1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * NetLabel Unlabeled Support
4  *
5  * This file defines functions for dealing with unlabeled packets for the
6  * NetLabel system.  The NetLabel system manages static and dynamic label
7  * mappings for network protocols such as CIPSO and RIPSO.
8  *
9  * Author: Paul Moore <paul@paul-moore.com>
10  */
11 
12 /*
13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14  */
15 
16 #ifndef _NETLABEL_UNLABELED_H
17 #define _NETLABEL_UNLABELED_H
18 
19 #include <net/netlabel.h>
20 
21 /*
22  * The following NetLabel payloads are supported by the Unlabeled subsystem.
23  *
24  * o STATICADD
25  *   This message is sent from an application to add a new static label for
26  *   incoming unlabeled connections.
27  *
28  *   Required attributes:
29  *
30  *     NLBL_UNLABEL_A_IFACE
31  *     NLBL_UNLABEL_A_SECCTX
32  *
33  *   If IPv4 is specified the following attributes are required:
34  *
35  *     NLBL_UNLABEL_A_IPV4ADDR
36  *     NLBL_UNLABEL_A_IPV4MASK
37  *
38  *   If IPv6 is specified the following attributes are required:
39  *
40  *     NLBL_UNLABEL_A_IPV6ADDR
41  *     NLBL_UNLABEL_A_IPV6MASK
42  *
43  * o STATICREMOVE
44  *   This message is sent from an application to remove an existing static
45  *   label for incoming unlabeled connections.
46  *
47  *   Required attributes:
48  *
49  *     NLBL_UNLABEL_A_IFACE
50  *
51  *   If IPv4 is specified the following attributes are required:
52  *
53  *     NLBL_UNLABEL_A_IPV4ADDR
54  *     NLBL_UNLABEL_A_IPV4MASK
55  *
56  *   If IPv6 is specified the following attributes are required:
57  *
58  *     NLBL_UNLABEL_A_IPV6ADDR
59  *     NLBL_UNLABEL_A_IPV6MASK
60  *
61  * o STATICLIST
62  *   This message can be sent either from an application or by the kernel in
63  *   response to an application generated STATICLIST message.  When sent by an
64  *   application there is no payload and the NLM_F_DUMP flag should be set.
65  *   The kernel should respond with a series of the following messages.
66  *
67  *   Required attributes:
68  *
69  *     NLBL_UNLABEL_A_IFACE
70  *     NLBL_UNLABEL_A_SECCTX
71  *
72  *   If IPv4 is specified the following attributes are required:
73  *
74  *     NLBL_UNLABEL_A_IPV4ADDR
75  *     NLBL_UNLABEL_A_IPV4MASK
76  *
77  *   If IPv6 is specified the following attributes are required:
78  *
79  *     NLBL_UNLABEL_A_IPV6ADDR
80  *     NLBL_UNLABEL_A_IPV6MASK
81  *
82  * o STATICADDDEF
83  *   This message is sent from an application to set the default static
84  *   label for incoming unlabeled connections.
85  *
86  *   Required attribute:
87  *
88  *     NLBL_UNLABEL_A_SECCTX
89  *
90  *   If IPv4 is specified the following attributes are required:
91  *
92  *     NLBL_UNLABEL_A_IPV4ADDR
93  *     NLBL_UNLABEL_A_IPV4MASK
94  *
95  *   If IPv6 is specified the following attributes are required:
96  *
97  *     NLBL_UNLABEL_A_IPV6ADDR
98  *     NLBL_UNLABEL_A_IPV6MASK
99  *
100  * o STATICREMOVEDEF
101  *   This message is sent from an application to remove the existing default
102  *   static label for incoming unlabeled connections.
103  *
104  *   If IPv4 is specified the following attributes are required:
105  *
106  *     NLBL_UNLABEL_A_IPV4ADDR
107  *     NLBL_UNLABEL_A_IPV4MASK
108  *
109  *   If IPv6 is specified the following attributes are required:
110  *
111  *     NLBL_UNLABEL_A_IPV6ADDR
112  *     NLBL_UNLABEL_A_IPV6MASK
113  *
114  * o STATICLISTDEF
115  *   This message can be sent either from an application or by the kernel in
116  *   response to an application generated STATICLISTDEF message.  When sent by
117  *   an application there is no payload and the NLM_F_DUMP flag should be set.
