/*
 * NetLabel System
 *
 * The NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 */

#ifndef _NETLABEL_H
#define _NETLABEL_H

#include <linux/types.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <net/netlink.h>
#include <asm/atomic.h>

/*
 * NetLabel - A management interface for maintaining network packet label
 *            mapping tables for explicit packet labeling protocols.
 *
 * Network protocols such as CIPSO and RIPSO require a label translation layer
 * to convert the label on the packet into something meaningful on the host
 * machine.  In the current Linux implementation these mapping tables live
 * inside the kernel; NetLabel provides a mechanism for user space applications
 * to manage these mapping tables.
 *
 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
 * send messages between kernel and user space.  The general format of a
 * NetLabel message is shown below:
 *
 *  +-----------------+-------------------+--------- --- -- -
 *  | struct nlmsghdr | struct genlmsghdr | payload
 *  +-----------------+-------------------+--------- --- -- -
 *
 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
 * The payload is dependent on the subsystem specified in the
 * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
 * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
 * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
 * the include/net/netlink.h file for more information on NETLINK attributes.
 *
 */

/*
 * NetLabel NETLINK protocol
 */

/* Version number of the NetLabel NETLINK protocol described above. */
#define NETLBL_PROTO_VERSION            1

/* NetLabel NETLINK types/families
 * Each numeric type below has a matching *_NAME string; by their values the
 * strings are presumably the Generic NETLINK family names the corresponding
 * net/netlabel/netlabel_<subsys>.c registers (confirm there). */
#define NETLBL_NLTYPE_NONE              0
#define NETLBL_NLTYPE_MGMT              1
#define NETLBL_NLTYPE_MGMT_NAME         "NLBL_MGMT"
#define NETLBL_NLTYPE_RIPSO             2
#define NETLBL_NLTYPE_RIPSO_NAME        "NLBL_RIPSO"
#define NETLBL_NLTYPE_CIPSOV4           3
#define NETLBL_NLTYPE_CIPSOV4_NAME      "NLBL_CIPSOv4"
#define NETLBL_NLTYPE_CIPSOV6           4
#define NETLBL_NLTYPE_CIPSOV6_NAME      "NLBL_CIPSOv6"
#define NETLBL_NLTYPE_UNLABELED         5
#define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"

/*
 * NetLabel - Kernel API for accessing the network packet label mappings.
 *
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO.  The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/* NetLabel audit information
 * Passed alongside mapping changes (see netlbl_domhsh_remove()) so the change
 * can be attributed to the requesting subject in the audit record. */
struct netlbl_audit {
	u32 secid;		/* LSM security ID of the requester */
	uid_t loginuid;		/* audit login UID of the requester */
};

/* Domain mapping definition struct
 * Opaque to users of this header; the definition lives in net/netlabel. */
struct netlbl_dom_map;

/* Domain mapping operations */
/* Remove the label mapping registered for @domain, recording the request in
 * the audit log using @audit_info.  Return value convention is not visible
 * here; check net/netlabel for the error codes a caller must handle.  Note
 * that, unlike the LSM operations further down, this declaration has no
 * CONFIG_NETLABEL fallback stub. */
int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);

/* LSM security attributes */
/* Reference-counted, LSM-private blob hung off a netlbl_lsm_secattr.
 * netlbl_secattr_cache_alloc() returns it with refcount == 1 and every
 * netlbl_secattr_cache_free() call drops one reference; only the drop that
 * reaches zero invokes @free on @data and releases the struct. */
struct netlbl_lsm_cache {
	atomic_t refcount;			/* see above; never read directly */
	void (*free) (const void *data);	/* LSM destructor for @data, may be NULL */
	void *data;				/* LSM-private payload */
};
/* The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
 * processing.
 *
 * With the values below: 64 bits per word (MAPSIZE), 4 words per node
 * (MAPCNT), 256 category bits per node (SIZE). */
#define NETLBL_CATMAP_MAPTYPE           u64
#define NETLBL_CATMAP_MAPCNT            4
#define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
#define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
					 NETLBL_CATMAP_MAPCNT)
/* The low bit expressed in the word type, for building bit masks. */
#define NETLBL_CATMAP_BIT               (NETLBL_CATMAP_MAPTYPE)0x01
/* One node of a singly linked category bitmap; see the *_catmap_* helpers
 * below.  Nodes are allocated zeroed and the chain is NULL terminated. */
struct netlbl_lsm_secattr_catmap {
	u32 startbit;		/* first category covered by this node (by name; confirm in netlabel_kapi.c) */
	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];	/* NETLBL_CATMAP_SIZE category bits */
	struct netlbl_lsm_secattr_catmap *next;	/* next node or NULL */
};
/* Bits for netlbl_lsm_secattr.flags.  By name each bit pairs with the
 * like-named field of the struct; netlbl_secattr_init() and
 * netlbl_secattr_alloc() both start with none set. */
#define NETLBL_SECATTR_NONE             0x00000000
#define NETLBL_SECATTR_DOMAIN           0x00000001
#define NETLBL_SECATTR_CACHE            0x00000002
#define NETLBL_SECATTR_MLS_LVL          0x00000004
#define NETLBL_SECATTR_MLS_CAT          0x00000008
/* Security attributes an LSM exchanges with NetLabel for a socket or packet.
 * Owns @domain, the @mls_cat chain and one reference on @cache; all three are
 * released by netlbl_secattr_destroy(). */
struct netlbl_lsm_secattr {
	u32 flags;		/* NETLBL_SECATTR_* bits */

