Network data traverses the network stack in packets encapsulated by a structure called an sk_buff (socket buffer). The sk_buff structure provides storage for packet data and related state information, and is considered to be owned by the current layer of the network stack.
LSM adds an opaque security field to the sk_buff structure, so that security state may be managed across network layers on a per-packet basis.
A set of sk_buff hooks is provided for lifecycle management of the security field. For LSM, the critical lifecycle events for an sk_buff are:
Hooks are provided for each of these events, although they are only intended to be used for maintaining the security field data. Encoding, decoding and interpretation of the security field data is performed by layer-specific hooks such as the socket and network layer hooks.
Generally, the sk_buff hooks and security field only need to be used when the security state of a packet must be managed between layers of the network stack. Examples of such cases include labeled networking via IP options and management of nested IPSec Security Associations.
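The division of labor described above, with the sk_buff lifecycle hooks maintaining an opaque per-packet field and only layer-specific hooks decoding it, can be illustrated with a small userspace model. The following C program is an added example and is not code from the LSM patch or the kernel: the struct, hook names and the three-level sensitivity label are simplified stand-ins chosen for illustration. It models the events that affect the field (allocation, clone, copy, free), shares one label object between an sk_buff and its clones, and gives a relabeling operation copy-on-write semantics so that relabeling a clone never silently changes the original packet's state.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model of an sk_buff with an opaque security field (not the kernel's struct). */
struct sk_buff {
    unsigned char *data;   /* payload; shared between clones, duplicated by copy */
    size_t len;
    int *dataref;          /* users of the shared payload */
    void *security;        /* opaque to the stack; only the module looks inside */
};

/* Simplified stand-in for the sk_buff lifecycle hooks a module supplies. */
struct skb_security_ops {
    int  (*alloc_security)(struct sk_buff *skb);
    void (*clone)(struct sk_buff *n, const struct sk_buff *old);
    void (*copy)(struct sk_buff *n, const struct sk_buff *old);
    void (*free_security)(struct sk_buff *skb);
};

/* --- example module: a reference-counted sensitivity label per packet --- */
struct pkt_label { int refs; int level; };   /* 0 = unlabeled, 1 = confidential, 2 = secret */
static int labels_live;                      /* live label objects, to catch leaks and double frees */

static int mod_alloc(struct sk_buff *skb) {
    struct pkt_label *l = calloc(1, sizeof *l);
    if (!l) return -1;
    l->refs = 1;                             /* level stays 0: a fresh packet is unlabeled */
    labels_live++;
    skb->security = l;
    return 0;
}
/* A clone shares the packet with its original, so it shares the label object too. */
static void mod_clone(struct sk_buff *n, const struct sk_buff *old) {
    struct pkt_label *l = old->security;
    l->refs++;
    n->security = l;
}
/* A copy is an independent packet: give it its own label carrying the same value. */
static void mod_copy(struct sk_buff *n, const struct sk_buff *old) {
    if (mod_alloc(n) == 0)
        ((struct pkt_label *)n->security)->level = ((struct pkt_label *)old->security)->level;
}
static void mod_free(struct sk_buff *skb) {
    struct pkt_label *l = skb->security;
    if (l && --l->refs == 0) { free(l); labels_live--; }
    skb->security = NULL;
}
static const struct skb_security_ops model_ops = { mod_alloc, mod_clone, mod_copy, mod_free };
static const struct skb_security_ops *security_ops = &model_ops;

/* --- stack side: lifecycle events call the hooks and never touch ->security --- */
static struct sk_buff *skb_new(size_t len) {
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb) return NULL;
    skb->data = calloc(len ? len : 1, 1);
    skb->dataref = malloc(sizeof *skb->dataref);
    if (!skb->data || !skb->dataref) { free(skb->data); free(skb->dataref); free(skb); return NULL; }
    *skb->dataref = 1;
    skb->len = len;
    return skb;
}
void kfree_skb(struct sk_buff *skb) {
    if (!skb) return;
    security_ops->free_security(skb);
    if (--*skb->dataref == 0) { free(skb->data); free(skb->dataref); }
    free(skb);
}
struct sk_buff *alloc_skb(size_t len) {
    struct sk_buff *skb = skb_new(len);
    if (skb && security_ops->alloc_security(skb)) { kfree_skb(skb); return NULL; }
    return skb;
}
struct sk_buff *skb_clone(struct sk_buff *old) {
    struct sk_buff *n = malloc(sizeof *n);
    if (!n) return NULL;
    *n = *old;                               /* new header, same payload */
    (*n->dataref)++;
    security_ops->clone(n, old);
    return n;
}
struct sk_buff *skb_copy(const struct sk_buff *old) {
    struct sk_buff *n = skb_new(old->len);
    if (!n) return NULL;
    memcpy(n->data, old->data, old->len);
    security_ops->copy(n, old);
    if (!n->security) { kfree_skb(n); return NULL; }
    return n;
}

/* --- layer-specific hooks: the only code that decodes the opaque field --- */
/* Relabel with copy-on-write, so relabeling a clone leaves its original untouched. */
int skb_set_level(struct sk_buff *skb, int level) {
    struct pkt_label *l = skb->security;
    if (!l || level < 0 || level > 2) return -1;
    if (l->refs > 1) {                       /* shared with a clone: detach first */
        l->refs--;
        if (mod_alloc(skb)) { l->refs++; return -1; }
        l = skb->security;
    }
    l->level = level;
    return 0;
}
int skb_level(const struct sk_buff *skb) { struct pkt_label *l = skb->security; return l ? l->level : -1; }
/* Socket-layer check: deliver only if the socket's clearance dominates the packet label. */
int skb_may_deliver(const struct sk_buff *skb, int sock_clearance) {
    int lv = skb_level(skb);
    return lv >= 0 && lv <= sock_clearance;
}
int labels_in_use(void) { return labels_live; }
```

The point of the copy-on-write branch in `skb_set_level` is the failure mode a real module must handle: once a clone shares a label object with its original, an in-place relabel at one layer would change what another layer later reads from the original packet.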