/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * NetLabel Unlabeled Support
 *
 * This file defines functions for dealing with unlabeled packets for the
 * NetLabel system.  The NetLabel system manages static and dynamic label
 * mappings for network protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */

#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H

#include <net/netlabel.h>

/*
 * The following NetLabel payloads are supported by the Unlabeled subsystem.
 *
 * o STATICADD
 *   This message is sent from an application to add a new static label for
 *   incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVE
 *   This message is sent from an application to remove an existing static
 *   label for incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLIST message.  When sent by an
 *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICADDDEF
 *   This message is sent from an application to set the default static
 *   label for incoming unlabeled connections.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVEDEF
 *   This message is sent from an application to remove the existing default
 *   static label for incoming unlabeled connections.
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLISTDEF
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLISTDEF message.  When sent by
 *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 * o LIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated LIST message.  When sent by an
 *   application there is no payload.  The kernel should respond to a LIST
 *   message with a LIST message on success.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 */

/*
 * NetLabel Unlabeled commands
 *
 * One command number per payload described above.  These are presumably
 * visible to userspace as part of the NetLabel netlink interface, so new
 * commands should only be appended immediately before __NLBL_UNLABEL_C_MAX
 * and existing values never renumbered.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	NLBL_UNLABEL_C_ACCEPT,
	NLBL_UNLABEL_C_LIST,
	NLBL_UNLABEL_C_STATICADD,
	NLBL_UNLABEL_C_STATICREMOVE,
	NLBL_UNLABEL_C_STATICLIST,
	NLBL_UNLABEL_C_STATICADDDEF,
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	NLBL_UNLABEL_C_STATICLISTDEF,
	__NLBL_UNLABEL_C_MAX,
};

/*
 * NetLabel Unlabeled attributes
 *
 * Netlink attribute types carried by the payloads above; the expected
 * netlink attribute kind (NLA_*) is noted against each.  The attribute
 * contents come from userspace, so the enum only names them -- the receiving
 * handler and its policy are what bound and validate the values.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address
	 * NOTE(review): NLA_BINARY alone does not pin the length; the handler
	 * is presumably expected to check the payload is exactly
	 * sizeof(struct in6_addr) -- confirm against the policy.  The same
	 * applies to the IPV6MASK, IPV4ADDR and IPV4MASK attributes below. */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface name */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context; opaque to NetLabel, interpreted by
	 * the active LSM */
	__NLBL_UNLABEL_A_MAX,
};
/* highest valid attribute number, for netlink policy tables */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)

/* NetLabel protocol functions */
/* Register the Unlabeled generic netlink family/commands with the kernel */
int netlbl_unlabel_genl_init(void);

/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* presumably a bit count, i.e. 1 << NETLBL_UNLHSH_BITSIZE buckets -- confirm
 * against netlbl_unlabel_init() */
#define NETLBL_UNLHSH_BITSIZE 7

/* General Unlabeled init function */
/* @size: hash table size parameter, presumably the bit size
 * (NETLBL_UNLHSH_BITSIZE) -- confirm against the definition */
int netlbl_unlabel_init(u32 size);

/*
 * Static/Fallback label management functions
 *
 * netlbl_unlhsh_add() installs a static label mapping for unlabeled traffic
 * and netlbl_unlhsh_remove() deletes one.
 *
 * @net: network namespace the mapping belongs to
 * @dev_name: interface the mapping applies to
 * @addr, @mask: raw address and mask bytes; @addr_len is their length and
 *   presumably selects IPv4 versus IPv6 (sizeof(struct in_addr) or
 *   sizeof(struct in6_addr)) -- confirm against the definitions
 * @secid: LSM secid applied to matching unlabeled traffic (add only)
 * @audit_info: identifies the requesting subject for the audit record
 *
 * Both presumably follow the kernel convention of returning zero on success
 * and a negative errno on failure.
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets */
/* Derive security attributes for an unlabeled @skb.  @family presumably
 * selects how the packet addresses are interpreted (AF_INET/AF_INET6);
 * the result is written to @secattr -- confirm against the definition */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
/* NOTE(review): this makes the unlabeled-packet policy permissive (the
 * fail-open side of ACPTFLG); confirm it is only used as the bring-up
 * default when no explicit configuration has been loaded */
int netlbl_unlabel_defconf(void);

#endif