1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
2 | /* |
3 | * NetLabel Unlabeled Support |
4 | * |
5 | * This file defines functions for dealing with unlabeled packets for the |
6 | * NetLabel system. The NetLabel system manages static and dynamic label |
7 | * mappings for network protocols such as CIPSO and RIPSO. |
8 | * |
9 | * Author: Paul Moore <paul@paul-moore.com> |
10 | */ |
11 | |
12 | /* |
13 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 |
14 | */ |
15 | |
16 | #ifndef _NETLABEL_UNLABELED_H |
17 | #define _NETLABEL_UNLABELED_H |
18 | |
19 | #include <net/netlabel.h> |
20 | |
21 | /* |
22 | * The following NetLabel payloads are supported by the Unlabeled subsystem. |
23 | * |
24 | * o STATICADD |
25 | * This message is sent from an application to add a new static label for |
26 | * incoming unlabeled connections. |
27 | * |
28 | * Required attributes: |
29 | * |
30 | * NLBL_UNLABEL_A_IFACE |
31 | * NLBL_UNLABEL_A_SECCTX |
32 | * |
33 | * If IPv4 is specified the following attributes are required: |
34 | * |
35 | * NLBL_UNLABEL_A_IPV4ADDR |
36 | * NLBL_UNLABEL_A_IPV4MASK |
37 | * |
38 | * If IPv6 is specified the following attributes are required: |
39 | * |
40 | * NLBL_UNLABEL_A_IPV6ADDR |
41 | * NLBL_UNLABEL_A_IPV6MASK |
42 | * |
43 | * o STATICREMOVE |
44 | * This message is sent from an application to remove an existing static |
45 | * label for incoming unlabeled connections. |
46 | * |
47 | * Required attributes: |
48 | * |
49 | * NLBL_UNLABEL_A_IFACE |
50 | * |
51 | * If IPv4 is specified the following attributes are required: |
52 | * |
53 | * NLBL_UNLABEL_A_IPV4ADDR |
54 | * NLBL_UNLABEL_A_IPV4MASK |
55 | * |
56 | * If IPv6 is specified the following attributes are required: |
57 | * |
58 | * NLBL_UNLABEL_A_IPV6ADDR |
59 | * NLBL_UNLABEL_A_IPV6MASK |
60 | * |
61 | * o STATICLIST |
62 | * This message can be sent either from an application or by the kernel in |
63 | * response to an application generated STATICLIST message. When sent by an |
64 | * application there is no payload and the NLM_F_DUMP flag should be set. |
 * The kernel should respond with a series of the following messages.
66 | * |
67 | * Required attributes: |
68 | * |
69 | * NLBL_UNLABEL_A_IFACE |
70 | * NLBL_UNLABEL_A_SECCTX |
71 | * |
72 | * If IPv4 is specified the following attributes are required: |
73 | * |
74 | * NLBL_UNLABEL_A_IPV4ADDR |
75 | * NLBL_UNLABEL_A_IPV4MASK |
76 | * |
77 | * If IPv6 is specified the following attributes are required: |
78 | * |
79 | * NLBL_UNLABEL_A_IPV6ADDR |
80 | * NLBL_UNLABEL_A_IPV6MASK |
81 | * |
82 | * o STATICADDDEF |
83 | * This message is sent from an application to set the default static |
84 | * label for incoming unlabeled connections. |
85 | * |
86 | * Required attribute: |
87 | * |
88 | * NLBL_UNLABEL_A_SECCTX |
89 | * |
90 | * If IPv4 is specified the following attributes are required: |
91 | * |
92 | * NLBL_UNLABEL_A_IPV4ADDR |
93 | * NLBL_UNLABEL_A_IPV4MASK |
94 | * |
95 | * If IPv6 is specified the following attributes are required: |
96 | * |
97 | * NLBL_UNLABEL_A_IPV6ADDR |
98 | * NLBL_UNLABEL_A_IPV6MASK |
99 | * |
100 | * o STATICREMOVEDEF |
101 | * This message is sent from an application to remove the existing default |
102 | * static label for incoming unlabeled connections. |
103 | * |
104 | * If IPv4 is specified the following attributes are required: |
105 | * |
106 | * NLBL_UNLABEL_A_IPV4ADDR |
107 | * NLBL_UNLABEL_A_IPV4MASK |
108 | * |
109 | * If IPv6 is specified the following attributes are required: |
110 | * |
111 | * NLBL_UNLABEL_A_IPV6ADDR |
112 | * NLBL_UNLABEL_A_IPV6MASK |
113 | * |
114 | * o STATICLISTDEF |
115 | * This message can be sent either from an application or by the kernel in |
116 | * response to an application generated STATICLISTDEF message. When sent by |
117 | * an application there is no payload and the NLM_F_DUMP flag should be set. |
 * The kernel should respond with the following message.
119 | * |
120 | * Required attribute: |
121 | * |
122 | * NLBL_UNLABEL_A_SECCTX |
123 | * |
124 | * If IPv4 is specified the following attributes are required: |
125 | * |
126 | * NLBL_UNLABEL_A_IPV4ADDR |
127 | * NLBL_UNLABEL_A_IPV4MASK |
128 | * |
129 | * If IPv6 is specified the following attributes are required: |
130 | * |
131 | * NLBL_UNLABEL_A_IPV6ADDR |
132 | * NLBL_UNLABEL_A_IPV6MASK |
133 | * |
134 | * o ACCEPT |
135 | * This message is sent from an application to specify if the kernel should |
 * allow unlabeled packets to pass if they do not match any of the static
137 | * mappings defined in the unlabeled module. |
138 | * |
139 | * Required attributes: |
140 | * |
141 | * NLBL_UNLABEL_A_ACPTFLG |
142 | * |
143 | * o LIST |
144 | * This message can be sent either from an application or by the kernel in |
145 | * response to an application generated LIST message. When sent by an |
146 | * application there is no payload. The kernel should respond to a LIST |
147 | * message with a LIST message on success. |
148 | * |
149 | * Required attributes: |
150 | * |
151 | * NLBL_UNLABEL_A_ACPTFLG |
152 | * |
153 | */ |
154 | |
/* NetLabel Unlabeled commands
 *
 * Generic Netlink command values understood by the Unlabeled subsystem; the
 * payload each one carries is described in the header comment above.  These
 * values are exchanged with applications, so add new commands immediately
 * before the __NLBL_UNLABEL_C_MAX sentinel rather than reordering the list.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	/* reserved zero value, never a valid command */
	NLBL_UNLABEL_C_ACCEPT,
	/* set whether unlabeled packets that match no static mapping are
	 * allowed to pass (carries NLBL_UNLABEL_A_ACPTFLG) */
	NLBL_UNLABEL_C_LIST,
	/* query the accept flag; the kernel answers with a LIST message */
	NLBL_UNLABEL_C_STATICADD,
	/* add a static label for an interface and IPv4/IPv6 address/mask */
	NLBL_UNLABEL_C_STATICREMOVE,
	/* remove a static label for an interface and IPv4/IPv6 address/mask */
	NLBL_UNLABEL_C_STATICLIST,
	/* dump the static labels (NLM_F_DUMP); the kernel answers with a
	 * series of STATICLIST messages */
	NLBL_UNLABEL_C_STATICADDDEF,
	/* set the default static label for an IPv4/IPv6 address/mask */
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	/* remove the default static label for an IPv4/IPv6 address/mask */
	NLBL_UNLABEL_C_STATICLISTDEF,
	/* dump the default static labels (NLM_F_DUMP) */
	__NLBL_UNLABEL_C_MAX,
	/* sentinel, one past the last valid command */
};
168 | |
/* NetLabel Unlabeled attributes
 *
 * Netlink attribute types carried in the Unlabeled command payloads; the
 * netlink type and meaning of each attribute is noted next to its entry.
 * NLBL_UNLABEL_A_MAX below is the highest valid attribute type.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	/* reserved zero value, never a valid attribute */
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface name */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context */
	__NLBL_UNLABEL_A_MAX,
	/* sentinel, one past the last valid attribute */
};
/* highest valid attribute type */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
197 | |
/* NetLabel protocol functions
 *
 * NOTE(review): the functions declared below all return int; they are
 * assumed to follow the kernel convention of zero on success and a negative
 * value on failure - confirm against the definitions.
 */

