/*
 * NetLabel System
 *
 * The NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

#ifndef _NETLABEL_H
#define _NETLABEL_H

#include <linux/types.h>
#include <linux/skbuff.h>
#include <net/netlink.h>

/*
 * NetLabel - A management interface for maintaining network packet label
 * mapping tables for explicit packet labeling protocols.
 *
 * Network protocols such as CIPSO and RIPSO require a label translation layer
 * to convert the label on the packet into something meaningful on the host
 * machine. In the current Linux implementation these mapping tables live
 * inside the kernel; NetLabel provides a mechanism for user space applications
 * to manage these mapping tables.
 *
 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
 * send messages between kernel and user space. The general format of a
 * NetLabel message is shown below:
 *
 * +-----------------+-------------------+--------- --- -- -
 * | struct nlmsghdr | struct genlmsghdr | payload
 * +-----------------+-------------------+--------- --- -- -
 *
 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
* The payload depends on the subsystem selected by 'nlmsghdr->nlmsg_type'
 * (one of the NETLBL_NLTYPE_* values below); the supporting functions for a
 * subsystem belong in the corresponding net/netlabel/netlabel_<subsys>.h|c
 * file. All of the fields in the NetLabel payload are NETLINK attributes, the
 * length of each field is the length of the NETLINK attribute payload, see
 * include/net/netlink.h for more information on NETLINK attributes.
 *
 */

/*
 * NetLabel NETLINK protocol
 *
 * The values in this section are exchanged with user space over Generic
 * NETLINK, so they are presumably part of the kernel/user-space ABI:
 * renumbering a type or changing a family name string would break existing
 * user space tools.
 */

#define NETLBL_PROTO_VERSION		1

/*
 * NetLabel NETLINK types/families.  Each subsystem has a numeric id (carried
 * in nlmsghdr->nlmsg_type as described above) and a string that is
 * presumably the Generic NETLINK family name it registers under -- confirm
 * against the family registration in the matching netlabel_<subsys>.c.
 * Zero is kept free as the "no type" value.
 */
#define NETLBL_NLTYPE_NONE		0
#define NETLBL_NLTYPE_MGMT		1
#define NETLBL_NLTYPE_MGMT_NAME		"NLBL_MGMT"
#define NETLBL_NLTYPE_RIPSO		2
#define NETLBL_NLTYPE_RIPSO_NAME	"NLBL_RIPSO"
#define NETLBL_NLTYPE_CIPSOV4		3
#define NETLBL_NLTYPE_CIPSOV4_NAME	"NLBL_CIPSOv4"
#define NETLBL_NLTYPE_CIPSOV6		4
#define NETLBL_NLTYPE_CIPSOV6_NAME	"NLBL_CIPSOv6"
#define NETLBL_NLTYPE_UNLABELED		5
#define NETLBL_NLTYPE_UNLABELED_NAME	"NLBL_UNLBL"

/*
 * NetLabel return codes.  Only the success value is defined here; the
 * compiled-out stubs at the bottom of this header return negative errno
 * values (-ENOSYS), which suggests failures follow the usual negative-errno
 * convention -- confirm in net/netlabel/ before relying on it.
 */
#define NETLBL_E_OK			0

/*
 * Helper functions
 */

/*
 * Space consumed by one netlink attribute holding the given fixed-width
 * integer.  nla_total_size() accounts for the attribute header, the payload
 * and the alignment padding, so these are the amounts to add when sizing a
 * message buffer ahead of adding such attributes.
 */
#define NETLBL_LEN_U8 nla_total_size(sizeof(u8))
#define NETLBL_LEN_U16 nla_total_size(sizeof(u16))
#define NETLBL_LEN_U32 nla_total_size(sizeof(u32))

