/*
 * NetLabel System
 *
 * The NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 */

#ifndef _NETLABEL_H
#define _NETLABEL_H

#include <linux/types.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <net/netlink.h>
#include <asm/atomic.h>

/*
 * NetLabel - A management interface for maintaining network packet label
 * mapping tables for explicit packet labeling protocols.
 *
 * Network protocols such as CIPSO and RIPSO require a label translation layer
 * to convert the label on the packet into something meaningful on the host
 * machine.  In the current Linux implementation these mapping tables live
 * inside the kernel; NetLabel provides a mechanism for user space applications
 * to manage these mapping tables.
 *
 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
 * send messages between kernel and user space.  The general format of a
 * NetLabel message is shown below:
 *
 *  +-----------------+-------------------+--------- --- -- -
 *  | struct nlmsghdr | struct genlmsghdr | payload
 *  +-----------------+-------------------+--------- --- -- -
 *
 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
 * The payload is dependent on the subsystem specified in the
 * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
 * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
 * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
 * the include/net/netlink.h file for more information on NETLINK attributes.
 *
 * NOTE(review): the payload attributes arrive from user space over NETLINK,
 * so each subsystem handler is the place where their presence, length and
 * range have to be checked before the values reach the mapping tables.
 *
 */

/*
 * NetLabel NETLINK protocol
 */

/* wire protocol version of the NetLabel NETLINK messages */
#define NETLBL_PROTO_VERSION            1

/*
 * NetLabel NETLINK types/families
 *
 * Each subsystem has a numeric type and a *_NAME string; the strings are
 * presumably the Generic NETLINK family names registered by the
 * corresponding net/netlabel/netlabel_<subsys>.c file - confirm there.
 */
#define NETLBL_NLTYPE_NONE              0
#define NETLBL_NLTYPE_MGMT              1
#define NETLBL_NLTYPE_MGMT_NAME         "NLBL_MGMT"
#define NETLBL_NLTYPE_RIPSO             2
#define NETLBL_NLTYPE_RIPSO_NAME        "NLBL_RIPSO"
#define NETLBL_NLTYPE_CIPSOV4           3
#define NETLBL_NLTYPE_CIPSOV4_NAME      "NLBL_CIPSOv4"
#define NETLBL_NLTYPE_CIPSOV6           4
#define NETLBL_NLTYPE_CIPSOV6_NAME      "NLBL_CIPSOv6"
#define NETLBL_NLTYPE_UNLABELED         5
#define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"

/*
 * NetLabel - Kernel API for accessing the network packet label mappings.
 *
 * The following functions are provided for use by other kernel modules,
 * specifically kernel LSM modules, to provide a consistent, transparent API
 * for dealing with explicit packet labeling protocols such as CIPSO and
 * RIPSO.  The functions defined here are implemented in the
 * net/netlabel/netlabel_kapi.c file.
 *
 */

/*
 * NetLabel audit information
 *
 * Passed to management operations (see netlbl_domhsh_remove() below) so the
 * operation can be attributed in the audit log.  Which subject the two
 * fields describe is not visible here - presumably the requesting task;
 * confirm against net/netlabel/netlabel_kapi.c.
 */
struct netlbl_audit {
	u32 secid;		/* LSM security identifier */
	uid_t loginuid;		/* login UID */
};

/* Domain mapping definition struct (opaque here, defined in net/netlabel) */
struct netlbl_dom_map;

/*
 * Domain mapping operations
 *
 * netlbl_domhsh_remove() - remove the mapping for @domain, recording the
 * operation with @audit_info.  Return convention is not visible in this
 * header; assumed to be 0 / negative errno like the rest of the API.
 */
int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);

/*
 * LSM security attributes
 *
 * netlbl_lsm_cache carries an LSM-private blob (@data) together with the
 * callback (@free) that releases it.  The object is reference counted:
 * netlbl_secattr_cache_alloc() starts @refcount at one and every
 * netlbl_secattr_cache_free() drops one reference; only the drop that
 * reaches zero invokes @free (when non-NULL) and kfree()s the struct.
 */
struct netlbl_lsm_cache {
	atomic_t refcount;		/* number of holders of this cache entry */
	void (*free) (const void *data);	/* releases @data; may be NULL */
	void *data;			/* LSM-owned payload, opaque to NetLabel */
};

/*
 * The label attributes NetLabel reads from, or applies to, a packet or
 * socket (see the netlbl_*_getattr()/netlbl_socket_setattr() calls below).
 *
 * @domain and @mls_cat are heap buffers owned by this struct - both are
 * kfree()d by netlbl_secattr_destroy().  @cache is optional; when set it
 * is released through netlbl_secattr_cache_free().  The meaning of the
 * mls_* fields is inferred from their names (MLS level, a validity flag
 * for it, and a category buffer of @mls_cat_len bytes) - confirm against
 * the CIPSO code before relying on it.
 */
struct netlbl_lsm_secattr {
	char *domain;			/* domain name, kfree()d on destroy */

	u32 mls_lvl;			/* MLS sensitivity level */
	u32 mls_lvl_vld;		/* non-zero when @mls_lvl is valid (name-based, confirm) */
	unsigned char *mls_cat;		/* MLS category buffer, kfree()d on destroy */
	size_t mls_cat_len;		/* size of @mls_cat in bytes (assumed) */

	struct netlbl_lsm_cache *cache;	/* optional LSM cache entry, may be NULL */
};

