[PATCH] smack: dont compile ipv6 code unless ipv6 is configured

Konstantin Andreev andreev at swemel.ru
Sun Jan 26 22:06:45 UTC 2025


Casey Schaufler, 26 Jan 2025:
> On 1/26/2025 6:15 AM, Konstantin Andreev wrote:
>> Casey Schaufler, 21 Jan 2025:
>>> On 1/17/2025 8:36 AM, Konstantin Andreev wrote:
>>>> I want to be sure that ipv6-specific code
>>>> is not compiled in kernel binaries
>>>> if ipv6 is not configured.
>>>
>>> The IPv6 Smack support really ought to be replaced with an
>>> implementation of CALIPSO, now that it is available. The
>>> conditional compilations that already exist have drawn no
>>> small amount of well founded criticism. I will most likely
>>> take this patch, but if you want to be extremely helpful
>>> you could have a shot at CALIPSO for Smack.
>>
>> Actually, I am sharing the changes
>> I have made to SMACK along the way,
>> during development of another feature.
> 
> Thank you for the work you're doing. 
> I'm curious about your "other feature".

Well, you may remember the concept of multilevel ports,
which goes back to Trusted Solaris (2.5, as far as I know).

It is an approach that allows a single instance of a trusted service
to serve clients with different labels.

Given the idea, we decided to make “multilevel” not the port,
but the process, and we limited protocol support to
tcp/ipv4 and unix/stream.

Implementing this in SMACK turned out to be very simple,
and we found the result highly useful in our use cases.

I guess that the `@' label was invented for a similar goal,
but we consider the `@' approach less secure.

The interfaces we created are not yet stable,
and the feature isn't generic enough to be offered
for public use.
-- 
Regards, Konstantin Andreev


