xref: /openbmc/linux/include/net/netlabel.h (revision a1e58bbd) 
1 /*
2  * NetLabel System
3  *
4  * The NetLabel system manages static and dynamic label mappings for network
5  * protocols such as CIPSO and RIPSO.
6  *
7  * Author: Paul Moore <paul.moore@hp.com>
8  *
9  */
10 
11 /*
12  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
13  *
14  * This program is free software;  you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License as published by
16  * the Free Software Foundation; either version 2 of the License, or
17  * (at your option) any later version.
18  *
19  * This program is distributed in the hope that it will be useful,
20  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
22  * the GNU General Public License for more details.
23  *
24  * You should have received a copy of the GNU General Public License
25  * along with this program;  if not, write to the Free Software
26  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27  *
28  */
29 
30 #ifndef _NETLABEL_H
31 #define _NETLABEL_H
32 
33 #include <linux/types.h>
34 #include <linux/net.h>
35 #include <linux/skbuff.h>
36 #include <net/netlink.h>
37 #include <asm/atomic.h>
38 
39 struct cipso_v4_doi;
40 
41 /*
42  * NetLabel - A management interface for maintaining network packet label
43  *            mapping tables for explicit packet labling protocols.
44  *
45  * Network protocols such as CIPSO and RIPSO require a label translation layer
46  * to convert the label on the packet into something meaningful on the host
47  * machine.  In the current Linux implementation these mapping tables live
48  * inside the kernel; NetLabel provides a mechanism for user space applications
49  * to manage these mapping tables.
50  *
51  * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
52  * send messages between kernel and user space.  The general format of a
53  * NetLabel message is shown below:
54  *
55  *  +-----------------+-------------------+--------- --- -- -
56  *  | struct nlmsghdr | struct genlmsghdr | payload
57  *  +-----------------+-------------------+--------- --- -- -
58  *
59  * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
60  * The payload is dependent on the subsystem specified in the
61  * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
62  * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
63  * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
64  * the include/net/netlink.h file for more information on NETLINK attributes.
65  *
66  */
67 
68 /*
69  * NetLabel NETLINK protocol
70  */
71 
72 /* NetLabel NETLINK protocol version
73  *  1: initial version
74  *  2: added static labels for unlabeled connections
75  */
76 #define NETLBL_PROTO_VERSION            2
77 
78 /* NetLabel NETLINK types/families */
79 #define NETLBL_NLTYPE_NONE              0
80 #define NETLBL_NLTYPE_MGMT              1
81 #define NETLBL_NLTYPE_MGMT_NAME         "NLBL_MGMT"
82 #define NETLBL_NLTYPE_RIPSO             2
83 #define NETLBL_NLTYPE_RIPSO_NAME        "NLBL_RIPSO"
84 #define NETLBL_NLTYPE_CIPSOV4           3
85 #define NETLBL_NLTYPE_CIPSOV4_NAME      "NLBL_CIPSOv4"
86 #define NETLBL_NLTYPE_CIPSOV6           4
87 #define NETLBL_NLTYPE_CIPSOV6_NAME      "NLBL_CIPSOv6"
88 #define NETLBL_NLTYPE_UNLABELED         5
89 #define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"
90 
91 /*
92  * NetLabel - Kernel API for accessing the network packet label mappings.
93  *
94  * The following functions are provided for use by other kernel modules,
95  * specifically kernel LSM modules, to provide a consistent, transparent API
96  * for dealing with explicit packet labeling protocols such as CIPSO and
97  * RIPSO.  The functions defined here are implemented in the
98  * net/netlabel/netlabel_kapi.c file.