/*
 * LSM security attribute operations
 */


/**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate a zeroed netlbl_lsm_cache structure and give the caller the
 * first reference to it.  Returns a pointer on success, NULL on failure.
 * The returned object is released with netlbl_secattr_cache_free().
 *
 */
static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
{
	struct netlbl_lsm_cache *entry = kzalloc(sizeof(*entry), flags);

	if (entry == NULL)
		return NULL;

	/* the caller owns this initial reference; @free and @data stay NULL
	 * from kzalloc() until the LSM fills them in */
	atomic_set(&entry->refcount, 1);
	return entry;
}

/**
 * netlbl_secattr_cache_free - Frees a netlbl_lsm_cache struct
 * @cache: the struct to free
 *
 * Description:
 * Drops one reference to @cache; when the last reference goes away the
 * LSM data is released through the @free callback and the struct is freed.
 *
 */
static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
{
	/* only the holder of the last reference tears the entry down; every
	 * earlier call just drops its own reference */
	if (atomic_dec_and_test(&cache->refcount)) {
		if (cache->free != NULL)
			cache->free(cache->data);
		kfree(cache);
	}
}

/**
 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
 * @secattr: the struct to initialize
 *
 * Description:
 * Initialize an already allocated netlbl_lsm_secattr struct: every field,
 * including the @domain, @mls_cat and @cache pointers, is set to zero/NULL.
 *
 */
static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
{
	/* a fully zeroed struct is also what netlbl_secattr_alloc() hands out */
	memset(secattr, 0, sizeof(struct netlbl_lsm_secattr));
}

/**
 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
 * @secattr: the struct to clear
 *
 * Description:
 * Destroys the @secattr struct, including freeing all of the internal buffers.
 * The struct must be reset with a call to netlbl_secattr_init() before reuse.
 *
 */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{
	/* kfree(NULL) is a no-op, so the two buffers need no guard; the
	 * pointers are left dangling on purpose - callers must run
	 * netlbl_secattr_init() before touching the struct again */
	kfree(secattr->domain);
	kfree(secattr->mls_cat);

	/* the cache entry is reference counted, so this only drops the
	 * reference held through @secattr */
	if (secattr->cache != NULL)
		netlbl_secattr_cache_free(secattr->cache);
}

/**
 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
 * @flags: the memory allocation flags
 *
 * Description:
 * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
 * pointer on success, or NULL on failure.  The result is released with
 * netlbl_secattr_free().
 *
 */
static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
{
	struct netlbl_lsm_secattr *secattr;

	/* the zeroed allocation leaves the struct in the same state
	 * netlbl_secattr_init() would produce */
	secattr = kzalloc(sizeof(*secattr), flags);
	return secattr;
}

/**
 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
 * @secattr: the struct to free
 *
 * Description:
 * Frees @secattr including all of the internal buffers.
 *
 */
static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
{
	/* release the owned buffers and cache reference before the struct itself */
	netlbl_secattr_destroy(secattr);
	kfree(secattr);
}

/*
 * LSM protocol operations
 *
 * With CONFIG_NETLABEL the functions live in net/netlabel/netlabel_kapi.c.
 * Without it the inline stubs below return -ENOSYS, so an LSM must treat
 * -ENOSYS from these calls as "no labeling available" rather than as a
 * failed lookup.  The names suggest set/get of @secattr on a socket or
 * sk_buff and an error report for a packet; the exact contract is not
 * visible in this header.
 */

#ifdef CONFIG_NETLABEL
int netlbl_socket_setattr(const struct socket *sock,
			  const struct netlbl_lsm_secattr *secattr);
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr);
int netlbl_socket_getattr(const struct socket *sock,
			  struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else
/* stub: NetLabel compiled out */
static inline int netlbl_socket_setattr(const struct socket *sock,
					const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

/* stub: NetLabel compiled out */
static inline int netlbl_sock_getattr(struct sock *sk,
				      struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

/* stub: NetLabel compiled out */
static inline int netlbl_socket_getattr(const struct socket *sock,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

/* stub: NetLabel compiled out; @secattr is left untouched */
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

/* stub: NetLabel compiled out, nothing to report */
static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
{
	return;
}
#endif /* CONFIG_NETLABEL */

/*
 * LSM label mapping cache operations
 *
 * Note the asymmetry with the protocol stubs above: when NetLabel is
 * compiled out, netlbl_cache_add() reports success (0) rather than
 * -ENOSYS, so callers see a silently empty cache instead of an error.
 */

#ifdef CONFIG_NETLABEL
void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb,
		     const struct netlbl_lsm_secattr *secattr);
#else
/* stub: no cache to invalidate */
static inline void netlbl_cache_invalidate(void)
{
	return;
}

/* stub: nothing is cached, reported as success */
static inline int netlbl_cache_add(const struct sk_buff *skb,
				   const struct netlbl_lsm_secattr *secattr)
{
	return 0;
}
#endif /* CONFIG_NETLABEL */

#endif /* _NETLABEL_H */