1 /* 2 * NetLabel System 3 * 4 * The NetLabel system manages static and dynamic label mappings for network 5 * protocols such as CIPSO and RIPSO. 6 * 7 * Author: Paul Moore <paul.moore@hp.com> 8 * 9 */ 10 11 /* 12 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 13 * 14 * This program is free software; you can redistribute it and/or modify 15 * it under the terms of the GNU General Public License as published by 16 * the Free Software Foundation; either version 2 of the License, or 17 * (at your option) any later version. 18 * 19 * This program is distributed in the hope that it will be useful, 20 * but WITHOUT ANY WARRANTY; without even the implied warranty of 21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 22 * the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with this program; if not, write to the Free Software 26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 27 * 28 */ 29 30 #ifndef _NETLABEL_H 31 #define _NETLABEL_H 32 33 #include <linux/types.h> 34 #include <linux/net.h> 35 #include <linux/skbuff.h> 36 #include <linux/in.h> 37 #include <linux/in6.h> 38 #include <net/netlink.h> 39 #include <asm/atomic.h> 40 41 struct cipso_v4_doi; 42 43 /* 44 * NetLabel - A management interface for maintaining network packet label 45 * mapping tables for explicit packet labling protocols. 46 * 47 * Network protocols such as CIPSO and RIPSO require a label translation layer 48 * to convert the label on the packet into something meaningful on the host 49 * machine. In the current Linux implementation these mapping tables live 50 * inside the kernel; NetLabel provides a mechanism for user space applications 51 * to manage these mapping tables. 52 * 53 * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to 54 * send messages between kernel and user space. The general format of a 55 * NetLabel message is shown below: 56 * 57 * +-----------------+-------------------+--------- --- -- - 58 * | struct nlmsghdr | struct genlmsghdr | payload 59 * +-----------------+-------------------+--------- --- -- - 60 * 61 * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal. 62 * The payload is dependent on the subsystem specified in the 63 * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions 64 * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c 65 * file. All of the fields in the NetLabel payload are NETLINK attributes, see 66 * the include/net/netlink.h file for more information on NETLINK attributes. 67 * 68 */ 69 70 /* 71 * NetLabel NETLINK protocol 72 */ 73 74 /* NetLabel NETLINK protocol version 75 * 1: initial version 76 * 2: added static labels for unlabeled connections 77 * 3: network selectors added to the NetLabel/LSM domain mapping and the 78 * CIPSO_V4_MAP_LOCAL CIPSO mapping was added 79 */ 80 #define NETLBL_PROTO_VERSION 3 81 82 /* NetLabel NETLINK types/families */ 83 #define NETLBL_NLTYPE_NONE 0 84 #define NETLBL_NLTYPE_MGMT 1 85 #define NETLBL_NLTYPE_MGMT_NAME "NLBL_MGMT" 86 #define NETLBL_NLTYPE_RIPSO 2 87 #define NETLBL_NLTYPE_RIPSO_NAME "NLBL_RIPSO" 88 #define NETLBL_NLTYPE_CIPSOV4 3 89 #define NETLBL_NLTYPE_CIPSOV4_NAME "NLBL_CIPSOv4" 90 #define NETLBL_NLTYPE_CIPSOV6 4 91 #define NETLBL_NLTYPE_CIPSOV6_NAME "NLBL_CIPSOv6" 92 #define NETLBL_NLTYPE_UNLABELED 5 93 #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL" 94 #define NETLBL_NLTYPE_ADDRSELECT 6 95 #define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL" 96 97 /* 98 * NetLabel - Kernel API for accessing the network packet label mappings. 99 * 100 * The following functions are provided for use by other kernel modules, 101 * specifically kernel LSM modules, to provide a consistent, transparent API 102 * for dealing with explicit packet labeling protocols such as CIPSO and 103 * RIPSO. The functions defined here are implemented in the 104 * net/netlabel/netlabel_kapi.c file. 105 * 106 */ 107 108 /* NetLabel audit information */ 109 struct netlbl_audit { 110 u32 secid; 111 uid_t loginuid; 112 u32 sessionid; 113 }; 114 115 /* 116 * LSM security attributes 117 */ 118 119 /** 120 * struct netlbl_lsm_cache - NetLabel LSM security attribute cache 121 * @refcount: atomic reference counter 122 * @free: LSM supplied function to free the cache data 123 * @data: LSM supplied cache data 124 * 125 * Description: 126 * This structure is provided for LSMs which wish to make use of the NetLabel 127 * caching