child-cfg: Add optional security label and mode

2025-10-05 00:00:45 -04:00 · 2021-12-20 13:49:56 +01:00 · 2021-12-20 13:49:56 +01:00 · ef72ac88c3
commit ef72ac88c3
parent bf0542c4e1
2 changed files with 49 additions and 1 deletions
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@ -143,6 +143,16 @@ struct private_child_cfg_t {
 	 */
 	mark_t set_mark_out;

+	/**
+	 * Optional security label for policies
+	 */
+	sec_label_t *label;
+
+	/**
+	 * Optional label mode for policies
+	 */
+	sec_label_mode_t label_mode;
+
 	/**
 	 * Traffic Flow Confidentiality padding, if enabled
 	 */
@ -522,6 +532,18 @@ METHOD(child_cfg_t, get_set_mark, mark_t,
 	return inbound ? this->set_mark_in : this->set_mark_out;
 }

+METHOD(child_cfg_t, get_label, sec_label_t*,
+	private_child_cfg_t *this)
+{
+	return this->label;
+}
+
+METHOD(child_cfg_t, get_label_mode, sec_label_mode_t,
+	private_child_cfg_t *this)
+{
+	return this->label_mode;
+}
+
 METHOD(child_cfg_t, get_tfc, uint32_t,
 	private_child_cfg_t *this)
 {
@ -607,7 +629,9 @@ METHOD(child_cfg_t, equals, bool,
 		this->hw_offload == other->hw_offload &&
 		this->copy_dscp == other->copy_dscp &&
 		streq(this->updown, other->updown) &&
-		streq(this->interface, other->interface);
+		streq(this->interface, other->interface) &&
+		sec_labels_equal(this->label, other->label) &&
+		this->label_mode == other->label_mode;
 }

 METHOD(child_cfg_t, get_ref, child_cfg_t*,
@ -625,6 +649,7 @@ METHOD(child_cfg_t, destroy, void,
 		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 		this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
 		this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+		DESTROY_IF(this->label);
 		free(this->updown);
 		free(this->interface);
 		free(this->name);
@ -659,6 +684,8 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 			.get_if_id = _get_if_id,
 			.get_mark = _get_mark,
 			.get_set_mark = _get_set_mark,
+			.get_label = _get_label,
+			.get_label_mode = _get_label_mode,
 			.get_tfc = _get_tfc,
 			.get_manual_prio = _get_manual_prio,
 			.get_interface = _get_interface,
@ -685,6 +712,9 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 		.mark_out = data->mark_out,
 		.set_mark_in = data->set_mark_in,
 		.set_mark_out = data->set_mark_out,
+		.label = data->label ? data->label->clone(data->label) : NULL,
+		.label_mode = data->label_mode != SEC_LABEL_MODE_SYSTEM ?
+								data->label_mode : sec_label_mode_default(),
 		.lifetime = data->lifetime,
 		.inactivity = data->inactivity,
 		.tfc = data->tfc,
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@ -247,6 +247,20 @@ struct child_cfg_t {
 	 */
 	mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);

+	/**
+	 * Optional security label to be configured on policies.
+	 *
+	 * @return				label or NULL
+	 */
+	sec_label_t *(*get_label)(child_cfg_t *this);
+
+	/**
+	 * Get the mode in which the security label is used.
+	 *
+	 * @return				label mode (never SEC_LABEL_MODE_SYSTEM)
+	 */
+	sec_label_mode_t (*get_label_mode)(child_cfg_t *this);
+
 	/**
 	 * Get the TFC padding value to use for CHILD_SA.
 	 *
@ -367,6 +381,10 @@ struct child_cfg_create_t {
 	mark_t set_mark_in;
 	/** Optional outbound mark the SA should apply to traffic */
 	mark_t set_mark_out;
+	/** Optional security label configured on policies (cloned) */
+	sec_label_t *label;
+	/** Optional security label mode */
+	sec_label_mode_t label_mode;
 	/** Mode to propose for CHILD_SA */
 	ipsec_mode_t mode;
 	/** TFC padding size, 0 to disable, -1 to pad to PMTU */