/*
 * NetLabel System
 *
 * The NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef _NETLABEL_H
#define _NETLABEL_H

#include <linux/types.h>
#include <linux/slab.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <net/netlink.h>
#include <net/request_sock.h>
#include <linux/atomic.h>

/* Opaque here; only pointers to it are passed through the cfg API below. */
struct cipso_v4_doi;

/*
 * NetLabel - A management interface for maintaining network packet label
 *            mapping tables for explicit packet labeling protocols.
 *
 * Network protocols such as CIPSO and RIPSO require a label translation layer
 * to convert the label on the packet into something meaningful on the host
 * machine.  In the current Linux implementation these mapping tables live
 * inside the kernel; NetLabel provides a mechanism for user space applications
 * to manage these mapping tables.
 *
 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
 * send messages between kernel and user space.  The general format of a
 * NetLabel message is shown below:
 *
 *  +-----------------+-------------------+--------- --- -- -
 *  | struct nlmsghdr | struct genlmsghdr | payload
 *  +-----------------+-------------------+--------- --- -- -
 *
 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
 * The payload is dependent on the subsystem specified in the
 * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
 * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
 * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
 * the include/net/netlink.h file for more information on NETLINK attributes.
 *
 */

/*
 * NetLabel NETLINK protocol
 */

/* NetLabel NETLINK protocol version
 *  1: initial version
 *  2: added static labels for unlabeled connections
 *  3: network selectors added to the NetLabel/LSM domain mapping and the
 *     CIPSO_V4_MAP_LOCAL CIPSO mapping was added
 *
 * NOTE(review): the version log above implies this number is bumped whenever
 * the message format visible to user space changes - keep doing so.
 */
#define NETLBL_PROTO_VERSION            3

/* NetLabel NETLINK types/families
 *
 * Each numeric type is paired with the Generic NETLINK family name string
 * registered for that subsystem.  These values are presumably part of the
 * user-space-facing protocol; do not renumber or rename them without
 * bumping NETLBL_PROTO_VERSION - confirm against net/netlabel/.
 */
#define NETLBL_NLTYPE_NONE              0
#define NETLBL_NLTYPE_MGMT              1
#define NETLBL_NLTYPE_MGMT_NAME         "NLBL_MGMT"
#define NETLBL_NLTYPE_RIPSO             2
#define NETLBL_NLTYPE_RIPSO_NAME        "NLBL_RIPSO"
#define NETLBL_NLTYPE_CIPSOV4           3
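#define NETLBL_NLTYPE_CIPSOV4_NAME      "NLBL_CIPSOv4"
#define NETLBL_NLTYPE_CIPSOV6           4
#define NETLBL_NLTYPE_CIPSOV6_NAME      "NLBL_CIPSOv6"
#define NETLBL_NLTYPE_UNLABELED         5
#define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"
#define NETLBL_NLTYPE_ADDRSELECT        6
#define NETLBL_NLTYPE_ADDRSELECT_NAME   "NLBL_ADRSEL"

/*
 * NetLabel - Kernel API for accessing the network packet label mappings.
 *
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO.  The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/* NetLabel audit information
 *
 * Caller-supplied identity used when NetLabel emits audit records; every
 * netlbl_cfg_*() call and netlbl_audit_start() below take a pointer to it.
 */
struct netlbl_audit {
	u32 secid;		/* LSM secid of the caller */
	kuid_t loginuid;	/* audit login uid of the caller */
	unsigned int sessionid;	/* audit session id of the caller */
};

/*
 * LSM security attributes
 */

/**
 * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
 * @refcount: atomic reference counter
 * @free: LSM supplied function to free the cache data
 * @data: LSM supplied cache data
 *
 * Description:
 * This structure is provided for LSMs which wish to make use of the NetLabel
 * caching mechanism to store LSM specific data/attributes in the NetLabel
 * cache.  If the LSM has to perform a lot of translation from the NetLabel
 * security attributes into its own internal representation then the cache
 * mechanism can provide a way to eliminate some or all of that translation
 * overhead on a cache hit.
 *
 * @refcount starts at 1 (see netlbl_secattr_cache_alloc()) and the object,
 * together with @data via @free, is released by netlbl_secattr_cache_free()
 * when the count drops to zero.  @free may be NULL, in which case @data is
 * left alone.
 *
 */
struct netlbl_lsm_cache {
	atomic_t refcount;
	void (*free) (const void *data);
	void *data;
};

/**
 * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
 * @startbit: the value of the lowest order bit in the bitmap
 * @bitmap: the category bitmap
 * @next: pointer to the next bitmap "node" or NULL
 *
 * Description:
 * This structure is used to represent category bitmaps.  Due to the large
 * number of categories supported by most labeling protocols it is not
 * practical to transfer a full bitmap internally so NetLabel adopts a sparse
 * bitmap structure modeled after SELinux's ebitmap structure.
 * The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
 * processing.
 *
 */
#define NETLBL_CATMAP_MAPTYPE           u64
#define NETLBL_CATMAP_MAPCNT            4
/* bits per bitmap word */
#define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
/* bits per catmap node */
#define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
					 NETLBL_CATMAP_MAPCNT)
/* Fully parenthesized so the cast can never bind differently at a use site. */
#define NETLBL_CATMAP_BIT               ((NETLBL_CATMAP_MAPTYPE)0x01)
struct netlbl_lsm_secattr_catmap {
	u32 startbit;
	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
	struct netlbl_lsm_secattr_catmap *next;
};

/**
 * struct netlbl_lsm_secattr - NetLabel LSM security attributes
 * @flags: indicate structure attributes, see NETLBL_SECATTR_*
 * @type: indicate the NLTYPE of the attributes
 * @domain: the NetLabel LSM domain
 * @cache: NetLabel LSM specific cache
 * @attr.mls: MLS sensitivity label
 * @attr.mls.cat: MLS category bitmap
 * @attr.mls.lvl: MLS sensitivity level
 * @attr.secid: LSM specific secid token
 *
 * Description:
 * This structure is used to pass security attributes between NetLabel and the
 * LSM modules.  The flags field is used to specify which fields within the
 * struct are valid and valid values can be created by bitwise OR'ing the
 * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
 * specify domain specific configuration settings and is not usually used by
 * NetLabel itself when returning security attributes to the LSM.
 *
 * Ownership: netlbl_secattr_destroy() frees @domain only when
 * NETLBL_SECATTR_FREE_DOMAIN is set, drops the @cache reference only when
 * NETLBL_SECATTR_CACHE is set, and frees @attr.mls.cat only when
 * NETLBL_SECATTR_MLS_CAT is set - so a flag must be set exactly when the
 * corresponding pointer is owned by this struct.
 *
 */
struct netlbl_lsm_secattr {
	u32 flags;
	/* bitmap values for 'flags' */
#define NETLBL_SECATTR_NONE             0x00000000
#define NETLBL_SECATTR_DOMAIN           0x00000001
	/* NETLBL_SECATTR_FREE_DOMAIN is defined further down; macro expansion
	 * happens at the point of use so the forward reference is fine. */
#define NETLBL_SECATTR_DOMAIN_CPY       (NETLBL_SECATTR_DOMAIN | \
					 NETLBL_SECATTR_FREE_DOMAIN)
#define NETLBL_SECATTR_CACHE            0x00000002
#define NETLBL_SECATTR_MLS_LVL          0x00000004
#define NETLBL_SECATTR_MLS_CAT          0x00000008
#define NETLBL_SECATTR_SECID            0x00000010
	/* bitmap meta-values for 'flags' */
#define NETLBL_SECATTR_FREE_DOMAIN      0x01000000
#define NETLBL_SECATTR_CACHEABLE        (NETLBL_SECATTR_MLS_LVL | \
					 NETLBL_SECATTR_MLS_CAT | \
					 NETLBL_SECATTR_SECID)
	u32 type;
	char *domain;
	struct netlbl_lsm_cache *cache;
	struct {
		struct {
			struct netlbl_lsm_secattr_catmap *cat;
			u32 lvl;
		} mls;
		u32 secid;
	} attr;
};

/*
 * LSM security attribute operations (inline)
 */

/**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_cache structure.  Returns a pointer
 * on success, NULL on failure.  The returned object is zeroed (so @free and
 * @data are NULL) and holds a single reference.
 *
 */
static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
{
	struct netlbl_lsm_cache *cache;

	cache = kzalloc(sizeof(*cache), flags);
	if (cache)
		atomic_set(&cache->refcount, 1);
	return cache;
}

/**
 * netlbl_secattr_cache_free - Frees a netlbl_lsm_cache struct
 * @cache: the struct to free
 *
 * Description:
 * Drops one reference to @cache; when the last reference goes away the LSM
 * supplied @cache->free callback (if any) is invoked on @cache->data and the
 * struct itself is released.  @cache must not be NULL - the refcount is
 * dereferenced unconditionally.
 *
 */
static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
{
	/* other holders still reference the object */
	if (!atomic_dec_and_test(&cache->refcount))
		return;

	if (cache->free)
		cache->free(cache->data);
	kfree(cache);
}

/**
 * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
 * @flags: memory allocation flags
 *
 * Description:
 * Allocate memory for a LSM secattr catmap, returns a pointer on success, NULL
 * on failure.  The node is zeroed: startbit 0, empty bitmap, next == NULL.
 *
 */
static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
							           gfp_t flags)
{
	return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
}

/**
 * netlbl_secattr_catmap_free - Free a LSM secattr catmap
 * @catmap: the category bitmap
 *
 * Description:
 * Free a LSM secattr catmap, walking and releasing every node reachable
 * through @catmap->next.  A NULL @catmap is a no-op.
 *
 */
static inline void netlbl_secattr_catmap_free(
				      struct netlbl_lsm_secattr_catmap *catmap)
{
	struct netlbl_lsm_secattr_catmap *iter;

	while (catmap) {
		/* grab the successor before the node is gone */
		iter = catmap;
		catmap = catmap->next;
		kfree(iter);
	}
}

/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct.  Every field is
 * zeroed, which leaves @secattr->flags == NETLBL_SECATTR_NONE.
 *
 */
static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	memset(secattr, 0, sizeof(*secattr));
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 *
 * Description:
 * Destroys the @secattr struct, including freeing all of the internal buffers.
 * The struct must be reset with a call to netlbl_secattr_init() before reuse.
 * Neither @secattr->flags nor the freed pointers are cleared here, so calling
 * this twice on the same struct without an intervening netlbl_secattr_init()
 * would free the same buffers again.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{
	/* each buffer is owned by the struct only when its flag is set */
	if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN)
		kfree(secattr->domain);
	if (secattr->flags & NETLBL_SECATTR_CACHE)
		netlbl_secattr_cache_free(secattr->cache);
	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
		netlbl_secattr_catmap_free(secattr->attr.mls.cat);
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.  The zeroed allocation is
 * equivalent to a struct that has been through netlbl_secattr_init().
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
{
	return kzalloc(sizeof(struct netlbl_lsm_secattr), flags);
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 *
 * Description:
 * Frees @secattr including all of the internal buffers.  Only for structs
 * obtained from netlbl_secattr_alloc(); embedded or stack structs should use
 * netlbl_secattr_destroy() instead.
 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
{
	netlbl_secattr_destroy(secattr);
	kfree(secattr);
}

#ifdef CONFIG_NETLABEL
/*
 * LSM configuration operations
 */
int netlbl_cfg_map_del(const char *domain,
		       u16 family,
		       const void *addr,
		       const void *mask,
		       struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_map_add(const char *domain,
			     u16 family,
			     const void *addr,
			     const void *mask,
			     struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_add(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				u32 secid,
				struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				struct netlbl_audit *audit_info);
int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
			   struct netlbl_audit *audit_info);
void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_cipsov4_map_add(u32 doi,
			       const char *domain,
			       const struct in_addr *addr,
			       const struct in_addr *mask,
			       struct netlbl_audit *audit_info);
/*
 * LSM security attribute operations
 */
int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
			       u32 offset);
int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
				   u32 offset);
int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
				  u32 *offset,
				  unsigned long *bitmap);
/* The setters take a double pointer: they may have to allocate a new node
 * (with @flags) and link it into the chain - presumably the reason for the
 * gfp_t argument; see netlabel_kapi.c for the exact contract. */
int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
				 u32 bit,
				 gfp_t flags);
int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
				 u32 start,
				 u32 end,
				 gfp_t flags);
int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
				  u32 offset,
				  unsigned long bitmap,
				  gfp_t flags);

/*
 * LSM protocol operations (NetLabel LSM/kernel API)
 */
int netlbl_enabled(void);
int netlbl_sock_setattr(struct sock *sk,
			u16 family,
			const struct netlbl_lsm_secattr *secattr);
void netlbl_sock_delattr(struct sock *sk);
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr);
int netlbl_conn_setattr(struct sock *sk,
			struct sockaddr *addr,
			const struct netlbl_lsm_secattr *secattr);
int netlbl_req_setattr(struct request_sock *req,
		       const struct netlbl_lsm_secattr *secattr);
void netlbl_req_delattr(struct request_sock *req);
int netlbl_skbuff_setattr(struct sk_buff *skb,
			  u16 family,
			  const struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  u16 family,
			  struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);

/*
 * LSM label mapping cache operations
 */
void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb,
		     const struct netlbl_lsm_secattr *secattr);

/*
 * Protocol engine operations
 */
struct audit_buffer *netlbl_audit_start(int type,
					struct netlbl_audit *audit_info);
#else
/*
 * CONFIG_NETLABEL disabled: every entry point is a static inline stub with
 * the same signature as the real prototype above.  Configuration calls and
 * the sock/skbuff attribute calls fail with -ENOSYS, the catmap walk helpers
 * report -ENOENT (nothing to find), and netlbl_enabled() returns 0.  The
 * catmap setters and netlbl_cache_add() return 0 without doing anything,
 * so callers cannot tell from those return values alone that labeling is
 * compiled out - check netlbl_enabled() first.
 */
static inline int netlbl_cfg_map_del(const char *domain,
				     u16 family,
				     const void *addr,
				     const void *mask,
				     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
/* addr/mask are const here to match the real prototype exactly */
static inline int netlbl_cfg_unlbl_map_add(const char *domain,
					   u16 family,
					   const void *addr,
					   const void *mask,
					   struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_add(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      u32 secid,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_unlbl_static_del(struct net *net,
					      const char *dev_name,
					      const void *addr,
					      const void *mask,
					      u16 family,
					      struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
					 struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline void netlbl_cfg_cipsov4_del(u32 doi,
					  struct netlbl_audit *audit_info)
{
	return;
}
static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
					     const char *domain,
					     const struct in_addr *addr,
					     const struct in_addr *mask,
					     struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
static inline int netlbl_secattr_catmap_walk(
				      struct netlbl_lsm_secattr_catmap *catmap,
				      u32 offset)
{
	return -ENOENT;
}
static inline int netlbl_secattr_catmap_walk_rng(
				      struct netlbl_lsm_secattr_catmap *catmap,
				      u32 offset)
{
	return -ENOENT;
}
static inline int netlbl_secattr_catmap_getlong(
				      struct netlbl_lsm_secattr_catmap *catmap,
				      u32 *offset,
				      unsigned long *bitmap)
{
	return 0;
}
static inline int netlbl_secattr_catmap_setbit(
				     struct netlbl_lsm_secattr_catmap **catmap,
				     u32 bit,
				     gfp_t flags)
{
	return 0;
}
static inline int netlbl_secattr_catmap_setrng(
				     struct netlbl_lsm_secattr_catmap **catmap,
				     u32 start,
				     u32 end,
				     gfp_t flags)
{
	return 0;
}
/* Must be static inline like its siblings: a plain static definition in a
 * header is instantiated (and warned about as unused) in every translation
 * unit that includes this file but never calls it. */
static inline int netlbl_secattr_catmap_setlong(
				     struct netlbl_lsm_secattr_catmap **catmap,
				     u32 offset,
				     unsigned long bitmap,
				     gfp_t flags)
{
	return 0;
}
static inline int netlbl_enabled(void)
{
	return 0;
}
static inline int netlbl_sock_setattr(struct sock *sk,
				      u16 family,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_sock_delattr(struct sock *sk)
{
}
static inline int netlbl_sock_getattr(struct sock *sk,
				      struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_conn_setattr(struct sock *sk,
				      struct sockaddr *addr,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_req_setattr(struct request_sock *req,
				     const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_req_delattr(struct request_sock *req)
{
	return;
}
static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
				      u16 family,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					u16 family,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
static inline void netlbl_skbuff_err(struct sk_buff *skb,
				     int error,
				     int gateway)
{
	return;
}
static inline void netlbl_cache_invalidate(void)
{
	return;
}
static inline int netlbl_cache_add(const struct sk_buff *skb,
				   const struct netlbl_lsm_secattr *secattr)
{
	return 0;
}
static inline struct audit_buffer *netlbl_audit_start(int type,
						struct netlbl_audit *audit_info)
{
	return NULL;
}
#endif /* CONFIG_NETLABEL */

#endif /* _NETLABEL_H */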