99  *
100  */
101 
102 /* NetLabel audit information */
103 struct netlbl_audit {
104 	u32 secid;
105 	uid_t loginuid;
106 };
107 
108 /*
109  * LSM security attributes
110  */
111 
112 /**
113  * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
114  * @refcount: atomic reference counter
115  * @free: LSM supplied function to free the cache data
116  * @data: LSM supplied cache data
117  *
118  * Description:
119  * This structure is provided for LSMs which wish to make use of the NetLabel
120  * caching mechanism to store LSM specific data/attributes in the NetLabel
121  * cache.  If the LSM has to perform a lot of translation from the NetLabel
122  * security attributes into it's own internal representation then the cache
123  * mechanism can provide a way to eliminate some or all of that translation
124  * overhead on a cache hit.
125  *
126  */
127 struct netlbl_lsm_cache {
128 	atomic_t refcount;
129 	void (*free) (const void *data);
130 	void *data;
131 };
132 
133 /**
134  * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
135  * @startbit: the value of the lowest order bit in the bitmap
136  * @bitmap: the category bitmap
137  * @next: pointer to the next bitmap "node" or NULL
138  *
139  * Description:
140  * This structure is used to represent category bitmaps.  Due to the large
141  * number of categories supported by most labeling protocols it is not
142  * practical to transfer a full bitmap internally so NetLabel adopts a sparse
143  * bitmap structure modeled after SELinux's ebitmap structure.
144  * The catmap bitmap field MUST be a power of two in length and large
145  * enough to hold at least 240 bits.  Special care (i.e. check the code!)
146  * should be used when changing these values as the LSM implementation
147  * probably has functions which rely on the sizes of these types to speed
148  * processing.
149  *
150  */
151 #define NETLBL_CATMAP_MAPTYPE           u64
152 #define NETLBL_CATMAP_MAPCNT            4
153 #define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
154 #define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
155 					 NETLBL_CATMAP_MAPCNT)
156 #define NETLBL_CATMAP_BIT               (NETLBL_CATMAP_MAPTYPE)0x01
157 struct netlbl_lsm_secattr_catmap {
158 	u32 startbit;
159 	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
160 	struct netlbl_lsm_secattr_catmap *next;
161 };
162 
163 /**
164  * struct netlbl_lsm_secattr - NetLabel LSM security attributes
165  * @flags: indicate which attributes are contained in this structure
166  * @type: indicate the NLTYPE of the attributes
167  * @domain: the NetLabel LSM domain
168  * @cache: NetLabel LSM specific cache
169  * @attr.mls: MLS sensitivity label
170  * @attr.mls.cat: MLS category bitmap
171  * @attr.mls.lvl: MLS sensitivity level
172  * @attr.secid: LSM specific secid token
173  *
174  * Description:
175  * This structure is used to pass security attributes between NetLabel and the
176  * LSM modules.  The flags field is used to specify which fields within the
177  * struct are valid and valid values can be created by bitwise OR'ing the
178  * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
179  * specify domain specific configuration settings and is not usually used by
180  * NetLabel itself when returning security attributes to the LSM.
181  *
182  */
183 #define NETLBL_SECATTR_NONE             0x00000000
184 #define NETLBL_SECATTR_DOMAIN           0x00000001
185 #define NETLBL_SECATTR_CACHE            0x00000002
186 #define NETLBL_SECATTR_MLS_LVL          0x00000004
187 #define NETLBL_SECATTR_MLS_CAT          0x00000008
188 #define NETLBL_SECATTR_SECID            0x00000010
189 #define NETLBL_SECATTR_CACHEABLE        (NETLBL_SECATTR_MLS_LVL | \
190 					 NETLBL_SECATTR_MLS_CAT | \
191 					 NETLBL_SECATTR_SECID)
192 struct netlbl_lsm_secattr {
193 	u32 flags;
194 	u32 type;
195 	char *domain;
196 	struct netlbl_lsm_cache *cache;
197 	union {
198 		struct {
199 			struct netlbl_lsm_secattr_catmap *cat;
200 			u32 lvl;
201 		} mls;
202 		u32 secid;
203 	} attr;
204 };
205 
206 /*
207  * LSM security attribute operations (inline)
208  */
209 
210 /**
211  * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
212  * @flags: the memory allocation flags
213  *
214  * Description:
215  * Allocate and initialize a netlbl_lsm_cache structure.  Returns a pointer
216  * on success, NULL on failure.
