1*1ccea77eSThomas Gleixner /* SPDX-License-Identifier: GPL-2.0-or-later */ 211a03f78SPaul Moore /* 311a03f78SPaul Moore * NetLabel System 411a03f78SPaul Moore * 511a03f78SPaul Moore * The NetLabel system manages static and dynamic label mappings for network 611a03f78SPaul Moore * protocols such as CIPSO and RIPSO. 711a03f78SPaul Moore * 882c21bfaSPaul Moore * Author: Paul Moore <paul@paul-moore.com> 911a03f78SPaul Moore */ 1011a03f78SPaul Moore 1111a03f78SPaul Moore /* 1263c41688SPaul Moore * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 1311a03f78SPaul Moore */ 1411a03f78SPaul Moore 1511a03f78SPaul Moore #ifndef _NETLABEL_H 1611a03f78SPaul Moore #define _NETLABEL_H 1711a03f78SPaul Moore 1811a03f78SPaul Moore #include <linux/types.h> 195a0e3ad6STejun Heo #include <linux/slab.h> 207a0e1d60SPaul Moore #include <linux/net.h> 2111a03f78SPaul Moore #include <linux/skbuff.h> 226c2e8ac0SPaul Moore #include <linux/in.h> 236c2e8ac0SPaul Moore #include <linux/in6.h> 2411a03f78SPaul Moore #include <net/netlink.h> 25389fb800SPaul Moore #include <net/request_sock.h> 26b4217b82SReshetova, Elena #include <linux/refcount.h> 2711a03f78SPaul Moore 28eda61d32SPaul Moore struct cipso_v4_doi; 29cb72d382SHuw Davies struct calipso_doi; 30eda61d32SPaul Moore 3111a03f78SPaul Moore /* 3211a03f78SPaul Moore * NetLabel - A management interface for maintaining network packet label 3311a03f78SPaul Moore * mapping tables for explicit packet labling protocols. 3411a03f78SPaul Moore * 3511a03f78SPaul Moore * Network protocols such as CIPSO and RIPSO require a label translation layer 3611a03f78SPaul Moore * to convert the label on the packet into something meaningful on the host 3711a03f78SPaul Moore * machine. In the current Linux implementation these mapping tables live 3811a03f78SPaul Moore * inside the kernel; NetLabel provides a mechanism for user space applications 3911a03f78SPaul Moore * to manage these mapping tables. 
4011a03f78SPaul Moore * 4111a03f78SPaul Moore * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to 4211a03f78SPaul Moore * send messages between kernel and user space. The general format of a 4311a03f78SPaul Moore * NetLabel message is shown below: 4411a03f78SPaul Moore * 4511a03f78SPaul Moore * +-----------------+-------------------+--------- --- -- - 4611a03f78SPaul Moore * | struct nlmsghdr | struct genlmsghdr | payload 4711a03f78SPaul Moore * +-----------------+-------------------+--------- --- -- - 4811a03f78SPaul Moore * 4911a03f78SPaul Moore * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal. 5011a03f78SPaul Moore * The payload is dependent on the subsystem specified in the 5111a03f78SPaul Moore * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions 5211a03f78SPaul Moore * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c 53fcd48280SPaul Moore * file. All of the fields in the NetLabel payload are NETLINK attributes, see 54fcd48280SPaul Moore * the include/net/netlink.h file for more information on NETLINK attributes. 
5511a03f78SPaul Moore * 5611a03f78SPaul Moore */ 5711a03f78SPaul Moore 5811a03f78SPaul Moore /* 5911a03f78SPaul Moore * NetLabel NETLINK protocol 6011a03f78SPaul Moore */ 6111a03f78SPaul Moore 628cc44579SPaul Moore /* NetLabel NETLINK protocol version 638cc44579SPaul Moore * 1: initial version 648cc44579SPaul Moore * 2: added static labels for unlabeled connections 65d91d4079SPaul Moore * 3: network selectors added to the NetLabel/LSM domain mapping and the 66d91d4079SPaul Moore * CIPSO_V4_MAP_LOCAL CIPSO mapping was added 678cc44579SPaul Moore */ 6863c41688SPaul Moore #define NETLBL_PROTO_VERSION 3 6911a03f78SPaul Moore 7011a03f78SPaul Moore /* NetLabel NETLINK types/families */ 7111a03f78SPaul Moore #define NETLBL_NLTYPE_NONE 0 7211a03f78SPaul Moore #define NETLBL_NLTYPE_MGMT 1 7311a03f78SPaul Moore #define NETLBL_NLTYPE_MGMT_NAME "NLBL_MGMT" 7411a03f78SPaul Moore #define NETLBL_NLTYPE_RIPSO 2 7511a03f78SPaul Moore #define NETLBL_NLTYPE_RIPSO_NAME "NLBL_RIPSO" 7611a03f78SPaul Moore #define NETLBL_NLTYPE_CIPSOV4 3 7711a03f78SPaul Moore #define NETLBL_NLTYPE_CIPSOV4_NAME "NLBL_CIPSOv4" 7811a03f78SPaul Moore #define NETLBL_NLTYPE_CIPSOV6 4 7911a03f78SPaul Moore #define NETLBL_NLTYPE_CIPSOV6_NAME "NLBL_CIPSOv6" 8011a03f78SPaul Moore #define NETLBL_NLTYPE_UNLABELED 5 8111a03f78SPaul Moore #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL" 8263c41688SPaul Moore #define NETLBL_NLTYPE_ADDRSELECT 6 8363c41688SPaul Moore #define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL" 84cb72d382SHuw Davies #define NETLBL_NLTYPE_CALIPSO 7 85cb72d382SHuw Davies #define NETLBL_NLTYPE_CALIPSO_NAME "NLBL_CALIPSO" 8611a03f78SPaul Moore 8711a03f78SPaul Moore /* 8811a03f78SPaul Moore * NetLabel - Kernel API for accessing the network packet label mappings. 
 *
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO.  The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/**
 * struct netlbl_audit - NetLabel audit information
 * @secid: LSM secid token of the caller the audit record is attributed to
 * @loginuid: audit login uid of the caller
 * @sessionid: audit session id of the caller
 *
 * Description:
 * Passed by the caller through the netlbl_cfg_*() configuration calls and
 * netlbl_audit_start(), so the audit records NetLabel emits for configuration
 * changes carry the identity of the caller rather than that of NetLabel.
 */
struct netlbl_audit {
	u32 secid;		/* LSM secid token */
	kuid_t loginuid;	/* audit login uid */
	unsigned int sessionid;	/* audit session id */
};

/*
 * LSM security attributes
 */

/**
 * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
 * @refcount: atomic reference counter
 * @free: LSM supplied function to free the cache data
 * @data: LSM supplied cache data
 *
 * Description:
 * This structure is provided for LSMs which wish to make use of the NetLabel
 * caching mechanism to store LSM specific data/attributes in the NetLabel
 * cache.  If the LSM has to perform a lot of translation from the NetLabel
 * security attributes into its own internal representation then the cache
 * mechanism can provide a way to eliminate some or all of that translation
 * overhead on a cache hit.
 *
 */
struct netlbl_lsm_cache {
	/* set to 1 by netlbl_secattr_cache_alloc(); netlbl_secattr_cache_free()
	 * drops a reference and tears the struct down when it hits zero */
	refcount_t refcount;
	/* optional: netlbl_secattr_cache_free() only calls it when non-NULL,
	 * passing @data */
	void (*free) (const void *data);
	/* owned by the LSM; NetLabel never interprets it */
	void *data;
};

/**
 * struct netlbl_lsm_catmap - NetLabel LSM secattr category bitmap
 * @startbit: the value of the lowest order bit in the bitmap
 * @bitmap: the category bitmap
 * @next: pointer to the next bitmap "node" or NULL
 *
 * Description:
 * This structure is used to represent category bitmaps.  Due to the large
 * number of categories supported by most labeling protocols it is not
 * practical to transfer a full bitmap internally so NetLabel adopts a sparse
 * bitmap structure modeled after SELinux's ebitmap structure.
 * The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
 * processing.
 *
 */
/* one bitmap word */
#define NETLBL_CATMAP_MAPTYPE           u64
/* words per node */
#define NETLBL_CATMAP_MAPCNT            4
/* bits per word: 64 for a u64 */
#define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
/* bits per node: 64 * 4 = 256, a power of two and above the 240 bit minimum
 * the struct description requires */
#define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
					 NETLBL_CATMAP_MAPCNT)
/* a single set bit of the word type, cast so that shifts stay 64 bit wide */
#define NETLBL_CATMAP_BIT               (NETLBL_CATMAP_MAPTYPE)0x01
struct netlbl_lsm_catmap {
	u32 startbit;	/* category value of the lowest bit in @bitmap */
	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
	struct netlbl_lsm_catmap *next;	/* next node, NULL at the end of the list */
};

/**
 * struct netlbl_lsm_secattr - NetLabel LSM security attributes
 * @flags: indicate structure attributes, see NETLBL_SECATTR_*
 * @type: indicate the NLTYPE of the attributes
 * @domain: the NetLabel LSM domain
 * @cache: NetLabel LSM specific cache
 * @attr.mls: MLS sensitivity label
 * @attr.mls.cat: MLS category bitmap
 * @attr.mls.lvl: MLS sensitivity level
 * @attr.secid: LSM specific secid token
 *
 * Description:
 * This structure is used to pass security attributes between NetLabel and the
 * LSM modules.  The flags field is used to specify which fields within the
 * struct are valid and valid values can be created by bitwise OR'ing the
 * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
 * specify domain specific configuration settings and is not usually used by
 * NetLabel itself when returning security attributes to the LSM.
 *
 */
struct netlbl_lsm_secattr {
	u32 flags;
	/* bitmap values for 'flags' */
#define NETLBL_SECATTR_NONE             0x00000000
#define NETLBL_SECATTR_DOMAIN           0x00000001
	/* @domain is valid AND owned by this struct, so netlbl_secattr_destroy()
	 * kfree()s it; plain NETLBL_SECATTR_DOMAIN marks a borrowed string */
#define NETLBL_SECATTR_DOMAIN_CPY       (NETLBL_SECATTR_DOMAIN | \
					 NETLBL_SECATTR_FREE_DOMAIN)
	/* @cache holds a reference, released by netlbl_secattr_destroy() */
#define NETLBL_SECATTR_CACHE            0x00000002
#define NETLBL_SECATTR_MLS_LVL          0x00000004
	/* @attr.mls.cat is valid and freed by netlbl_secattr_destroy() */
#define NETLBL_SECATTR_MLS_CAT          0x00000008
#define NETLBL_SECATTR_SECID            0x00000010
	/* bitmap meta-values for 'flags' */
#define NETLBL_SECATTR_FREE_DOMAIN      0x01000000
	/* the attributes that can be stored in the LSM label mapping cache */
#define NETLBL_SECATTR_CACHEABLE        (NETLBL_SECATTR_MLS_LVL | \
					 NETLBL_SECATTR_MLS_CAT | \
					 NETLBL_SECATTR_SECID)
	u32 type;	/* NETLBL_NLTYPE_* of the labeling protocol */
	char *domain;	/* ownership decided by NETLBL_SECATTR_FREE_DOMAIN */
	struct netlbl_lsm_cache *cache;
	struct {
		struct {
			struct netlbl_lsm_catmap *cat;
			u32 lvl;
		} mls;
		u32 secid;
	} attr;
};

/**
 * struct netlbl_calipso_ops - NetLabel CALIPSO operations
 * @doi_add: add a CALIPSO DOI
 * @doi_free: free a CALIPSO DOI
 * @doi_remove: remove a CALIPSO DOI
 * @doi_getdef: returns a reference to a DOI
 * @doi_putdef: releases a reference of a DOI
 * @doi_walk: enumerate the DOI list
 * @sock_getattr: retrieve the socket's attr
 * @sock_setattr: set the socket's attr
 * @sock_delattr: remove the socket's attr
 * @req_setattr: set the req socket's attr
 * @req_delattr: remove the req socket's attr
 * @opt_getattr: retrieve attr from memory block
 * @skbuff_optptr: find option in packet
 * @skbuff_setattr: set the skbuff's attr
 * @skbuff_delattr: remove the skbuff's attr
 * @cache_invalidate: invalidate cache
 * @cache_add: add cache entry
 *
 * Description:
 * This structure is filled out by the CALIPSO engine and passed
 * to the NetLabel core via a call to netlbl_calipso_ops_register().
 * It enables the CALIPSO engine (and hence IPv6) to be compiled
 * as a module.
 */
struct netlbl_calipso_ops {
	/* configuration entry points; all take the caller's audit identity */
	int (*doi_add)(struct calipso_doi *doi_def,
		       struct netlbl_audit *audit_info);
	void (*doi_free)(struct calipso_doi *doi_def);
	int (*doi_remove)(u32 doi, struct netlbl_audit *audit_info);
	/* a DOI obtained from doi_getdef() is released with doi_putdef() */
	struct calipso_doi *(*doi_getdef)(u32 doi);
	void (*doi_putdef)(struct calipso_doi *doi_def);
	/* @skip_cnt is a pointer: presumably updated with the resume position
	 * for a partial walk - confirm against the CALIPSO engine */
	int (*doi_walk)(u32 *skip_cnt,
			int (*callback)(struct calipso_doi *doi_def, void *arg),
			void *cb_arg);
	int (*sock_getattr)(struct sock *sk,
			    struct netlbl_lsm_secattr *secattr);
	int (*sock_setattr)(struct sock *sk,
			    const struct calipso_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
	void (*sock_delattr)(struct sock *sk);
	int (*req_setattr)(struct request_sock *req,
			   const struct calipso_doi *doi_def,
			   const struct netlbl_lsm_secattr *secattr);
	void (*req_delattr)(struct request_sock *req);
	/* @calipso points at the raw option bytes, not an skb; the length is
	 * not passed, so the callee is trusted to bound its own parsing */
	int (*opt_getattr)(const unsigned char *calipso,
			   struct netlbl_lsm_secattr *secattr);
	unsigned char *(*skbuff_optptr)(const struct sk_buff *skb);
	int (*skbuff_setattr)(struct sk_buff *skb,
			      const struct calipso_doi *doi_def,
			      const struct netlbl_lsm_secattr *secattr);
	int (*skbuff_delattr)(struct sk_buff *skb);
	void (*cache_invalidate)(void);
	int (*cache_add)(const unsigned char *calipso_ptr,
			 const struct netlbl_lsm_secattr *secattr);
};

/*
 * LSM security attribute operations (inline)
 */

/**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_cache structure.  Returns a pointer
 * on success, NULL on failure.
 *
 */
static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
{
	struct netlbl_lsm_cache *cache = kzalloc(sizeof(*cache), flags);

	if (!cache)
		return NULL;

	/* the allocator holds the first reference; it is dropped by
	 * netlbl_secattr_cache_free() */
	refcount_set(&cache->refcount, 1);
	return cache;
}

/**
 * netlbl_secattr_cache_free - Release a reference to a netlbl_lsm_cache struct
 * @cache: the struct to release
 *
 * Description:
 * Drops one reference to @cache.  When the last reference goes away the LSM
 * supplied @cache->free callback (if any) is invoked on @cache->data and the
 * struct itself is kfree()'d; otherwise @cache stays valid for the remaining
 * holders.
 *
 */
static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
{
	if (refcount_dec_and_test(&cache->refcount)) {
		/* @free is optional; an LSM with nothing to tear down leaves
		 * it NULL */
		if (cache->free)
			cache->free(cache->data);
		kfree(cache);
	}
}

/**
 * netlbl_catmap_alloc - Allocate a LSM secattr catmap
 * @flags: memory allocation flags
 *
 * Description:
 * Allocate memory for a LSM secattr catmap, returns a pointer on success, NULL
 * on failure.
 *
 */
static inline struct netlbl_lsm_catmap *netlbl_catmap_alloc(gfp_t flags)
{
	struct netlbl_lsm_catmap *catmap;

	/* zeroed allocation: startbit 0, empty bitmap, next == NULL */
	catmap = kzalloc(sizeof(*catmap), flags);
	return catmap;
}

/**
 * netlbl_catmap_free - Free a LSM secattr catmap
 * @catmap: the category bitmap
 *
 * Description:
 * Free a LSM secattr catmap, i.e. every node reachable through ->next from
 * @catmap.  A NULL @catmap is a no-op.
 *
 */
static inline void netlbl_catmap_free(struct netlbl_lsm_catmap *catmap)
{
	struct netlbl_lsm_catmap *next;

	/* ->next has to be read before the node it lives in is freed */
	for (; catmap; catmap = next) {
		next = catmap->next;
		kfree(catmap);
	}
}

/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct.  Everything is
 * zeroed, so @secattr->flags ends up as NETLBL_SECATTR_NONE and no embedded
 * buffer is considered owned.
 *
 */
static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	memset(secattr, 0, sizeof(struct netlbl_lsm_secattr));
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 *
 * Description:
 * Destroys the @secattr struct, including freeing all of the internal buffers.
 * The struct must be reset with a call to netlbl_secattr_init() before reuse.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{
	u32 flags = secattr->flags;

	/* Only the buffers the flags claim ownership of are released: a
	 * domain string that is merely referenced (NETLBL_SECATTR_DOMAIN
	 * without NETLBL_SECATTR_FREE_DOMAIN) is left alone. */
	if (flags & NETLBL_SECATTR_FREE_DOMAIN)
		kfree(secattr->domain);
	if (flags & NETLBL_SECATTR_CACHE)
		netlbl_secattr_cache_free(secattr->cache);
	if (flags & NETLBL_SECATTR_MLS_CAT)
		netlbl_catmap_free(secattr->attr.mls.cat);
	/* Neither the flags nor the pointers are cleared here, which is why a
	 * second destroy without an intervening netlbl_secattr_init() would
	 * free the same buffers again. */
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
{
	struct netlbl_lsm_secattr *secattr;

	/* kzalloc() leaves flags == NETLBL_SECATTR_NONE, the same state that
	 * netlbl_secattr_init() produces */
	secattr = kzalloc(sizeof(*secattr), flags);
	return secattr;
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 *
 * Description:
 * Frees @secattr including all of the internal buffers.
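 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
{
	/* the flags in @secattr decide which embedded buffers are owned */
	netlbl_secattr_destroy(secattr);
	kfree(secattr);
}

#ifdef CONFIG_NETLABEL
/*
 * LSM configuration operations
 *
 * Every call takes the caller's netlbl_audit identity so that the resulting
 * configuration change is audited against the caller.
 */
int netlbl_cfg_map_del(const char *domain,
		       u16 family,
		       const void *addr,
		       const void *mask,
		       struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_map_add(const char *domain,
			     u16 family,
			     const void *addr,
			     const void *mask,
			     struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_add(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				u32 secid,
				struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				struct netlbl_audit *audit_info);
int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
			   struct netlbl_audit *audit_info);
void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_cipsov4_map_add(u32 doi,
			       const char *domain,
			       const struct in_addr *addr,
			       const struct in_addr *mask,
			       struct netlbl_audit *audit_info);
int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
			   struct netlbl_audit *audit_info);
void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_calipso_map_add(u32 doi,
			       const char *domain,
			       const struct in6_addr *addr,
			       const struct in6_addr *mask,
			       struct netlbl_audit *audit_info);
/*
 * LSM security attribute operations
 *
 * The netlbl_catmap_set*() calls take a pointer to the catmap pointer because
 * they may allocate new nodes (hence the gfp_t argument) and update the head.
 */
int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset);
int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset);
int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
			  u32 *offset,
			  unsigned long *bitmap);
int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
			 u32 bit,
			 gfp_t flags);
int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
			 u32 start,
			 u32 end,
			 gfp_t flags);
int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
			  u32 offset,
			  unsigned long bitmap,
			  gfp_t flags);

/*
 * Bitmap functions
 *
 * These operate on a raw byte bitmap with an explicit length and have no
 * !CONFIG_NETLABEL stubs below.
 */
int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
		       u32 offset, u8 state);
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state);

/*
 * LSM protocol operations (NetLabel LSM/kernel API)
 */
int netlbl_enabled(void);
int netlbl_sock_setattr(struct sock *sk,
			u16 family,
			const struct netlbl_lsm_secattr *secattr);
void netlbl_sock_delattr(struct sock *sk);
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr);
int netlbl_conn_setattr(struct sock *sk,
			struct sockaddr *addr,
			const struct netlbl_lsm_secattr *secattr);
int netlbl_req_setattr(struct request_sock *req,
		       const struct netlbl_lsm_secattr *secattr);
void netlbl_req_delattr(struct request_sock *req);
int netlbl_skbuff_setattr(struct sk_buff *skb,
			  u16 family,
			  const struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  u16 family,
			  struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway);

/*
 * LSM label mapping cache operations
 */
void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb, u16 family,
		     const struct netlbl_lsm_secattr *secattr);

/*
 * Protocol engine operations
 */
struct audit_buffer *netlbl_audit_start(int type,
					struct netlbl_audit *audit_info);
#else
/*
 * !CONFIG_NETLABEL stubs.
 *
 * Each stub must carry exactly the signature of the prototype above: callers
 * are compiled against whichever side this #ifdef selects, so a stub that
 * diverges (a missing parameter, a dropped const) is only noticed when a
 * NetLabel-less kernel is built.  Configuration and set/get operations report
 * -ENOSYS; the catmap setters and netlbl_cache_add() report 0, so a caller
 * cannot tell from the return value that nothing was recorded.
 */
static inline int netlbl_cfg_map_del(const char *domain,
				     u16 family,
				     const void *addr,
				     const void *mask,
				     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_map_add(const char *domain,
					   u16 family,
					   const void *addr,
					   const void *mask,
					   struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_add(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      u32 secid,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_del(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
					 struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline void netlbl_cfg_cipsov4_del(u32 doi,
					  struct netlbl_audit *audit_info)
{
	return;
}
static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
					     const char *domain,
					     const struct in_addr *addr,
					     const struct in_addr *mask,
					     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
					 struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline void netlbl_cfg_calipso_del(u32 doi,
					  struct netlbl_audit *audit_info)
{
	return;
}
static inline int netlbl_cfg_calipso_map_add(u32 doi,
					     const char *domain,
					     const struct in6_addr *addr,
					     const struct in6_addr *mask,
					     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
/* walking an (always empty) catmap finds nothing */
static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
				     u32 offset)
{
	return -ENOENT;
}
static inline int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap,
					u32 offset)
{
	return -ENOENT;
}
static inline int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
					u32 *offset,
					unsigned long *bitmap)
{
	return 0;
}
static inline int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
				       u32 bit,
				       gfp_t flags)
{
	return 0;
}
static inline int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
				       u32 start,
				       u32 end,
				       gfp_t flags)
{
	return 0;
}
static inline int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
					u32 offset,
					unsigned long bitmap,
					gfp_t flags)
{
	return 0;
}
static inline int netlbl_enabled(void)
{
	return 0;
}
static inline int netlbl_sock_setattr(struct sock *sk,
				      u16 family,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_sock_delattr(struct sock *sk)
{
}
static inline int netlbl_sock_getattr(struct sock *sk,
				      struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_conn_setattr(struct sock *sk,
				      struct sockaddr *addr,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_req_setattr(struct request_sock *req,
				     const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_req_delattr(struct request_sock *req)
{
	return;
}
static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
					u16 family,
					const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					u16 family,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
/* the family parameter mirrors the CONFIG_NETLABEL prototype; the stub used
 * to omit it, which breaks callers passing all four arguments */
static inline void netlbl_skbuff_err(struct sk_buff *skb,
				     u16 family,
				     int error,
				     int gateway)
{
	return;
}
static inline void netlbl_cache_invalidate(void)
{
	return;
}
static inline int netlbl_cache_add(const struct sk_buff *skb, u16 family,
				   const struct netlbl_lsm_secattr *secattr)
{
	return 0;
}
static inline struct audit_buffer *netlbl_audit_start(int type,
						      struct netlbl_audit *audit_info)
{
	return NULL;
}
#endif /* CONFIG_NETLABEL */

/* available regardless of CONFIG_NETLABEL; the CALIPSO engine hands its ops
 * table to the NetLabel core through this call */
const struct netlbl_calipso_ops *
netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);

#endif /* _NETLABEL_H */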