode)
+{
+ sec_label_mode_t def = sec_label_mode_default();
+
+ return enum_from_name(sec_label_mode_names, value, mode) &&
+ (def == SEC_LABEL_MODE_SELINUX || *mode != SEC_LABEL_MODE_SELINUX);
+}
+
+/*
+ * Described in header
+ */
+sec_label_mode_t sec_label_mode_default()
+{
+#ifdef USE_SELINUX
+ if (is_selinux_enabled())
+ {
+ return SEC_LABEL_MODE_SELINUX;
+ }
+#endif
+ return SEC_LABEL_MODE_SIMPLE;
+}
diff --git a/src/libstrongswan/selectors/sec_label.h b/src/libstrongswan/selectors/sec_label.h
index 55feec439d..0392db77fa 100644
--- a/src/libstrongswan/selectors/sec_label.h
+++ b/src/libstrongswan/selectors/sec_label.h
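Review bot: In sec_label_mode_from_string, enum_from_name stores into `*mode` before the usability check runs, so parsing "selinux" on a host whose default is not SELinux returns FALSE while leaving SEC_LABEL_MODE_SELINUX in the caller's variable; a caller that ignores the return value would then proceed with a mode the system cannot support. Parsing into a local and assigning `*mode` only on success keeps the output untouched on failure, as sketched below. In sec_label_mode_default, `if (is_selinux_enabled())` treats any non-zero result as enabled; if the libselinux in use can report an error as -1, `if (is_selinux_enabled() == 1)` makes the behaviour on a failed query explicit rather than accidental. The definition `sec_label_mode_default()` uses empty parentheses; `sec_label_mode_default(void)` gives a real prototype, here and for the matching declaration in sec_label.h below.
```c
bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode)
{
	sec_label_mode_t def = sec_label_mode_default(), parsed;

	/* only write *mode once the value is known to be usable on this system */
	if (!enum_from_name(sec_label_mode_names, value, &parsed) ||
		(def != SEC_LABEL_MODE_SELINUX && parsed == SEC_LABEL_MODE_SELINUX))
	{
		return FALSE;
	}
	*mode = parsed;
	return TRUE;
}
```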
@@ -28,10 +28,41 @@
 #ifndef SEC_LABEL_H_
 #define SEC_LABEL_H_
+typedef enum sec_label_mode_t sec_label_mode_t;
 typedef struct sec_label_t sec_label_t;
 #include
+/**
+ * Mode in which security labels are used.
+ */
+enum sec_label_mode_t {
+
+ /**
+ * System default. Simple mode if SELinux is not supported or disabled
+ * on the system.
+ */
+ SEC_LABEL_MODE_SYSTEM,
+
+ /**
+ * Simple mode that does establish regular CHILD_SAs, matches labels exactly
+ * and does not install them in the kernel.
+ */
+ SEC_LABEL_MODE_SIMPLE,
+
+ /**
+ * SELinux mode where configured labels are installed on (trap) policies,
+ * labels from acquires/peer on SAs, child-less IKE_SAs are initiated
+ * if there is no acquire, labels are also matched via polmatch.
+ */
+ SEC_LABEL_MODE_SELINUX,
+};
+
+/**
+ * Names for security label modes.
+ */
+extern enum_name_t *sec_label_mode_names;
+
 /**
 * Representation of a security label used on policies/SAs.
 *
@@ -122,4 +153,20 @@ static inline bool sec_labels_equal(sec_label_t *a, sec_label_t *b)
 return (!a && !b) || (a && a->equals(a, b));
 }
+/**
+ * Try to parse a security label mode from the given string.
+ *
+ * @param value string to parse
+ * @param mode parsed mode
+ * @return TRUE if mode is valid (and usable on system)
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode);
+
+/**
+ * Get the system default security label mode.
+ *
+ * @return default mode
+ */
+sec_label_mode_t sec_label_mode_default();
+
 #endif /** SEC_LABEL_H_ @}*/
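Review bot: The `@param mode parsed mode` line on sec_label_mode_from_string does not say what `*mode` holds when FALSE is returned; as implemented in sec_label.c the value is stored before the usability check, so `@param mode parsed mode, only valid if TRUE is returned` (or "left untouched on failure", if the implementation is changed to guarantee that) is what a caller needs to read here. The same comment should also note that "system" parses to SEC_LABEL_MODE_SYSTEM without being resolved, so a caller wanting the effective mode still has to call sec_label_mode_default(). The enclosing #ifndef/#endif guard starts before this hunk.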