/**
 * netlbl_netlink_alloc_skb - Allocate a NETLINK message buffer
 * @head: the amount of headroom in bytes
 * @body: the desired size (minus headroom) in bytes
 * @gfp_flags: the alloc flags to pass to alloc_skb()
 *
 * Description:
 * Allocate a NETLINK message buffer that holds @head + @body bytes (rounded
 * up with NLMSG_ALIGN()).  If @head is non-zero, that many bytes are reserved
 * at the front with skb_reserve() and the tailroom that remains is checked
 * against @body; a buffer that can no longer hold the full body is released
 * rather than handed back short.  Returns a valid sk_buff pointer on
 * success, NULL on failure.  NOTE(review): @gfp_flags is declared int rather
 * than gfp_t; callers are expected to pass GFP_* values.
 *
 */
static inline struct sk_buff *netlbl_netlink_alloc_skb(size_t head,
						       size_t body,
						       int gfp_flags)
{
	struct sk_buff *nlbuf = alloc_skb(NLMSG_ALIGN(head + body), gfp_flags);

	if (nlbuf == NULL)
		return NULL;
	/* no headroom requested: the aligned allocation already covers @body */
	if (head == 0)
		return nlbuf;

	skb_reserve(nlbuf, head);
	/* after reserving the headroom the body must still fit in full,
	 * otherwise a caller trusting the size it asked for could write past
	 * the end of the buffer */
	if (skb_tailroom(nlbuf) >= body)
		return nlbuf;

	kfree_skb(nlbuf);
	return NULL;
}

/*
 * NetLabel - Kernel API for accessing the network packet label mappings.
*
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO. The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/*
 * Domain mapping definition struct.  Forward declaration only: the
 * definition lives inside net/netlabel/ and users of this header never need
 * to look inside it.
 */
struct netlbl_dom_map;

/*
 * Domain mapping operations.  netlbl_domhsh_remove() drops the mapping for
 * @domain; the int result is presumably zero on success and a negative
 * value on error -- confirm against its definition in net/netlabel/.
 */
int netlbl_domhsh_remove(const char *domain);

/* LSM security attributes */

/*
 * Opaque per-LSM cache entry embedded in a netlbl_lsm_secattr.  The LSM that
 * owns @data also supplies @free; netlbl_secattr_destroy() below calls
 * free(data) only when both are non-NULL and the caller asked for the cache
 * to be cleared, so the LSM keeps full control over that memory.
 */
struct netlbl_lsm_cache {
	void (*free) (const void *data);	/* releases @data; may be NULL */
	void *data;				/* LSM-private; may be NULL */
};

/*
 * Security attributes translated from, or destined for, a packet label.
 * @domain and @mls_cat are kfree()'d by netlbl_secattr_destroy(), so they
 * must be kmalloc-family allocations or NULL; nothing else in this header
 * allocates them.
 */
struct netlbl_lsm_secattr {
	char *domain;		/* domain name, kmalloc'd or NULL */

	u32 mls_lvl;		/* MLS level (semantics defined by the LSM) */
	u32 mls_lvl_vld;	/* presumably non-zero when @mls_lvl is valid
				 * -- confirm in netlabel_kapi.c */
	unsigned char *mls_cat;	/* MLS category buffer, kmalloc'd or NULL */
	size_t mls_cat_len;	/* length of @mls_cat, presumably in bytes */

	struct netlbl_lsm_cache cache;	/* see struct netlbl_lsm_cache */
};

/*
 * LSM security attribute operations
 */


/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct.
* Returns zero on success, negative values on error.  The current
 * implementation simply zero-fills the struct and cannot fail.
 *
 */
static inline int netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	/* all-zero is the "empty" state: no domain, no category buffer and
	 * no cache callback, so a later destroy has nothing to free */
	memset(secattr, 0, sizeof(struct netlbl_lsm_secattr));
	return 0;
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 * @clear_cache: cache clear flag
 *
 * Description:
 * Release every buffer owned by @secattr: the domain string, the MLS
 * category buffer and, when @clear_cache is non-zero and the LSM supplied a
 * free callback, the cache data.  The struct itself is not freed and its
 * pointers are NOT reset, so calling this twice on the same struct would
 * free the buffers twice; reset it with netlbl_secattr_init() before any
 * reuse.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr,
					  u32 clear_cache)
{
	if (clear_cache) {
		/* the cache belongs to the LSM; only its callback knows how
		 * to release the data */
		void (*cache_free)(const void *data) = secattr->cache.free;

		if (cache_free != NULL && secattr->cache.data != NULL)
			cache_free(secattr->cache.data);
	}
	/* kfree() tolerates NULL, so the optional buffers need no guard */
	kfree(secattr->domain);
	kfree(secattr->mls_cat);
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.
* The returned struct is zero-filled, i.e. already in the state that
 * netlbl_secattr_init() produces, and should be released with
 * netlbl_secattr_free().  NOTE(review): @flags is declared int rather than
 * gfp_t; callers are expected to pass GFP_* values.
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(int flags)
{
	struct netlbl_lsm_secattr *secattr;

