1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/*
3 * NetLabel Unlabeled Support
4 *
5 * This file defines functions for dealing with unlabeled packets for the
6 * NetLabel system. The NetLabel system manages static and dynamic label
7 * mappings for network protocols such as CIPSO and RIPSO.
8 *
9 * Author: Paul Moore <paul@paul-moore.com>
10 */
11
12/*
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14 */
15
16#ifndef _NETLABEL_UNLABELED_H
17#define _NETLABEL_UNLABELED_H
18
19#include <net/netlabel.h>
20
21/*
22 * The following NetLabel payloads are supported by the Unlabeled subsystem.
23 *
24 * o STATICADD
25 * This message is sent from an application to add a new static label for
26 * incoming unlabeled connections.
27 *
28 * Required attributes:
29 *
30 * NLBL_UNLABEL_A_IFACE
31 * NLBL_UNLABEL_A_SECCTX
32 *
33 * If IPv4 is specified the following attributes are required:
34 *
35 * NLBL_UNLABEL_A_IPV4ADDR
36 * NLBL_UNLABEL_A_IPV4MASK
37 *
38 * If IPv6 is specified the following attributes are required:
39 *
40 * NLBL_UNLABEL_A_IPV6ADDR
41 * NLBL_UNLABEL_A_IPV6MASK
42 *
43 * o STATICREMOVE
44 * This message is sent from an application to remove an existing static
45 * label for incoming unlabeled connections.
46 *
47 * Required attributes:
48 *
49 * NLBL_UNLABEL_A_IFACE
50 *
51 * If IPv4 is specified the following attributes are required:
52 *
53 * NLBL_UNLABEL_A_IPV4ADDR
54 * NLBL_UNLABEL_A_IPV4MASK
55 *
56 * If IPv6 is specified the following attributes are required:
57 *
58 * NLBL_UNLABEL_A_IPV6ADDR
59 * NLBL_UNLABEL_A_IPV6MASK
60 *
61 * o STATICLIST
62 * This message can be sent either from an application or by the kernel in
63 * response to an application generated STATICLIST message. When sent by an
64 * application there is no payload and the NLM_F_DUMP flag should be set.
65 * The kernel should response with a series of the following messages.
66 *
67 * Required attributes:
68 *
69 * NLBL_UNLABEL_A_IFACE
70 * NLBL_UNLABEL_A_SECCTX
71 *
72 * If IPv4 is specified the following attributes are required:
73 *
74 * NLBL_UNLABEL_A_IPV4ADDR
75 * NLBL_UNLABEL_A_IPV4MASK
76 *
77 * If IPv6 is specified the following attributes are required:
78 *
79 * NLBL_UNLABEL_A_IPV6ADDR
80 * NLBL_UNLABEL_A_IPV6MASK
81 *
82 * o STATICADDDEF
83 * This message is sent from an application to set the default static
84 * label for incoming unlabeled connections.
85 *
86 * Required attribute:
87 *
88 * NLBL_UNLABEL_A_SECCTX
89 *
90 * If IPv4 is specified the following attributes are required:
91 *
92 * NLBL_UNLABEL_A_IPV4ADDR
93 * NLBL_UNLABEL_A_IPV4MASK
94 *
95 * If IPv6 is specified the following attributes are required:
96 *
97 * NLBL_UNLABEL_A_IPV6ADDR
98 * NLBL_UNLABEL_A_IPV6MASK
99 *
100 * o STATICREMOVEDEF
101 * This message is sent from an application to remove the existing default
102 * static label for incoming unlabeled connections.
103 *
104 * If IPv4 is specified the following attributes are required:
105 *
106 * NLBL_UNLABEL_A_IPV4ADDR
107 * NLBL_UNLABEL_A_IPV4MASK
108 *
109 * If IPv6 is specified the following attributes are required:
110 *
111 * NLBL_UNLABEL_A_IPV6ADDR
112 * NLBL_UNLABEL_A_IPV6MASK
113 *
114 * o STATICLISTDEF
115 * This message can be sent either from an application or by the kernel in
116 * response to an application generated STATICLISTDEF message. When sent by
117 * an application there is no payload and the NLM_F_DUMP flag should be set.
118 * The kernel should response with the following message.