/* Register the Unlabeled Generic Netlink commands with the NetLabel core. */
int netlbl_unlabel_genl_init(void);

/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* NOTE(review): named as a bit size, so presumably the table holds
 * 2^NETLBL_UNLHSH_BITSIZE buckets - confirm against netlbl_unlabel_init() */
#define NETLBL_UNLHSH_BITSIZE 7

/* General Unlabeled init function
 *
 * Initialize the Unlabeled subsystem.  @size is presumably the hash table
 * size derived from NETLBL_UNLHSH_BITSIZE - confirm against the caller. */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions
 *
 * netlbl_unlhsh_add() installs a static label for unlabeled traffic in
 * network namespace @net arriving on interface @dev_name from the
 * @addr/@mask range; netlbl_unlhsh_remove() deletes the matching entry.
 * @addr and @mask are opaque here; @addr_len presumably selects between the
 * IPv4 (struct in_addr) and IPv6 (struct in6_addr) forms that the STATICADD
 * payload description above allows - confirm in the definitions.
 * @secid is presumably the LSM secid corresponding to the
 * NLBL_UNLABEL_A_SECCTX context and @audit_info the audit context recorded
 * for the configuration change. */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets
 *
 * Fill @secattr for the unlabeled packet @skb of address family @family,
 * presumably from the static/default label mappings described above. */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
int netlbl_unlabel_defconf(void);
230 | |
231 | #endif |
232 | |