	/* kzalloc() zero-fills, which is exactly what netlbl_secattr_init()
	 * would do, so no separate init call is needed */
	secattr = kzalloc(sizeof(*secattr), flags);
	return secattr;
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 * @clear_cache: cache clear flag
 *
 * Description:
 * Tears down @secattr with netlbl_secattr_destroy() (freeing the owned
 * buffers and, when @clear_cache is non-zero, the LSM cache data) and then
 * kfree()s the struct itself.  Only use on structs obtained from
 * netlbl_secattr_alloc() or another kmalloc-family allocation; @secattr is
 * dangling on return.
 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr,
				       u32 clear_cache)
{
	/* owned buffers first, then the container */
	netlbl_secattr_destroy(secattr, clear_cache);
	kfree(secattr);
}

/*
 * LSM protocol operations
 *
 * Implemented in net/netlabel/netlabel_kapi.c when CONFIG_NETLABEL is set.
 * Without it the inline stubs below are used instead: the int-returning ones
 * report -ENOSYS and none of them touch their arguments, so an LSM can be
 * built with NetLabel compiled out.  What each call does with the socket or
 * packet is inferred from its name only -- confirm in netlabel_kapi.c.
 */

#ifdef CONFIG_NETLABEL
/* apply @secattr as the label for @sock */
int netlbl_socket_setattr(const struct socket *sock,
			  const struct netlbl_lsm_secattr *secattr);
/* fill @secattr from the label attached to @sock */
int netlbl_socket_getattr(const struct socket *sock,
			  struct netlbl_lsm_secattr *secattr);
/* fill @secattr from the label carried on @skb */
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  struct netlbl_lsm_secattr *secattr);
/* report @error for a packet whose label could not be handled */
void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else
/* CONFIG_NETLABEL is off: the int-returning stubs report -ENOSYS and leave
 * @secattr untouched, so callers must not read it after a failed call */
static inline int netlbl_socket_setattr(const struct socket *sock,
					const struct
netlbl_lsm_secattr *secattr)
{
	/* NetLabel is compiled out; nothing is labeled */
	return -ENOSYS;
}

static inline int netlbl_socket_getattr(const struct socket *sock,
					struct netlbl_lsm_secattr *secattr)
{
	/* @secattr is not written: callers must not read it on -ENOSYS */
	return -ENOSYS;
}

static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					struct netlbl_lsm_secattr *secattr)
{
	/* @secattr is not written: callers must not read it on -ENOSYS */
	return -ENOSYS;
}

static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
{
	/* no protocol is active, so there is no error reply to generate */
	return;
}
#endif /* CONFIG_NETLABEL */

/*
 * LSM label mapping cache operations
 *
 * With CONFIG_NETLABEL these are implemented in net/netlabel/.  Note that the
 * compiled-out netlbl_cache_add() stub returns 0 rather than -ENOSYS, so a
 * zero result does not by itself prove that an entry was cached.
 */

#ifdef CONFIG_NETLABEL
void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb,
		     const struct netlbl_lsm_secattr *secattr);
#else
static inline void netlbl_cache_invalidate(void)
{
	/* no cache exists when NetLabel is compiled out */
	return;
}

static inline int netlbl_cache_add(const struct sk_buff *skb,
				   const struct netlbl_lsm_secattr *secattr)
{
	/* silently succeeds without caching anything (contrast with the
	 * -ENOSYS stubs above) */
	return 0;
}
#endif /* CONFIG_NETLABEL */

#endif /* _NETLABEL_H */