From: Tobias Brunner Date: Tue, 21 Dec 2021 10:56:32 +0000 (+0100) Subject: vici: Make security labels and mode configurable X-Git-Tag: 5.9.6rc1~3^2~6 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=7cf6f29ac5eac7d0759dc98101134d42796a2008;p=thirdparty%2Fstrongswan.git vici: Make security labels and mode configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index a7cd7f9d5e..3a783b822d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -563,6 +563,9 @@ static void log_child_data(child_data_t *data, char *name)
 cfg->set_mark_in.value, cfg->set_mark_in.mask);
 DBG2(DBG_CFG, " set_mark_out = %u/%u",
 cfg->set_mark_out.value, cfg->set_mark_out.mask);
+ DBG2(DBG_CFG, " label = %s",
+ cfg->label ? cfg->label->get_string(cfg->label) : NULL);
+ DBG2(DBG_CFG, " label_mode = %N", sec_label_mode_names, cfg->label_mode);
 DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
 DBG2(DBG_CFG, " proposals = %#P", data->proposals);
 DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
@@ -585,6 +588,7 @@ static void free_child_data(child_data_t *data)
 offsetof(traffic_selector_t, destroy));
 data->remote_ts->destroy_offset(data->remote_ts,
 offsetof(traffic_selector_t, destroy));
+ DESTROY_IF(data->cfg.label);
 free(data->cfg.updown);
 free(data->cfg.interface);
 }
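Review bot: The new `label` log line in the first hunk hands NULL to a `%s` conversion whenever no label is configured; whether that prints `(null)` or is undefined depends on the printf backend strongSwan is built against, which the hunk does not show. An explicit placeholder keeps the debug output well-defined on every backend, e.g. `cfg->label ? cfg->label->get_string(cfg->label) : "(none)"`. The `DESTROY_IF(data->cfg.label)` added to free_child_data in the second hunk correctly pairs with the allocation done by the new label parser. Both log_child_data and free_child_data start and end outside their hunks.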
@@ -1270,6 +1274,38 @@ CALLBACK(parse_if_id, bool,
 return if_id_from_string(buf, out);
 }
 
+/**
+ * Parse security label
+ */
+CALLBACK(parse_label, bool,
+ sec_label_t **out, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ *out = sec_label_from_string(buf);
+ return *out != NULL;
+}
+
+/**
+ * Parse security label mode
+ */
+CALLBACK(parse_label_mode, bool,
+ sec_label_mode_t *out, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)) ||
+ !sec_label_mode_from_string(buf, out))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
 /**
  * Parse TFC padding option
  */
@@ -1769,6 +1805,8 @@ CALLBACK(child_kv, bool,
 { "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
 { "if_id_in", parse_if_id, &child->cfg.if_id_in },
 { "if_id_out", parse_if_id, &child->cfg.if_id_out },
+ { "label", parse_label, &child->cfg.label },
+ { "label_mode", parse_label_mode, &child->cfg.label_mode },
 };
 
 return parse_rules(rules, countof(rules), name, value,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 082bf4cbb0..553831eca8 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
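Review bot: `parse_label` stores the result with `*out = sec_label_from_string(buf);` without releasing whatever `*out` already held, so a vici message that carries the `label` key more than once leaks the earlier `sec_label_t` (the DESTROY_IF in free_child_data only reaches the last one), and a failed parse of the second occurrence silently drops a previously valid label. Unless parse_rules rejects repeated keys, which is not visible here, a `DESTROY_IF(*out);` immediately before the assignment closes that gap. `parse_label_mode` writes through `out` only on success and is fine as written; both new callbacks are complete within the hunk, and the `child_kv` rules table in the second hunk merely registers them.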
@@ -1011,6 +1011,34 @@ connections..children..if_id_out = 0
 The daemon will not install routes for CHILD_SAs that have this option set.
 
+connections..children..label
+ Optional security label (e.g. SELinux context), IKEv2 only. Refer to
+ **label_mode** for details on how labels are processed.
+
+connections..children..label_mode = system
+ Security label mode (_system_, _simple_ or _selinux_), IKEv2 only.
+
+ Defines the mode in which the configured security label is used. The default
+ value of _system_ selects _selinux_ if strongSwan was built with SELinux
+ support and SELinux is enabled by the kernel, otherwise, _simple_ will be
+ selected.
+
+ If set to _simple_, the label will be used as is as an additional
+ identifier/selector on the IKEv2 level when negotiating CHILD_SAs and
+ selecting configs, labels are not installed in the kernel and received
+ labels have to match exactly.
+
+ If set to _selinux_, which is only allowed if SELinux is usable on the
+ system, the configured label is expected to be a generic context (e.g.
+ _system_u:object_r:ipsec_spd_t:s0_) for which flows, whose context match it
+ via association:polmatch, will trigger an acquire if no SA exists yet for
+ the flow's specific context. The configured label is installed on (trap)
+ policies, so this should generally be combined with _trap_ in
+ **start_action**. However, if the connection is initiated directly,
+ without acquire, a childless IKE_SA is established and appropriate trap
+ policies are installed on both ends. Labels received from peers are accepted
+ if they match the configured label via association:polmatch.
+
 connections..children..tfc_padding = 0
 Traffic Flow Confidentiality padding.