mechanism to store LSM specific data/attributes in the NetLabel 128 * cache. If the LSM has to perform a lot of translation from the NetLabel 129 * security attributes into it's own internal representation then the cache 130 * mechanism can provide a way to eliminate some or all of that translation 131 * overhead on a cache hit. 132 * 133 */ 134 struct netlbl_lsm_cache { 135 atomic_t refcount; 136 void (*free) (const void *data); 137 void *data; 138 }; 139 140 /** 141 * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap 142 * @startbit: the value of the lowest order bit in the bitmap 143 * @bitmap: the category bitmap 144 * @next: pointer to the next bitmap "node" or NULL 145 * 146 * Description: 147 * This structure is used to represent category bitmaps. Due to the large 148 * number of categories supported by most labeling protocols it is not 149 * practical to transfer a full bitmap internally so NetLabel adopts a sparse 150 * bitmap structure modeled after SELinux's ebitmap structure. 151 * The catmap bitmap field MUST be a power of two in length and large 152 * enough to hold at least 240 bits. Special care (i.e. check the code!) 153 * should be used when changing these values as the LSM implementation 154 * probably has functions which rely on the sizes of these types to speed 155 * processing. 156 * 157 */ 158 #define NETLBL_CATMAP_MAPTYPE u64 159 #define NETLBL_CATMAP_MAPCNT 4 160 #define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8) 161 #define NETLBL_CATMAP_SIZE (NETLBL_CATMAP_MAPSIZE * \ 162 NETLBL_CATMAP_MAPCNT) 163 #define NETLBL_CATMAP_BIT (NETLBL_CATMAP_MAPTYPE)0x01 164 struct netlbl_lsm_secattr_catmap { 165 u32 startbit; 166 NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT]; 167 struct netlbl_lsm_secattr_catmap *next; 168 }; 169 170 /** 171 * struct netlbl_lsm_secattr - NetLabel LSM security attributes 172 * @flags: indicate structure attributes, see NETLBL_SECATTR_* 173 * @type: indicate the NLTYPE of the attributes 174 * @domain: the NetLabel LSM domain 175 * @cache: NetLabel LSM specific cache 176 * @attr.mls: MLS sensitivity label 177 * @attr.mls.cat: MLS category bitmap 178 * @attr.mls.lvl: MLS sensitivity level 179 * @attr.secid: LSM specific secid token 180 * 181 * Description: 182 * This structure is used to pass security attributes between NetLabel and the 183 * LSM modules. The flags field is used to specify which fields within the 184 * struct are valid and valid values can be created by bitwise OR'ing the 185 * NETLBL_SECATTR_* defines. The domain field is typically set by the LSM to 186 * specify domain specific configuration settings and is not usually used by 187 * NetLabel itself when returning security attributes to the LSM. 188 * 189 */ 190 struct netlbl_lsm_secattr { 191 u32 flags; 192 /* bitmap values for 'flags' */ 193 #define NETLBL_SECATTR_NONE 0x00000000 194 #define NETLBL_SECATTR_DOMAIN 0x00000001 195 #define NETLBL_SECATTR_DOMAIN_CPY (NETLBL_SECATTR_DOMAIN | \ 196 NETLBL_SECATTR_FREE_DOMAIN) 197 #define NETLBL_SECATTR_CACHE 0x00000002 198 #define NETLBL_SECATTR_MLS_LVL 0x00000004 199 #define NETLBL_SECATTR_MLS_CAT 0x00000008 200 #define NETLBL_SECATTR_SECID 0x00000010 201 /* bitmap meta-values for 'flags' */ 202 #define NETLBL_SECATTR_FREE_DOMAIN 0x01000000 203 #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ 204 NETLBL_SECATTR_MLS_CAT | \ 205 NETLBL_SECATTR_SECID) 206 u32 type; 207 char *domain; 208 struct netlbl_lsm_cache *cache; 209 struct { 210 struct { 211 struct netlbl_lsm_secattr_catmap *cat; 212 u32 lvl; 213 } mls; 214 u32 secid; 215 } attr; 216 }; 217 218 /* 219 * LSM security attribute operations (inline) 220 */ 221 222 /** 223 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache 224 * @flags: the memory allocation flags 225 * 226 * Description: 227 * Allocate and initialize a netlbl_lsm_cache structure. Returns a pointer 228 * on success, NULL on failure. 229 * 230 */ 231 static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags) 232 { 233 struct netlbl_lsm_cache *cache; 234 235 cache = kzalloc(sizeof(*cache), flags); 236 if (cache) 237 atomic_set(&cache->refcount, 1); 238 return cache; 239 } 240 241 /** 242 * netlbl_secattr_cache_free - Frees a netlbl_lsm_cache struct 243 * @cache: the struct to free 244 * 245 * Description: 246 * Frees @secattr including all of the internal buffers. 