217  *
218  */
219 static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
220 {
221 	struct netlbl_lsm_cache *cache;
222 
223 	cache = kzalloc(sizeof(*cache), flags);
224 	if (cache)
225 		atomic_set(&cache->refcount, 1);
226 	return cache;
227 }
228 
229 /**
230  * netlbl_secattr_cache_free - Frees a netlbl_lsm_cache struct
231  * @cache: the struct to free
232  *
233  * Description:
234  * Frees @secattr including all of the internal buffers.
235  *
236  */
237 static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
238 {
239 	if (!atomic_dec_and_test(&cache->refcount))
240 		return;
241 
242 	if (cache->free)
243 		cache->free(cache->data);
244 	kfree(cache);
245 }
246 
247 /**
248  * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
249  * @flags: memory allocation flags
250  *
251  * Description:
252  * Allocate memory for a LSM secattr catmap, returns a pointer on success, NULL
253  * on failure.
254  *
255  */
256 static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
257 	                                                           gfp_t flags)
258 {
259 	return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
260 }
261 
262 /**
263  * netlbl_secattr_catmap_free - Free a LSM secattr catmap
264  * @catmap: the category bitmap
265  *
266  * Description:
267  * Free a LSM secattr catmap.
268  *
269  */
270 static inline void netlbl_secattr_catmap_free(
271 	                              struct netlbl_lsm_secattr_catmap *catmap)
272 {
273 	struct netlbl_lsm_secattr_catmap *iter;
274 
275 	do {
276 		iter = catmap;
277 		catmap = catmap->next;
278 		kfree(iter);
279 	} while (catmap);
280 }
281 
282 /**
283  * netlbl_secattr_init - Initialize a netlbl_lsm_secattr struct
284  * @secattr: the struct to initialize
285  *
286  * Description:
287  * Initialize an already allocated netlbl_lsm_secattr struct.
288  *
289  */
290 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
291 {
292 	memset(secattr, 0, sizeof(*secattr));
293 }
294 
295 /**
296  * netlbl_secattr_destroy - Clears a netlbl_lsm_secattr struct
297  * @secattr: the struct to clear
298  *
299  * Description:
300  * Destroys the @secattr struct, including freeing all of the internal buffers.
301  * The struct must be reset with a call to netlbl_secattr_init() before reuse.
302  *
303  */
304 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
305 {
306 	kfree(secattr->domain);
307 	if (secattr->flags & NETLBL_SECATTR_CACHE)
308 		netlbl_secattr_cache_free(secattr->cache);
309 	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
310 		netlbl_secattr_catmap_free(secattr->attr.mls.cat);
311 }
312 
313 /**
314  * netlbl_secattr_alloc - Allocate and initialize a netlbl_lsm_secattr struct
315  * @flags: the memory allocation flags
316  *
317  * Description:
318  * Allocate and initialize a netlbl_lsm_secattr struct.  Returns a valid
319  * pointer on success, or NULL on failure.
320  *
321  */
322 static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
323 {
324 	return kzalloc(sizeof(struct netlbl_lsm_secattr), flags);
325 }
326 
327 /**
328  * netlbl_secattr_free - Frees a netlbl_lsm_secattr struct
329  * @secattr: the struct to free
330  *
331  * Description:
332  * Frees @secattr including all of the internal buffers.
