sec-label: Add enum for security label mode

2025-10-05 00:00:45 -04:00 · 2022-01-27 14:49:39 +01:00 · 2022-01-27 14:49:39 +01:00 · 2dd60e4946
commit 2dd60e4946
parent decfe44433
2 changed files with 78 additions and 0 deletions
--- a/src/libstrongswan/selectors/sec_label.c
+++ b/src/libstrongswan/selectors/sec_label.c
@ -28,6 +28,12 @@

 #include "sec_label.h"

+ENUM(sec_label_mode_names, SEC_LABEL_MODE_SYSTEM, SEC_LABEL_MODE_SELINUX,
+	"system",
+	"simple",
+	"selinux",
+);
+
 typedef struct private_sec_label_t private_sec_label_t;

 /**
@ -195,3 +201,28 @@ sec_label_t *sec_label_from_string(const char *value)
 	}
 	return sec_label_from_encoding(chunk_create((char*)value, strlen(value)+1));
 }
+
+/*
+ * Described in header
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode)
+{
+	sec_label_mode_t def = sec_label_mode_default();
+
+	return enum_from_name(sec_label_mode_names, value, mode) &&
+		(def == SEC_LABEL_MODE_SELINUX || *mode != SEC_LABEL_MODE_SELINUX);
+}
+
+/*
+ * Described in header
+ */
+sec_label_mode_t sec_label_mode_default()
+{
+#ifdef USE_SELINUX
+	if (is_selinux_enabled())
+	{
+		return SEC_LABEL_MODE_SELINUX;
+	}
+#endif
+	return SEC_LABEL_MODE_SIMPLE;
+}
--- a/src/libstrongswan/selectors/sec_label.h
+++ b/src/libstrongswan/selectors/sec_label.h
@ -28,10 +28,41 @@
 #ifndef SEC_LABEL_H_
 #define SEC_LABEL_H_

+typedef enum sec_label_mode_t sec_label_mode_t;
 typedef struct sec_label_t sec_label_t;

 #include <library.h>

+/**
+ * Mode in which security labels are used.
+ */
+enum sec_label_mode_t {
+
+	/**
+	 * System default.  Simple mode if SELinux is not supported or disabled
+	 * on the system.
+	 */
+	SEC_LABEL_MODE_SYSTEM,
+
+	/**
+	 * Simple mode that does establish regular CHILD_SAs, matches labels exactly
+	 * and does not install them in the kernel.
+	 */
+	SEC_LABEL_MODE_SIMPLE,
+
+	/**
+	 * SELinux mode where configured labels are installed on (trap) policies,
+	 * labels from acquires/peer on SAs, child-less IKE_SAs are initiated
+	 * if there is no acquire, labels are also matched via polmatch.
+	 */
+	SEC_LABEL_MODE_SELINUX,
+};
+
+/**
+ * Names for security label modes.
+ */
+extern enum_name_t *sec_label_mode_names;
+
 /**
 * Representation of a security label used on policies/SAs.
 *
@ -122,4 +153,20 @@ static inline bool sec_labels_equal(sec_label_t *a, sec_label_t *b)
 	return (!a && !b) || (a && a->equals(a, b));
 }

+/**
+ * Try to parse a security label mode from the given string.
+ *
+ * @param value			string to parse
+ * @param mode			parsed mode
+ * @return				TRUE if mode is valid (and usable on system)
+ */
+bool sec_label_mode_from_string(const char *value, sec_label_mode_t *mode);
+
+/**
+ * Get the system default security label mode.
+ *
+ * @return				default mode
+ */
+sec_label_mode_t sec_label_mode_default();
+
 #endif /** SEC_LABEL_H_ @}*/