247 * 248 */ 249 static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache) 250 { 251 if (!atomic_dec_and_test(&cache->refcount)) 252 return; 253 254 if (cache->free) 255 cache->free(cache->data); 256 kfree(cache); 257 } 258 259 /** 260 * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap 261 * @flags: memory allocation flags 262 * 263 * Description: 264 * Allocate memory for a LSM secattr catmap, returns a pointer on success, NULL 265 * on failure. 266 * 267 */ 268 static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc( 269 gfp_t flags) 270 { 271 return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags); 272 } 273 274 /** 275 * netlbl_secattr_catmap_free - Free a LSM secattr catmap 276 * @catmap: the category bitmap 277 * 278 * Description: 279 * Free a LSM secattr catmap. 280 * 281 */ 282 static inline void netlbl_secattr_catmap_free( 283 struct netlbl_lsm_secattr_catmap *catmap) 284 { 285 struct netlbl_lsm_secattr_catmap *iter; 286 287 do { 288 iter = catmap; 289 catmap = catmap->next; 290 kfree(iter); 291 } while (catmap); 292 } 293 294 /** 295 * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct 296 * @secattr: the struct to initialize 297 * 298 * Description: 299 * Initialize an already allocated netlbl_lsm_secattr struct. 300 * 301 */ 302 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) 303 { 304 memset(secattr, 0, sizeof(*secattr)); 305 } 306 307 /** 308 * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct 309 * @secattr: the struct to clear 310 * 311 * Description: 312 * Destroys the @secattr struct, including freeing all of the internal buffers. 313 * The struct must be reset with a call to netlbl_secattr_init() before reuse. 314 * 315 */ 316 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr) 317 { 318 if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN) 319 kfree(secattr->domain); 320 if (secattr->flags & NETLBL_SECATTR_CACHE) 321 netlbl_secattr_cache_free(secattr->cache); 322 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) 323 netlbl_secattr_catmap_free(secattr->attr.mls.cat); 324 } 325 326 /** 327 * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct 328 * @flags: the memory allocation flags 329 * 330 * Description: 331 * Allocate and initialize a netlbl_lsm_secattr struct. Returns a valid 332 * pointer on success, or NULL on failure. 333 * 334 */ 335 static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags) 336 { 337 return kzalloc(sizeof(struct netlbl_lsm_secattr), flags); 338 } 339 340 /** 341 * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct 342 * @secattr: the struct to free 343 * 344 * Description: 345 * Frees @secattr including all of the internal buffers. 346 * 347 */ 348 static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr) 349 { 350 netlbl_secattr_destroy(secattr); 351 kfree(secattr); 352 } 353 354 #ifdef CONFIG_NETLABEL 355 /* 356 * LSM configuration operations 357 */ 358 int netlbl_cfg_map_del(const char *domain, 359 u16 family, 360 const void *addr, 361 const void *mask, 362 struct netlbl_audit *audit_info); 363 int netlbl_cfg_unlbl_map_add(const char *domain, 364 u16 family, 365 const void *addr, 366 const void *mask, 367 struct netlbl_audit *audit_info); 368 int netlbl_cfg_unlbl_static_add(struct net *net, 369 const char *dev_name, 370 const void *addr, 371 const void *mask, 372 u16 family, 373 u32 secid, 374 struct netlbl_audit *audit_info); 375 int netlbl_cfg_unlbl_static_del(struct net *net, 376 const char *dev_name, 377 const void *addr, 378 const void *mask, 379 u16 family, 380 struct netlbl_audit *audit_info); 381 int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, 382 struct netlbl_audit *audit_info); 383 void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info); 384 int netlbl_cfg_cipsov4_map_add(u32 doi, 385 const char *domain, 386 const struct in_addr *addr, 387 const struct in_addr *mask, 388 struct netlbl_audit *audit_info); 389 /* 390 * LSM security attribute operations 391 */ 392 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap, 393 u32 offset); 394 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap, 395 u32 offset); 396 int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap, 397 u32 bit, 398 gfp_t flags); 399 int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, 400 u32 start, 401 u32 end, 402 gfp_t flags); 403 404 /* 405 * LSM protocol operations (NetLabel