333  *
334  */
335 static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
336 {
337 	netlbl_secattr_destroy(secattr);
338 	kfree(secattr);
339 }
340 
341 #ifdef CONFIG_NETLABEL
342 /*
343  * LSM configuration operations
344  */
345 int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info);
346 int netlbl_cfg_unlbl_add_map(const char *domain,
347 			     struct netlbl_audit *audit_info);
348 int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
349 			   struct netlbl_audit *audit_info);
350 int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
351 			       const char *domain,
352 			       struct netlbl_audit *audit_info);
353 int netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
354 
355 /*
356  * LSM security attribute operations
357  */
358 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
359 			       u32 offset);
360 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
361 				   u32 offset);
362 int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
363 				 u32 bit,
364 				 gfp_t flags);
365 int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
366 				 u32 start,
367 				 u32 end,
368 				 gfp_t flags);
369 
370 /*
371  * LSM protocol operations (NetLabel LSM/kernel API)
372  */
373 int netlbl_enabled(void);
374 int netlbl_sock_setattr(struct sock *sk,
375 			const struct netlbl_lsm_secattr *secattr);
376 int netlbl_sock_getattr(struct sock *sk,
377 			struct netlbl_lsm_secattr *secattr);
378 int netlbl_skbuff_getattr(const struct sk_buff *skb,
379 			  u16 family,
380 			  struct netlbl_lsm_secattr *secattr);
381 void netlbl_skbuff_err(struct sk_buff *skb, int error);
382 
383 /*
384  * LSM label mapping cache operations
385  */
386 void netlbl_cache_invalidate(void);
387 int netlbl_cache_add(const struct sk_buff *skb,
388 		     const struct netlbl_lsm_secattr *secattr);
389 #else
390 static inline int netlbl_cfg_map_del(const char *domain,
391 				     struct netlbl_audit *audit_info)
392 {
393 	return -ENOSYS;
394 }
395 static inline int netlbl_cfg_unlbl_add_map(const char *domain,
396 					   struct netlbl_audit *audit_info)
397 {
398 	return -ENOSYS;
399 }
400 static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
401 					 struct netlbl_audit *audit_info)
402 {
403 	return -ENOSYS;
404 }
405 static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
406 					     const char *domain,
407 					     struct netlbl_audit *audit_info)
408 {
409 	return -ENOSYS;
410 }
411 static inline int netlbl_cfg_cipsov4_del(u32 doi,
412 					 struct netlbl_audit *audit_info)
413 {
414 	return -ENOSYS;
415 }
416 static inline int netlbl_secattr_catmap_walk(
417 	                              struct netlbl_lsm_secattr_catmap *catmap,
418 				      u32 offset)
419 {
420 	return -ENOENT;
421 }
422 static inline int netlbl_secattr_catmap_walk_rng(
423 				      struct netlbl_lsm_secattr_catmap *catmap,
424 				      u32 offset)
425 {
426 	return -ENOENT;
427 }
428 static inline int netlbl_secattr_catmap_setbit(
429 	                              struct netlbl_lsm_secattr_catmap *catmap,
430 				      u32 bit,
431 				      gfp_t flags)
432 {
433 	return 0;
434 }
435 static inline int netlbl_secattr_catmap_setrng(
436 	                              struct netlbl_lsm_secattr_catmap *catmap,
437 				      u32 start,
438 				      u32 end,
439 				      gfp_t flags)
440 {
441 	return 0;
442 }
443 static inline int netlbl_enabled(void)
444 {
445 	return 0;
446 }
447 static inline int netlbl_sock_setattr(struct sock *sk,
448 				     const struct netlbl_lsm_secattr *secattr)
449 {
450 	return -ENOSYS;
451 }
452 static inline int netlbl_sock_getattr(struct sock *sk,
453 				      struct netlbl_lsm_secattr *secattr)
454 {
455 	return -ENOSYS;
456 }
457 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
458 					u16 family,
459 					struct netlbl_lsm_secattr *secattr)
460 {
461 	return -ENOSYS;
462 }
463 static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
464 {
465 	return;
466 }
467 static inline void netlbl_cache_invalidate(void)
468 {
469 	return;
470 }
471 static inline int netlbl_cache_add(const struct sk_buff *skb,
472 				   const struct netlbl_lsm_secattr *secattr)
473 {
474 	return 0;
475 }
476 #endif /* CONFIG_NETLABEL */
477 
478 #endif /* _NETLABEL_H */
479