111a03f78SPaul Moore /* 211a03f78SPaul Moore * NetLabel System 311a03f78SPaul Moore * 411a03f78SPaul Moore * The NetLabel system manages static and dynamic label mappings for network 511a03f78SPaul Moore * protocols such as CIPSO and RIPSO. 611a03f78SPaul Moore * 782c21bfaSPaul Moore * Author: Paul Moore <paul@paul-moore.com> 811a03f78SPaul Moore * 911a03f78SPaul Moore */ 1011a03f78SPaul Moore 1111a03f78SPaul Moore /* 1263c41688SPaul Moore * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 1311a03f78SPaul Moore * 1411a03f78SPaul Moore * This program is free software; you can redistribute it and/or modify 1511a03f78SPaul Moore * it under the terms of the GNU General Public License as published by 1611a03f78SPaul Moore * the Free Software Foundation; either version 2 of the License, or 1711a03f78SPaul Moore * (at your option) any later version. 1811a03f78SPaul Moore * 1911a03f78SPaul Moore * This program is distributed in the hope that it will be useful, 2011a03f78SPaul Moore * but WITHOUT ANY WARRANTY; without even the implied warranty of 2111a03f78SPaul Moore * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 2211a03f78SPaul Moore * the GNU General Public License for more details. 2311a03f78SPaul Moore * 2411a03f78SPaul Moore * You should have received a copy of the GNU General Public License 25a6227e26SJeff Kirsher * along with this program; if not, see <http://www.gnu.org/licenses/>. 
 *
 */

#ifndef _NETLABEL_H
#define _NETLABEL_H

#include <linux/types.h>
#include <linux/slab.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <net/netlink.h>
#include <net/request_sock.h>
#include <linux/atomic.h>

/* The per-protocol DOI definitions stay opaque in this header: only pointers
 * to them are ever passed around here, so forward declarations suffice. */
struct cipso_v4_doi;
struct calipso_doi;

/*
 * NetLabel - A management interface for maintaining network packet label
 * mapping tables for explicit packet labeling protocols.
 *
 * Network protocols such as CIPSO and RIPSO require a label translation layer
 * to convert the label on the packet into something meaningful on the host
 * machine.  In the current Linux implementation these mapping tables live
 * inside the kernel; NetLabel provides a mechanism for user space applications
 * to manage these mapping tables.
 *
 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
 * send messages between kernel and user space.
The general format of a
 * NetLabel message is shown below:
 *
 * +-----------------+-------------------+--------- --- -- -
 * | struct nlmsghdr | struct genlmsghdr | payload
 * +-----------------+-------------------+--------- --- -- -
 *
 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
 * The payload is dependent on the subsystem specified in the
 * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
 * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
 * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
 * the include/net/netlink.h file for more information on NETLINK attributes.
 *
 */

/*
 * NetLabel NETLINK protocol
 */

/* NetLabel NETLINK protocol version
 *  1: initial version
 *  2: added static labels for unlabeled connections
 *  3: network selectors added to the NetLabel/LSM domain mapping and the
 *     CIPSO_V4_MAP_LOCAL CIPSO mapping was added
 *
 * Bump this (and add a line to the list above) whenever the message format
 * changes in a way user space has to know about; it is part of the
 * kernel/user space protocol, not an internal constant.
 */
#define NETLBL_PROTO_VERSION		3

/* NetLabel NETLINK types/families
 *
 * The numeric values identify which NetLabel subsystem a message is for and
 * the _NAME strings are presumably the names user space resolves the Generic
 * Netlink family by (see the transport description above).  Both are visible
 * to user space: never renumber or rename an existing entry, only append.
 */
#define NETLBL_NLTYPE_NONE		0
#define NETLBL_NLTYPE_MGMT		1
#define NETLBL_NLTYPE_MGMT_NAME		"NLBL_MGMT"
#define NETLBL_NLTYPE_RIPSO		2
#define NETLBL_NLTYPE_RIPSO_NAME	"NLBL_RIPSO"
#define NETLBL_NLTYPE_CIPSOV4		3
#define NETLBL_NLTYPE_CIPSOV4_NAME	"NLBL_CIPSOv4"
#define NETLBL_NLTYPE_CIPSOV6		4
#define NETLBL_NLTYPE_CIPSOV6_NAME	"NLBL_CIPSOv6"
#define NETLBL_NLTYPE_UNLABELED		5
#define NETLBL_NLTYPE_UNLABELED_NAME	"NLBL_UNLBL"
#define NETLBL_NLTYPE_ADDRSELECT	6
#define NETLBL_NLTYPE_ADDRSELECT_NAME	"NLBL_ADRSEL"
/* CALIPSO (the IPv6 labeling option) has its own type rather than reusing
 * NETLBL_NLTYPE_CIPSOV6; nothing in this header declares a CIPSOv6 engine. */
#define NETLBL_NLTYPE_CALIPSO		7
#define NETLBL_NLTYPE_CALIPSO_NAME	"NLBL_CALIPSO"

/*
 * NetLabel - Kernel API for accessing the network packet label mappings.
 *
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO.  The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/**
 * struct netlbl_audit - NetLabel audit information
 * @secid: LSM secid of the task requesting the change
 * @loginuid: audit login uid of that task
 * @sessionid: audit session id of that task
 *
 * Description:
 * Every configuration entry point below (netlbl_cfg_*()) takes a pointer to
 * one of these, and it is what netlbl_audit_start() is handed, so these
 * fields are presumably what ends up identifying the actor in the audit
 * record for a mapping change.  Callers fill in all three; the exact record
 * format is decided in net/netlabel/, not here.
 */
struct netlbl_audit {
	u32 secid;
	kuid_t loginuid;
	unsigned int sessionid;
};

/*
 * LSM security attributes
 */

/**
 * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
 * @refcount: atomic reference counter
 * @free: LSM supplied function to free the cache data
 * @data: LSM supplied cache data
 *
 * Description:
 * This structure is provided for LSMs which wish to make use of the NetLabel
 * caching mechanism to store LSM specific data/attributes in the NetLabel
 * cache.  If the LSM has to perform a lot of translation from the NetLabel
 * security attributes into its own internal representation then the cache
 * mechanism can provide a way to eliminate some or all of that translation
 * overhead on a cache hit.
 *
 * Lifetime: netlbl_secattr_cache_alloc() hands the object back with @refcount
 * at one and @free/@data zeroed; netlbl_secattr_cache_free() drops one
 * reference and, on the last one, calls @free(@data) if @free is set and then
 * kfree()s the struct.  @free therefore has to cope with whatever @data the
 * LSM stored, including NULL if it never stored anything.
 *
 */
struct netlbl_lsm_cache {
	/* NOTE(review): atomic_t neither saturates on overflow nor traps on
	 * underflow, so an unbalanced get/put on this object silently becomes
	 * a use-after-free; the kernel's refcount_t would catch both.
	 * Converting it also means touching netlbl_secattr_cache_alloc() and
	 * netlbl_secattr_cache_free() below. */
	atomic_t refcount;
	void (*free) (const void *data);
	void *data;
};

/**
 * struct netlbl_lsm_catmap - NetLabel LSM secattr category bitmap
 * @startbit: the value of the lowest order bit in the bitmap
 * @bitmap: the category bitmap
 * @next: pointer to the next bitmap "node" or NULL
 *
 * Description:
 * This structure is used to represent category bitmaps.
Due to the large
 * number of categories supported by most labeling protocols it is not
 * practical to transfer a full bitmap internally so NetLabel adopts a sparse
 * bitmap structure modeled after SELinux's ebitmap structure.
 * The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
 * processing.
 *
 */
/* Word type of one chunk of the bitmap */
#define NETLBL_CATMAP_MAPTYPE		u64
/* Words per node */
#define NETLBL_CATMAP_MAPCNT		4
/* Bits per word (64 for u64) */
#define NETLBL_CATMAP_MAPSIZE		(sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
/* Bits covered by a single node: 64 * 4 = 256, which is a power of two and
 * satisfies the ">= 240 bits" requirement above */
#define NETLBL_CATMAP_SIZE		(NETLBL_CATMAP_MAPSIZE * \
					 NETLBL_CATMAP_MAPCNT)
/* Lowest-order bit, already widened to the word type so that shifting it
 * left by up to NETLBL_CATMAP_MAPSIZE - 1 cannot truncate */
#define NETLBL_CATMAP_BIT		(NETLBL_CATMAP_MAPTYPE)0x01
struct netlbl_lsm_catmap {
	u32 startbit;
	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
	struct netlbl_lsm_catmap *next;
};

/**
 * struct netlbl_lsm_secattr - NetLabel LSM security attributes
 * @flags: indicate structure attributes, see NETLBL_SECATTR_*
 * @type: indicate the NLTYPE of the attributes
 * @domain: the NetLabel LSM domain
 * @cache: NetLabel LSM specific cache
 * @attr.mls: MLS sensitivity label
 * @attr.mls.cat: MLS category bitmap
 * @attr.mls.lvl: MLS sensitivity level
 * @attr.secid: LSM specific secid token
 *
 * Description:
 * This structure is used to pass security attributes between NetLabel and the
 * LSM modules.  The flags field is used to specify which fields within the
 * struct are valid and valid values can be created by bitwise OR'ing the
 * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
 * specify domain specific configuration settings and is not usually used by
 * NetLabel itself when returning security attributes to the LSM.
 *
 * Ownership: NETLBL_SECATTR_FREE_DOMAIN, NETLBL_SECATTR_CACHE and
 * NETLBL_SECATTR_MLS_CAT mean netlbl_secattr_destroy() will kfree() @domain,
 * drop a reference on @cache and free the @attr.mls.cat list respectively.
 * A @domain string the caller does not own is advertised with
 * NETLBL_SECATTR_DOMAIN alone.
 *
 */
struct netlbl_lsm_secattr {
	u32 flags;
	/* bitmap values for 'flags' */
#define NETLBL_SECATTR_NONE		0x00000000
	/* @domain points at a valid string */
#define NETLBL_SECATTR_DOMAIN		0x00000001
	/* @domain is valid and owned by this struct (kfree()'d on destroy) */
#define NETLBL_SECATTR_DOMAIN_CPY	(NETLBL_SECATTR_DOMAIN | \
					 NETLBL_SECATTR_FREE_DOMAIN)
	/* @cache holds a reference that destroy drops */
#define NETLBL_SECATTR_CACHE		0x00000002
	/* @attr.mls.lvl is valid */
#define NETLBL_SECATTR_MLS_LVL		0x00000004
	/* @attr.mls.cat is a valid list owned by this struct (freed on
	 * destroy) */
#define NETLBL_SECATTR_MLS_CAT		0x00000008
	/* @attr.secid is valid */
#define NETLBL_SECATTR_SECID		0x00000010
	/* bitmap meta-values for 'flags' */
	/* Ownership bit for @domain, kept out of the low "valid" bits.  It is
	 * referenced by NETLBL_SECATTR_DOMAIN_CPY above before it is defined,
	 * which is fine because macros expand at the point of use. */
#define NETLBL_SECATTR_FREE_DOMAIN	0x01000000
	/* The attribute bits the label cache is able to hold; presumably what
	 * netlbl_cache_add() tests against */
#define NETLBL_SECATTR_CACHEABLE	(NETLBL_SECATTR_MLS_LVL | \
					 NETLBL_SECATTR_MLS_CAT | \
					 NETLBL_SECATTR_SECID)
	u32 type;
	char *domain;
	struct netlbl_lsm_cache *cache;
	struct {
		struct {
			struct netlbl_lsm_catmap *cat;
			u32
lvl;
		} mls;
		u32 secid;
	} attr;	/* a struct rather than a union: mls and secid can both be
		 * populated, the NETLBL_SECATTR_* bits in flags say which
		 * ones are meaningful */
};

/**
 * struct netlbl_calipso_ops - NetLabel CALIPSO operations
 * @doi_add: add a CALIPSO DOI
 * @doi_free: free a CALIPSO DOI
 * @doi_remove: remove the CALIPSO DOI with the given number
 * @doi_getdef: returns a reference to a DOI
 * @doi_putdef: releases a reference of a DOI
 * @doi_walk: enumerate the DOI list
 * @sock_getattr: retrieve the socket's attr
 * @sock_setattr: set the socket's attr
 * @sock_delattr: remove the socket's attr
 * @req_setattr: set the req socket's attr
 * @req_delattr: remove the req socket's attr
 * @opt_getattr: retrieve attr from memory block
 * @skbuff_optptr: find option in packet
 * @skbuff_setattr: set the skbuff's attr
 * @skbuff_delattr: remove the skbuff's attr
 * @cache_invalidate: invalidate cache
 * @cache_add: add cache entry
 *
 * Description:
 * This structure is filled out by the CALIPSO engine and passed
 * to the NetLabel core via a call to netlbl_calipso_ops_register().
 * It enables the CALIPSO engine (and hence IPv6) to be compiled
 * as a module.
 */
struct netlbl_calipso_ops {
	/* DOI definition lifecycle; @audit_info is threaded through so the
	 * engine can account for the change the same way the netlbl_cfg_*()
	 * calls do */
	int (*doi_add)(struct calipso_doi *doi_def,
		       struct netlbl_audit *audit_info);
	void (*doi_free)(struct calipso_doi *doi_def);
	int (*doi_remove)(u32 doi, struct netlbl_audit *audit_info);
	/* get/put pair per the kernel-doc above: every successful doi_getdef()
	 * must be balanced by exactly one doi_putdef() */
	struct calipso_doi *(*doi_getdef)(u32 doi);
	void (*doi_putdef)(struct calipso_doi *doi_def);
	/* Visit each DOI with @callback(doi_def, @cb_arg); @skip_cnt is
	 * passed by pointer, presumably entries to skip on input and the
	 * resume position on output - confirm against the engine */
	int (*doi_walk)(u32 *skip_cnt,
			int (*callback)(struct calipso_doi *doi_def, void *arg),
			void *cb_arg);
	/* Label handling on full sockets, request sockets and packets */
	int (*sock_getattr)(struct sock *sk,
			    struct netlbl_lsm_secattr *secattr);
	int (*sock_setattr)(struct sock *sk,
			    const struct calipso_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
	void (*sock_delattr)(struct sock *sk);
	int (*req_setattr)(struct request_sock *req,
			   const struct calipso_doi *doi_def,
			   const struct netlbl_lsm_secattr *secattr);
	void (*req_delattr)(struct request_sock *req);
	/* opt_getattr() parses an already-located CALIPSO option (e.g. the
	 * pointer skbuff_optptr() returns) into @secattr; the option bytes
	 * come off the wire, so the engine must bounds-check them itself */
	int (*opt_getattr)(const unsigned char *calipso,
			   struct netlbl_lsm_secattr *secattr);
	unsigned char *(*skbuff_optptr)(const struct sk_buff *skb);
	int (*skbuff_setattr)(struct sk_buff *skb,
			      const struct calipso_doi *doi_def,
			      const struct netlbl_lsm_secattr *secattr);
	int (*skbuff_delattr)(struct sk_buff *skb);
	/* Engine-side label cache, driven by netlbl_cache_invalidate() and
	 * netlbl_cache_add() below */
	void (*cache_invalidate)(void);
	int (*cache_add)(const unsigned char *calipso_ptr,
			 const struct netlbl_lsm_secattr *secattr);
};

/*
 * LSM security attribute operations (inline)
 */

/**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_cache structure.  Returns a pointer
 * on success, NULL on failure.  The returned object carries exactly one
 * reference, owned by the caller, and has its @free callback and @data
 * zeroed for the LSM to fill in.
 *
 */
static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
{
	struct netlbl_lsm_cache *cache = kzalloc(sizeof(*cache), flags);

	if (cache == NULL)
		return NULL;

	/* The caller starts out holding the one and only reference. */
	atomic_set(&cache->refcount, 1);
	return cache;
}

/**
 * netlbl_secattr_cache_free - Drop a reference to a netlbl_lsm_cache struct
 * @cache: the struct to release
 *
 * Description:
 * Drops one reference to @cache.  Only when the count reaches zero is the
 * LSM's @free callback run on @data (if one was supplied) and the struct
 * itself kfree()'d; while other references remain nothing else happens.
 *
 */
static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
{
	/* Only the last reference holder tears the object down, so the LSM's
	 * free callback sees @data exactly once. */
	if (atomic_dec_and_test(&cache->refcount)) {
		if (cache->free)
			cache->free(cache->data);
		kfree(cache);
	}
}

/**
 * netlbl_catmap_alloc - Allocate a LSM secattr catmap
 * @flags: memory allocation flags
 *
 * Description:
 * Allocate memory for a single, zeroed LSM secattr catmap node (startbit 0,
 * empty bitmap, no next node); returns a pointer on success, NULL on failure.
 *
 */
static inline struct netlbl_lsm_catmap *netlbl_catmap_alloc(gfp_t flags)
{
	struct netlbl_lsm_catmap *node;

	node = kzalloc(sizeof(*node), flags);
	return node;
}

/**
 * netlbl_catmap_free - Free a LSM secattr catmap
 * @catmap: the category bitmap
 *
 * Description:
 * Free a LSM secattr catmap, i.e. every node reachable through @next starting
 * at @catmap.  A NULL @catmap is accepted and is a no-op.
 *
 */
static inline void netlbl_catmap_free(struct netlbl_lsm_catmap *catmap)
{
	struct netlbl_lsm_catmap *node = catmap;

	while (node != NULL) {
		/* Read the link before the node it lives in is gone. */
		struct netlbl_lsm_catmap *next = node->next;

		kfree(node);
		node = next;
	}
}

/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct.  Every byte is
 * zeroed (padding included), which leaves @flags at NETLBL_SECATTR_NONE and
 * all pointers NULL, so a freshly initialized struct can always be handed to
 * netlbl_secattr_destroy().  Do not call this on a struct that still owns
 * buffers: the ownership bits are wiped and the buffers leak.
 *
 */
static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	memset(secattr, 0, sizeof(*secattr));
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 *
 * Description:
 * Destroys the @secattr struct, including freeing all of the internal buffers.
 * The struct must be reset with a call to netlbl_secattr_init() before reuse.
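 * On return the freed pointers are NULL and their ownership bits in @flags
 * are cleared, so calling this twice does not free anything twice.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{
	/* Each branch releases one owned buffer and then forgets it: the
	 * pointer is cleared and the ownership bit dropped.  Previously the
	 * dangling pointer and the bit were left behind, so a second destroy
	 * (for instance netlbl_secattr_free() on a struct that had already
	 * been destroyed, or a reuse without netlbl_secattr_init()) was a
	 * double free.  Callers still have to netlbl_secattr_init() before
	 * reusing the struct; this only closes the window in between. */
	if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN) {
		kfree(secattr->domain);
		secattr->domain = NULL;
		secattr->flags &= ~NETLBL_SECATTR_DOMAIN_CPY;
	}
	if (secattr->flags & NETLBL_SECATTR_CACHE) {
		netlbl_secattr_cache_free(secattr->cache);
		secattr->cache = NULL;
		secattr->flags &= ~NETLBL_SECATTR_CACHE;
	}
	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
		netlbl_catmap_free(secattr->attr.mls.cat);
		secattr->attr.mls.cat = NULL;
		secattr->flags &= ~NETLBL_SECATTR_MLS_CAT;
	}
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.  The struct comes back zeroed
 * (flags == NETLBL_SECATTR_NONE), exactly as netlbl_secattr_init() would
 * leave it, and is released with netlbl_secattr_free().
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
{
	return kzalloc(sizeof(struct netlbl_lsm_secattr), flags);
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 *
 * Description:
 * Frees @secattr including all of the internal buffers.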
 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
{
	/* Owned buffers first, then the struct itself.  This is the
	 * counterpart of netlbl_secattr_alloc(); a struct that lives on the
	 * stack or inside another object gets netlbl_secattr_destroy() only. */
	netlbl_secattr_destroy(secattr);
	kfree(secattr);
}

#ifdef CONFIG_NETLABEL
/*
 * LSM configuration operations
 *
 * Let an LSM program the mapping tables itself instead of going through the
 * netlink interface.  Every call takes a struct netlbl_audit so the change can
 * be attributed.  Where @addr/@mask are const void *, @family presumably
 * selects whether they point at a struct in_addr or a struct in6_addr (the
 * typed variants below use in_addr for CIPSOv4 and in6_addr for CALIPSO).
 * Results are 0 on success or a negative errno, matching the -ENOSYS stubs
 * in the #else branch.
 */
int netlbl_cfg_map_del(const char *domain,
		       u16 family,
		       const void *addr,
		       const void *mask,
		       struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_map_add(const char *domain,
			     u16 family,
			     const void *addr,
			     const void *mask,
			     struct netlbl_audit *audit_info);
/* Static labels for unlabeled traffic, keyed by interface name and address
 * within @net; @secid is the LSM label such packets are given */
int netlbl_cfg_unlbl_static_add(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				u32 secid,
				struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				struct netlbl_audit *audit_info);
/* CIPSOv4 DOI definitions and the domain -> DOI mapping */
int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
			   struct netlbl_audit *audit_info);
void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_cipsov4_map_add(u32 doi,
			       const char *domain,
			       const struct in_addr *addr,
			       const struct in_addr *mask,
			       struct netlbl_audit *audit_info);
/* CALIPSO equivalents of the three CIPSOv4 calls above, on IPv6 addresses */
int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
			   struct netlbl_audit *audit_info);
void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_calipso_map_add(u32 doi,
			       const char *domain,
			       const struct in6_addr *addr,
			       const struct in6_addr *mask,
			       struct netlbl_audit *audit_info);
/*
 * LSM security attribute operations
 *
 * Sparse category bitmap helpers for struct netlbl_lsm_catmap.  The walk* and
 * getlong calls only read the list.  The set* calls take the address of the
 * list head plus a gfp mask because they may have to allocate a node and
 * update the head; pass the address of the variable the head is kept in.
 * The !CONFIG_NETLABEL stubs return -ENOENT for the walkers, which is
 * presumably also what the real ones return once no further bit is set.
 */
int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset);
int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset);
int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
			  u32 *offset,
			  unsigned long *bitmap);
int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
			 u32 bit,
			 gfp_t flags);
int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
			 u32 start,
			 u32 end,
			 gfp_t flags);
int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
			  u32 offset,
			  unsigned long bitmap,
			  gfp_t flags);

/* Bitmap functions
 *
 * Helpers for plain byte-array bitmaps (as opposed to the catmap above).
 * netlbl_bitmap_walk() is bounded by @bitmap_len, but netlbl_bitmap_setbit()
 * takes no length at all, so the caller must have validated @bit against the
 * buffer size before calling it.
 */
int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
		       u32 offset, u8 state);
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state);

/*
 * LSM
protocol operations (NetLabel LSM/kernel API)
 *
 * The per-socket / per-packet entry points an LSM calls from its hooks.
 * Where @family appears it is the address family of the socket or packet
 * being labeled, supplied explicitly by the caller.
 */
/* Non-zero when NetLabel has something configured worth consulting;
 * presumably what LSMs check before paying for the calls below */
int netlbl_enabled(void);
int netlbl_sock_setattr(struct sock *sk,
			u16 family,
			const struct netlbl_lsm_secattr *secattr);
void netlbl_sock_delattr(struct sock *sk);
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr);
/* Label a socket for the peer in @addr (connect-time variant) */
int netlbl_conn_setattr(struct sock *sk,
			struct sockaddr *addr,
			const struct netlbl_lsm_secattr *secattr);
int netlbl_req_setattr(struct request_sock *req,
		       const struct netlbl_lsm_secattr *secattr);
void netlbl_req_delattr(struct request_sock *req);
int netlbl_skbuff_setattr(struct sk_buff *skb,
			  u16 family,
			  const struct netlbl_lsm_secattr *secattr);
/* Extract the label carried by @skb into @secattr; the caller owns @secattr
 * and must netlbl_secattr_destroy() it afterwards (see the ownership bits) */
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  u16 family,
			  struct netlbl_lsm_secattr *secattr);
/* Report a labeling failure on @skb; @error is presumably an errno and
 * @gateway whether this host is forwarding rather than receiving */
void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway);

/*
 * LSM label mapping cache operations
 *
 * netlbl_cache_add() records the translation of the label on @skb to
 * @secattr so later packets carrying the same label can skip it (see
 * struct netlbl_lsm_cache).
 */
void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb, u16 family,
		     const struct netlbl_lsm_secattr *secattr);

/*
 * Protocol engine operations
 */
/* Opens an audit record of @type attributed per @audit_info.  May return
 * NULL (the stub below always does), so callers must check before logging. */
struct audit_buffer *netlbl_audit_start(int type,
					struct netlbl_audit *audit_info);
#else
/* !CONFIG_NETLABEL: stubs with the same signatures as the prototypes above
 * so that LSM code compiles unchanged and sees "not supported". */
static inline int
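netlbl_cfg_map_del(const char *domain,
				     u16 family,
				     const void *addr,
				     const void *mask,
				     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
/*
 * Configuration stubs for builds without NetLabel.  Each reports -ENOSYS (or
 * does nothing for the void variants) so a caller gets an explicit "not
 * supported" rather than a silent success.  The parameter lists must match
 * the CONFIG_NETLABEL prototypes exactly; a mismatch only shows up as a
 * compile error or qualifier warning in the configuration nobody tests.
 */
/* @addr/@mask are const here to match the real prototype; the stub used to
 * take plain void * and warned on the const pointers callers pass. */
static inline int netlbl_cfg_unlbl_map_add(const char *domain,
					   u16 family,
					   const void *addr,
					   const void *mask,
					   struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_add(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      u32 secid,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_del(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
					 struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline void netlbl_cfg_cipsov4_del(u32 doi,
					  struct netlbl_audit *audit_info)
{
	return;
}
static inline int netlbl_cfg_cipsov4_map_add(u32 doi,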
					     const char *domain,
					     const struct in_addr *addr,
					     const struct in_addr *mask,
					     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
					 struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline void netlbl_cfg_calipso_del(u32 doi,
					  struct netlbl_audit *audit_info)
{
	return;
}
static inline int netlbl_cfg_calipso_map_add(u32 doi,
					     const char *domain,
					     const struct in6_addr *addr,
					     const struct in6_addr *mask,
					     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
/* Catmap stubs: the walkers report "no bit found" (-ENOENT) and the setters
 * report success without storing anything, so without NetLabel an LSM always
 * sees an empty category map.  Callers that treat 0 from a setter as "bit now
 * set" get a map that is still empty here. */
static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
				     u32 offset)
{
	return -ENOENT;
}
static inline int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap,
					u32 offset)
{
	return -ENOENT;
}
/* Returns 0 without touching *offset or *bitmap. */
static inline int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
					u32 *offset,
					unsigned long *bitmap)
{
	return 0;
}
static inline int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
				       u32 bit,
				       gfp_t flags)
{
	return 0;
}
static inline int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
				       u32 start,
				       u32 end,
				       gfp_t flags)
{
	return 0;
}
static inline int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
					u32 offset,
					unsigned long bitmap,
					gfp_t flags)
{
	return 0;
}
/* Without NetLabel, labeling is never "enabled" ... */
static inline int netlbl_enabled(void)
{
	return 0;
}
/* ... and every attempt to set or read a label fails with -ENOSYS, which
 * the calling LSM presumably maps to "unlabeled" rather than an error. */
static inline int netlbl_sock_setattr(struct sock *sk,
				      u16 family,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_sock_delattr(struct sock *sk)
{
}
static inline int netlbl_sock_getattr(struct sock *sk,
				      struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_conn_setattr(struct sock *sk,
				      struct sockaddr *addr,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_req_setattr(struct request_sock *req,
				     const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void
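netlbl_req_delattr(struct request_sock *req)
{
	return;
}
static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
					u16 family,
					const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
/* Leaves @secattr untouched; the caller's netlbl_secattr_init() state is
 * what it sees afterwards. */
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					u16 family,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
/* Must mirror the CONFIG_NETLABEL prototype, which takes the address family
 * as its second argument; the stub previously lacked @family, so any caller
 * using the documented four-argument form failed to build without NetLabel. */
static inline void netlbl_skbuff_err(struct sk_buff *skb,
				     u16 family,
				     int error,
				     int gateway)
{
	return;
}
static inline void netlbl_cache_invalidate(void)
{
	return;
}
/* Reports success although nothing was cached; harmless because the lookups
 * above never return a label either. */
static inline int netlbl_cache_add(const struct sk_buff *skb, u16 family,
				   const struct netlbl_lsm_secattr *secattr)
{
	return 0;
}
/* No audit buffer without NetLabel; callers must handle NULL. */
static inline struct audit_buffer *netlbl_audit_start(int type,
						struct netlbl_audit *audit_info)
{
	return NULL;
}
#endif /* CONFIG_NETLABEL */

/* Registers the CALIPSO engine's operations (struct netlbl_calipso_ops) with
 * the NetLabel core.  Note this is declared outside the CONFIG_NETLABEL
 * guard.  What the returned pointer means on success versus failure is
 * defined by the implementation in net/netlabel/, so check it there before
 * assuming registration took effect. */
const struct netlbl_calipso_ops *
netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);

#endif /* _NETLABEL_H */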