LSM/kernel API) 406 */ 407 int netlbl_enabled(void); 408 int netlbl_sock_setattr(struct sock *sk, 409 const struct netlbl_lsm_secattr *secattr); 410 void netlbl_sock_delattr(struct sock *sk); 411 int netlbl_sock_getattr(struct sock *sk, 412 struct netlbl_lsm_secattr *secattr); 413 int netlbl_conn_setattr(struct sock *sk, 414 struct sockaddr *addr, 415 const struct netlbl_lsm_secattr *secattr); 416 int netlbl_skbuff_setattr(struct sk_buff *skb, 417 u16 family, 418 const struct netlbl_lsm_secattr *secattr); 419 int netlbl_skbuff_getattr(const struct sk_buff *skb, 420 u16 family, 421 struct netlbl_lsm_secattr *secattr); 422 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway); 423 424 /* 425 * LSM label mapping cache operations 426 */ 427 void netlbl_cache_invalidate(void); 428 int netlbl_cache_add(const struct sk_buff *skb, 429 const struct netlbl_lsm_secattr *secattr); 430 431 /* 432 * Protocol engine operations 433 */ 434 struct audit_buffer *netlbl_audit_start(int type, 435 struct netlbl_audit *audit_info); 436 #else 437 static inline int netlbl_cfg_map_del(const char *domain, 438 u16 family, 439 const void *addr, 440 const void *mask, 441 struct netlbl_audit *audit_info) 442 { 443 return -ENOSYS; 444 } 445 static inline int netlbl_cfg_unlbl_map_add(const char *domain, 446 u16 family, 447 void *addr, 448 void *mask, 449 struct netlbl_audit *audit_info) 450 { 451 return -ENOSYS; 452 } 453 static inline int netlbl_cfg_unlbl_static_add(struct net *net, 454 const char *dev_name, 455 const void *addr, 456 const void *mask, 457 u16 family, 458 u32 secid, 459 struct netlbl_audit *audit_info) 460 { 461 return -ENOSYS; 462 } 463 static inline int netlbl_cfg_unlbl_static_del(struct net *net, 464 const char *dev_name, 465 const void *addr, 466 const void *mask, 467 u16 family, 468 struct netlbl_audit *audit_info) 469 { 470 return -ENOSYS; 471 } 472 static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, 473 struct netlbl_audit *audit_info) 474 { 475 return -ENOSYS; 476 } 477 static inline void netlbl_cfg_cipsov4_del(u32 doi, 478 struct netlbl_audit *audit_info) 479 { 480 return; 481 } 482 static inline int netlbl_cfg_cipsov4_map_add(u32 doi, 483 const char *domain, 484 const struct in_addr *addr, 485 const struct in_addr *mask, 486 struct netlbl_audit *audit_info) 487 { 488 return -ENOSYS; 489 } 490 static inline int netlbl_secattr_catmap_walk( 491 struct netlbl_lsm_secattr_catmap *catmap, 492 u32 offset) 493 { 494 return -ENOENT; 495 } 496 static inline int netlbl_secattr_catmap_walk_rng( 497 struct netlbl_lsm_secattr_catmap *catmap, 498 u32 offset) 499 { 500 return -ENOENT; 501 } 502 static inline int netlbl_secattr_catmap_setbit( 503 struct netlbl_lsm_secattr_catmap *catmap, 504 u32 bit, 505 gfp_t flags) 506 { 507 return 0; 508 } 509 static inline int netlbl_secattr_catmap_setrng( 510 struct netlbl_lsm_secattr_catmap *catmap, 511 u32 start, 512 u32 end, 513 gfp_t flags) 514 { 515 return 0; 516 } 517 static inline int netlbl_enabled(void) 518 { 519 return 0; 520 } 521 static inline int netlbl_sock_setattr(struct sock *sk, 522 const struct netlbl_lsm_secattr *secattr) 523 { 524 return -ENOSYS; 525 } 526 static inline void netlbl_sock_delattr(struct sock *sk) 527 { 528 } 529 static inline int netlbl_sock_getattr(struct sock *sk, 530 struct netlbl_lsm_secattr *secattr) 531 { 532 return -ENOSYS; 533 } 534 static inline int netlbl_conn_setattr(struct sock *sk, 535 struct sockaddr *addr, 536 const struct netlbl_lsm_secattr *secattr) 537 { 538 return -ENOSYS; 539 } 540 static inline int netlbl_skbuff_setattr(struct sk_buff *skb, 541 u16 family, 542 const struct netlbl_lsm_secattr *secattr) 543 { 544 return -ENOSYS; 545 } 546 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, 547 u16 family, 548 struct netlbl_lsm_secattr *secattr) 549 { 550 return -ENOSYS; 551 } 552 static inline void netlbl_skbuff_err(struct sk_buff *skb, 553 int error, 554 int gateway) 555 { 556 return; 557 } 558 static inline void netlbl_cache_invalidate(void) 559 { 560 return; 561 } 562 static inline int netlbl_cache_add(const struct sk_buff *skb, 563 const struct netlbl_lsm_secattr *secattr) 564 { 565 return 0; 566 } 567 static inline struct audit_buffer *netlbl_audit_start(int type, 568 struct netlbl_audit *audit_info) 569 { 570 return NULL; 571 } 572 #endif /* CONFIG_NETLABEL */ 573 574 #endif /* _NETLABEL_H */ 575