	char *domain;		/* kfree()'d by netlbl_secattr_destroy() */

	u32 mls_lvl;		/* MLS sensitivity level; not touched by netlbl_secattr_init() */
	struct netlbl_lsm_secattr_catmap *mls_cat;	/* category bitmap chain, may be NULL */

	struct netlbl_lsm_cache *cache;	/* one held reference, may be NULL */
};

/*
 * LSM security attribute operations
 */


/**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_cache structure.  Returns a pointer
 * on success, NULL on failure.  The returned cache carries a single reference
 * owned by the caller; its @free and @data members are zeroed and must be set
 * by the LSM before the cache is handed to anything that will drop it.
 *
 */
static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
{
	struct netlbl_lsm_cache *cache;

	cache = kzalloc(sizeof(*cache), flags);
	if (cache)
		atomic_set(&cache->refcount, 1);	/* the caller's reference */
	return cache;
}

/**
 * netlbl_secattr_cache_free - Frees a netlbl_lsm_cache struct
 * @cache: the struct to free
 *
 * Description:
 * Drops one reference to @cache.  Only when the count reaches zero is the
 * LSM-supplied @cache->free callback invoked on @cache->data (if set) and the
 * struct itself kfree()'d; any earlier call releases nothing.  @cache must not
 * be NULL.  Despite the name this is a "put", so callers must not touch
 * @cache after calling it unless they hold another reference.
 *
 */
static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
{
	if (!atomic_dec_and_test(&cache->refcount))
		return;		/* other holders remain */

	if (cache->free)
		cache->free(cache->data);
	kfree(cache);
}

/**
 * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
 * @flags: memory allocation flags
 *
 * Description:
 * Allocate memory for a LSM secattr catmap, returns a pointer on success, NULL
 * on failure.  The node is zeroed: no bits set, @startbit 0, @next NULL.
 *
 */
static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
								  gfp_t flags)
{
	return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
}

/**
 * netlbl_secattr_catmap_free - Free a LSM secattr catmap
 * @catmap: the category bitmap
 *
 * Description:
 * Free a LSM secattr catmap, walking and releasing every node of the @next
 * chain.  @catmap must not be NULL: the first node is dereferenced before the
 * loop condition is evaluated, so callers guard the NULL case themselves
 * (as netlbl_secattr_destroy() does).
 *
 */
static inline void netlbl_secattr_catmap_free(
				      struct netlbl_lsm_secattr_catmap *catmap)
{
	struct netlbl_lsm_secattr_catmap *iter;

	do {
		iter = catmap;
		catmap = catmap->next;	/* read the link before freeing the node */
		kfree(iter);
	} while (catmap);
}