119 *
120 * Required attribute:
121 *
122 * NLBL_UNLABEL_A_SECCTX
123 *
124 * If IPv4 is specified the following attributes are required:
125 *
126 * NLBL_UNLABEL_A_IPV4ADDR
127 * NLBL_UNLABEL_A_IPV4MASK
128 *
129 * If IPv6 is specified the following attributes are required:
130 *
131 * NLBL_UNLABEL_A_IPV6ADDR
132 * NLBL_UNLABEL_A_IPV6MASK
133 *
134 * o ACCEPT
135 * This message is sent from an application to specify if the kernel should
136 * allow unlabled packets to pass if they do not match any of the static
137 * mappings defined in the unlabeled module.
138 *
139 * Required attributes:
140 *
141 * NLBL_UNLABEL_A_ACPTFLG
142 *
143 * o LIST
144 * This message can be sent either from an application or by the kernel in
145 * response to an application generated LIST message. When sent by an
146 * application there is no payload. The kernel should respond to a LIST
147 * message with a LIST message on success.
148 *
149 * Required attributes:
150 *
151 * NLBL_UNLABEL_A_ACPTFLG
152 *
153 */
154
155/* NetLabel Unlabeled commands */
156enum {
157 NLBL_UNLABEL_C_UNSPEC,
158 NLBL_UNLABEL_C_ACCEPT,
159 NLBL_UNLABEL_C_LIST,
160 NLBL_UNLABEL_C_STATICADD,
161 NLBL_UNLABEL_C_STATICREMOVE,
162 NLBL_UNLABEL_C_STATICLIST,
163 NLBL_UNLABEL_C_STATICADDDEF,
164 NLBL_UNLABEL_C_STATICREMOVEDEF,
165 NLBL_UNLABEL_C_STATICLISTDEF,
166 __NLBL_UNLABEL_C_MAX,
167};
168
169/* NetLabel Unlabeled attributes */
170enum {
171 NLBL_UNLABEL_A_UNSPEC,
172 NLBL_UNLABEL_A_ACPTFLG,
173 /* (NLA_U8)
174 * if true then unlabeled packets are allowed to pass, else unlabeled
175 * packets are rejected */
176 NLBL_UNLABEL_A_IPV6ADDR,
177 /* (NLA_BINARY, struct in6_addr)
178 * an IPv6 address */
179 NLBL_UNLABEL_A_IPV6MASK,
180 /* (NLA_BINARY, struct in6_addr)
181 * an IPv6 address mask */
182 NLBL_UNLABEL_A_IPV4ADDR,
183 /* (NLA_BINARY, struct in_addr)
184 * an IPv4 address */
185 NLBL_UNLABEL_A_IPV4MASK,
186 /* (NLA_BINARY, struct in_addr)
187 * and IPv4 address mask */
188 NLBL_UNLABEL_A_IFACE,
189 /* (NLA_NULL_STRING)
190 * network interface */
191 NLBL_UNLABEL_A_SECCTX,
192 /* (NLA_BINARY)
193 * a LSM specific security context */
194 __NLBL_UNLABEL_A_MAX,
195};
196#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
197
198/* NetLabel protocol functions */
199int netlbl_unlabel_genl_init(void);
200
201/* Unlabeled connection hash table size */
202/* XXX - currently this number is an uneducated guess */
203#define NETLBL_UNLHSH_BITSIZE 7
204
205/* General Unlabeled init function */
206int netlbl_unlabel_init(u32 size);
207
208/* Static/Fallback label management functions */
209int netlbl_unlhsh_add(struct net *net,
210 const char *dev_name,
211 const void *addr,
212 const void *mask,
213 u32 addr_len,
214 u32 secid,
215 struct netlbl_audit *audit_info);
216int netlbl_unlhsh_remove(struct net *net,
217 const char *dev_name,
218 const void *addr,
219 const void *mask,
220 u32 addr_len,
221 struct netlbl_audit *audit_info);
222
223/* Process Unlabeled incoming network packets */
224int netlbl_unlabel_getattr(const struct sk_buff *skb,
225 u16 family,
226 struct netlbl_lsm_secattr *secattr);
227
228/* Set the default configuration to allow Unlabeled packets */
229int netlbl_unlabel_defconf(void);
230
231#endif
232

source code of linux/net/netlabel/netlabel_unlabeled.h