Commit 593733ab authored by Mauro Carvalho Chehab, committed by Jonathan Corbet

docs: netlabel: convert docs to ReST and rename to *.rst

Convert netlabel documentation to ReST.

This was trivial: just add proper title markups.

At its new index.rst, let's add a :orphan: while this is not linked to
the main index.rst file, in order to avoid build warnings.

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
parent 09bbf055
===================================
NetLabel CIPSO/IPv4 Protocol Engine NetLabel CIPSO/IPv4 Protocol Engine
============================================================================== ===================================
Paul Moore, paul.moore@hp.com Paul Moore, paul.moore@hp.com
May 17, 2006 May 17, 2006
* Overview Overview
========
The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
IP Security Option (CIPSO) draft from July 16, 1992. A copy of this IP Security Option (CIPSO) draft from July 16, 1992. A copy of this
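Review bot: the byline under the new title in cipso_ipv4 ("Paul Moore, paul.moore@hp.com" and "May 17, 2006") is carried over unchanged, so in the built documentation it renders as ordinary body text. A field list with :Author: and :Date: entries would mark it as document metadata; the same applies to the identical bylines in the introduction and LSM interface files.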
...@@ -13,7 +16,8 @@ draft can be found in this directory ...@@ -13,7 +16,8 @@ draft can be found in this directory
it to an RFC standard it has become a de-facto standard for labeled it to an RFC standard it has become a de-facto standard for labeled
networking and is used in many trusted operating systems. networking and is used in many trusted operating systems.
* Outbound Packet Processing Outbound Packet Processing
==========================
The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket. This causes all packets leaving the adding the CIPSO label to the socket. This causes all packets leaving the
...@@ -24,7 +28,8 @@ label by using the NetLabel security module API; if the NetLabel "domain" is ...@@ -24,7 +28,8 @@ label by using the NetLabel security module API; if the NetLabel "domain" is
configured to use CIPSO for packet labeling then a CIPSO IP option will be configured to use CIPSO for packet labeling then a CIPSO IP option will be
generated and attached to the socket. generated and attached to the socket.
* Inbound Packet Processing Inbound Packet Processing
=========================
The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM. However, in order IP layer without any special handling required by the LSM. However, in order
...@@ -33,7 +38,8 @@ NetLabel security module API to extract the security attributes of the packet. ...@@ -33,7 +38,8 @@ NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()' This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook. LSM hook.
* Label Translation Label Translation
=================
The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes such as sensitivity level and category to values which are attributes such as sensitivity level and category to values which are
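Review bot: in the inbound-processing text of this hunk the hook name is still written with plain single quotes, 'socket_sock_rcv_skb()', which ReST renders as literal quote characters. Since the file is being converted anyway, use an inline literal (double backquotes) so the identifier is set in monospace.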
...@@ -42,7 +48,8 @@ Domain Of Interpretation (DOI) definition and are configured through the ...@@ -42,7 +48,8 @@ Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer. Each DOI definition can have a NetLabel user space communication layer. Each DOI definition can have a
different security attribute mapping table. different security attribute mapping table.
* Label Translation Cache Label Translation Cache
=======================
The NetLabel system provides a framework for caching security attribute The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers. The mappings from the network labels to the corresponding LSM identifiers. The
......
Draft IETF CIPSO IP Security
----------------------------
.. include:: draft-ietf-cipso-ipsecurity-01.txt
:literal:
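Review bot: the title of the new draft page ("Draft IETF CIPSO IP Security") uses only a "----" underline, while every other file in this patch marks its document title with "====" above and below the text. Use the same overline and underline style here so the title adornment is consistent across the toctree entries.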
:orphan:
========
NetLabel
========
.. toctree::
:maxdepth: 1
introduction
cipso_ipv4
lsm_interface
draft_ietf
.. only:: subproject and html
Indices
=======
* :ref:`genindex`
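Review bot: the ":orphan:" at the top of the new index.rst is, per the commit message, only there while the file is not linked from the main index.rst, but nothing in the file records that. Add a short ReST comment next to it saying when it can be dropped, or link the directory from a parent toctree in the same series, so the marker does not outlive its purpose.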
=====================
NetLabel Introduction NetLabel Introduction
============================================================================== =====================
Paul Moore, paul.moore@hp.com Paul Moore, paul.moore@hp.com
August 2, 2006 August 2, 2006
* Overview Overview
========
NetLabel is a mechanism which can be used by kernel security modules to attach NetLabel is a mechanism which can be used by kernel security modules to attach
security attributes to outgoing network packets generated from user space security attributes to outgoing network packets generated from user space
...@@ -12,7 +15,8 @@ applications and read security attributes from incoming network packets. It ...@@ -12,7 +15,8 @@ applications and read security attributes from incoming network packets. It
is composed of three main components, the protocol engines, the communication is composed of three main components, the protocol engines, the communication
layer, and the kernel security module API. layer, and the kernel security module API.
* Protocol Engines Protocol Engines
================
The protocol engines are responsible for both applying and retrieving the The protocol engines are responsible for both applying and retrieving the
network packet's security attributes. If any translation between the network network packet's security attributes. If any translation between the network
...@@ -24,7 +28,8 @@ the NetLabel kernel security module API described below. ...@@ -24,7 +28,8 @@ the NetLabel kernel security module API described below.
Detailed information about each NetLabel protocol engine can be found in this Detailed information about each NetLabel protocol engine can be found in this
directory. directory.
* Communication Layer Communication Layer
===================
The communication layer exists to allow NetLabel configuration and monitoring The communication layer exists to allow NetLabel configuration and monitoring
from user space. The NetLabel communication layer uses a message based from user space. The NetLabel communication layer uses a message based
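Review bot: "Detailed information about each NetLabel protocol engine can be found in this directory." is left as is in this hunk, but a reader of the built HTML has no directory to look in. Replace it with a cross-reference to the protocol engine page (cipso_ipv4 in the new toctree), for example with a :doc: role.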
...@@ -33,7 +38,8 @@ formatting of these NetLabel messages as well as the Generic NETLINK family ...@@ -33,7 +38,8 @@ formatting of these NetLabel messages as well as the Generic NETLINK family
names can be found in the 'net/netlabel/' directory as comments in the names can be found in the 'net/netlabel/' directory as comments in the
header files as well as in 'include/net/netlabel.h'. header files as well as in 'include/net/netlabel.h'.
* Security Module API Security Module API
===================
The purpose of the NetLabel security module API is to provide a protocol The purpose of the NetLabel security module API is to provide a protocol
independent interface to the underlying NetLabel protocol engines. In addition independent interface to the underlying NetLabel protocol engines. In addition
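Review bot: the paths in the communication-layer paragraph, 'net/netlabel/' and 'include/net/netlabel.h', keep their plain single quotes from the text file. Mark them as inline literals (double backquotes) as part of the conversion; the same quoting appears for 'include/net/netlabel.h' in the LSM interface overview.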
......
========================================
NetLabel Linux Security Module Interface NetLabel Linux Security Module Interface
============================================================================== ========================================
Paul Moore, paul.moore@hp.com Paul Moore, paul.moore@hp.com
May 17, 2006 May 17, 2006
* Overview Overview
========
NetLabel is a mechanism which can set and retrieve security attributes from NetLabel is a mechanism which can set and retrieve security attributes from
network packets. It is intended to be used by LSM developers who want to make network packets. It is intended to be used by LSM developers who want to make
...@@ -12,7 +15,8 @@ use of a common code base for several different packet labeling protocols. ...@@ -12,7 +15,8 @@ use of a common code base for several different packet labeling protocols.
The NetLabel security module API is defined in 'include/net/netlabel.h' but a The NetLabel security module API is defined in 'include/net/netlabel.h' but a
brief overview is given below. brief overview is given below.
* NetLabel Security Attributes NetLabel Security Attributes
============================
Since NetLabel supports multiple different packet labeling protocols and LSMs Since NetLabel supports multiple different packet labeling protocols and LSMs
it uses the concept of security attributes to refer to the packet's security it uses the concept of security attributes to refer to the packet's security
...@@ -24,7 +28,8 @@ configuration. It is up to the LSM developer to translate the NetLabel ...@@ -24,7 +28,8 @@ configuration. It is up to the LSM developer to translate the NetLabel
security attributes into whatever security identifiers are in use for their security attributes into whatever security identifiers are in use for their
particular LSM. particular LSM.
* NetLabel LSM Protocol Operations NetLabel LSM Protocol Operations
================================
These are the functions which allow the LSM developer to manipulate the labels These are the functions which allow the LSM developer to manipulate the labels
on outgoing packets as well as read the labels on incoming packets. Functions on outgoing packets as well as read the labels on incoming packets. Functions
...@@ -32,7 +37,8 @@ exist to operate both on sockets as well as the sk_buffs directly. These high ...@@ -32,7 +37,8 @@ exist to operate both on sockets as well as the sk_buffs directly. These high
level functions are translated into low level protocol operations based on how level functions are translated into low level protocol operations based on how
the administrator has configured the NetLabel subsystem. the administrator has configured the NetLabel subsystem.
* NetLabel Label Mapping Cache Operations NetLabel Label Mapping Cache Operations
=======================================
Depending on the exact configuration, translation between the network packet Depending on the exact configuration, translation between the network packet
label and the internal LSM security identifier can be time consuming. The label and the internal LSM security identifier can be time consuming. The
......