/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct.  Clears @flags
 * and NULLs the pointer members; @mls_lvl is deliberately left alone,
 * presumably because a clear NETLBL_SECATTR_MLS_LVL flag already marks it
 * unused.  Nothing the struct previously pointed to is released, so a
 * populated struct must go through netlbl_secattr_destroy() first or its
 * buffers leak.
 *
 */
static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	secattr->flags = 0;
	secattr->domain = NULL;
	secattr->mls_cat = NULL;
	secattr->cache = NULL;
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 *
 * Description:
 * Destroys the @secattr struct, including freeing all of the internal buffers:
 * drops the @cache reference if one is held, kfree()s @domain (a NULL domain
 * is fine) and frees the whole @mls_cat chain if present.  The now-dangling
 * pointers are left in place, so the struct must be reset with a call to
 * netlbl_secattr_init() before reuse; reading them before that is a
 * use-after-free.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{
	if (secattr->cache)
		netlbl_secattr_cache_free(secattr->cache);
	kfree(secattr->domain);
	if (secattr->mls_cat)
		netlbl_secattr_catmap_free(secattr->mls_cat);
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.  kzalloc() leaves @flags at 0 and
 * every pointer NULL, the same state netlbl_secattr_init() produces, so no
 * separate init call is needed on the result.
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
{
	return kzalloc(sizeof(struct netlbl_lsm_secattr), flags);
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 *
 * Description:
 * Frees @secattr including all of the internal buffers, via
 * netlbl_secattr_destroy(), and then the struct itself.  @secattr must not be
 * NULL.
 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
{
	netlbl_secattr_destroy(secattr);
	kfree(secattr);
}

/*
 * Category bitmap helpers, implemented in net/netlabel/netlabel_kapi.c.
 * When CONFIG_NETLABEL is disabled the stubs below make the walk functions
 * report -ENOENT (no category found) and the set functions return 0 without
 * recording anything, so a caller gets "success" while the requested category
 * bits are silently dropped.
 */
#ifdef CONFIG_NETLABEL
int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
			       u32 offset);
int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
				   u32 offset);
int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
				 u32 bit,
				 gfp_t flags);
int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
				 u32 start,
				 u32 end,
				 gfp_t flags);
#else
static inline int netlbl_secattr_catmap_walk(
			             struct netlbl_lsm_secattr_catmap *catmap,
				     u32 offset)
{
	return -ENOENT;
}

static inline int netlbl_secattr_catmap_walk_rng(
				     struct netlbl_lsm_secattr_catmap *catmap,
				     u32 offset)
{
	return -ENOENT;
}

static inline int netlbl_secattr_catmap_setbit(
				     struct netlbl_lsm_secattr_catmap *catmap,
				     u32 bit,
				     gfp_t flags)
{
	return 0;	/* reports success but stores nothing */
}

static inline int netlbl_secattr_catmap_setrng(
				     struct netlbl_lsm_secattr_catmap *catmap,
				     u32 start,
				     u32 end,
				     gfp_t flags)
{
	return 0;	/* reports success but stores nothing */
}
#endif /* CONFIG_NETLABEL */

/*
 * LSM protocol operations
 *
 * With CONFIG_NETLABEL disabled, the *_setattr/*_getattr stubs return -ENOSYS
 * and netlbl_skbuff_err() does nothing, so an LSM can distinguish "NetLabel
 * not built" (-ENOSYS) from a genuine labeling failure.
 */

#ifdef CONFIG_NETLABEL
/* Apply @secattr to outgoing traffic on @sk. */
int netlbl_sock_setattr(struct sock *sk,
			const struct netlbl_lsm_secattr *secattr);
/* Fill @secattr from the labeling state of @sk. */
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr);
/* Fill @secattr from the label carried by @skb. */
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  struct netlbl_lsm_secattr *secattr);
/* Report @error for a packet whose label was rejected (intent inferred from
 * the name; see netlabel_kapi.c for what is actually sent). */
void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else
static inline int netlbl_sock_setattr(struct sock *sk,
				      const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

static inline int netlbl_sock_getattr(struct sock *sk,
				      struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
{
	return;
}
#endif /* CONFIG_NETLABEL */

/*
 * LSM label mapping cache operations
 *
 * With CONFIG_NETLABEL disabled, invalidation is a no-op and
 * netlbl_cache_add() returns 0 (success) without caching anything.
 */

#ifdef CONFIG_NETLABEL
/* Drop every cached label-to-secattr mapping (e.g. after a policy change). */
void netlbl_cache_invalidate(void);
/* Cache @secattr as the mapping for the label on @skb; presumably the @skb is
 * only used to locate the label, so @secattr must already be fully resolved. */
int netlbl_cache_add(const struct sk_buff *skb,
		     const struct netlbl_lsm_secattr *secattr);
#else
static inline void netlbl_cache_invalidate(void)
{
	return;
}

static inline int netlbl_cache_add(const struct sk_buff *skb,
				   const struct netlbl_lsm_secattr *secattr)
{
	return 0;	/* reports success but caches nothing */
}
#endif /* CONFIG_NETLABEL */

#endif /* _NETLABEL_H */