118  *   The kernel should respond with the following message.
119  *
120  *   Required attribute:
121  *
122  *     NLBL_UNLABEL_A_SECCTX
123  *
124  *   If IPv4 is specified the following attributes are required:
125  *
126  *     NLBL_UNLABEL_A_IPV4ADDR
127  *     NLBL_UNLABEL_A_IPV4MASK
128  *
129  *   If IPv6 is specified the following attributes are required:
130  *
131  *     NLBL_UNLABEL_A_IPV6ADDR
132  *     NLBL_UNLABEL_A_IPV6MASK
133  *
134  * o ACCEPT
135  *   This message is sent from an application to specify if the kernel should
136  *   allow unlabeled packets to pass if they do not match any of the static
137  *   mappings defined in the unlabeled module.
138  *
139  *   Required attributes:
140  *
141  *     NLBL_UNLABEL_A_ACPTFLG
142  *
143  * o LIST
144  *   This message can be sent either from an application or by the kernel in
145  *   response to an application generated LIST message.  When sent by an
146  *   application there is no payload.  The kernel should respond to a LIST
147  *   message with a LIST message on success.
148  *
149  *   Required attributes:
150  *
151  *     NLBL_UNLABEL_A_ACPTFLG
152  *
153  */
154 
/* NetLabel Unlabeled commands
 *
 * Each value names one of the message types described in the payload comment
 * at the top of this file.  The ids are assigned by enumeration order and are
 * sent by applications, so new commands are appended before
 * __NLBL_UNLABEL_C_MAX rather than inserted in the middle.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	/* placeholder zero value (conventionally never a valid command) */
	NLBL_UNLABEL_C_ACCEPT,
	/* set whether unlabeled packets matching no static mapping may pass */
	NLBL_UNLABEL_C_LIST,
	/* query the accept flag; the kernel answers with a LIST message */
	NLBL_UNLABEL_C_STATICADD,
	/* add a static label for incoming unlabeled connections */
	NLBL_UNLABEL_C_STATICREMOVE,
	/* remove an existing static label */
	NLBL_UNLABEL_C_STATICLIST,
	/* dump the static labels (application sets NLM_F_DUMP, no payload) */
	NLBL_UNLABEL_C_STATICADDDEF,
	/* set the default static label for incoming unlabeled connections */
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	/* remove the existing default static label */
	NLBL_UNLABEL_C_STATICLISTDEF,
	/* dump the default static label (application sets NLM_F_DUMP) */
	__NLBL_UNLABEL_C_MAX,
	/* one past the last valid command; not a command itself */
};
168 
/* NetLabel Unlabeled attributes
 *
 * The type noted next to each attribute is the netlink attribute type the
 * sender is expected to use; which attributes are required by which command
 * is described in the payload comment at the top of this file.
 *
 * NOTE(review): NLA_BINARY carries no length guarantee on its own, so the
 * command handlers that consume the address/mask attributes are presumably
 * what checks that they are exactly sizeof(struct in_addr) or
 * sizeof(struct in6_addr) before use — confirm in the handlers.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	/* placeholder zero value (conventionally never a valid attribute) */
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context */
	__NLBL_UNLABEL_A_MAX,
	/* one past the last valid attribute; not an attribute itself */
};
/* Highest valid attribute id (one less than the sentinel above) */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
197 
/* NetLabel protocol functions */

/**
 * netlbl_unlabel_genl_init - Initialise the netlink side of the Unlabeled subsystem
 *
 * The name suggests this registers the generic netlink family that carries the
 * commands above — confirm at the definition.
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlabel_genl_init(void);
200 
/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* Expressed as a bit count, so the table presumably has 1 << 7 buckets —
 * confirm against the table allocation behind netlbl_unlabel_init(). */
#define NETLBL_UNLHSH_BITSIZE       7
204 
/* General Unlabeled init function */
/**
 * netlbl_unlabel_init - Initialise the NetLabel Unlabeled subsystem
 * @size: size parameter for the unlabeled connection hash table (likely the
 *        bit count, cf. NETLBL_UNLHSH_BITSIZE above — confirm at the definition)
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlabel_init(u32 size);
207 
/* Static/Fallback label management functions */

/**
 * netlbl_unlhsh_add - Add a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name the mapping applies to; presumably NULL
 *            for the default mapping (STATICADDDEF carries no IFACE
 *            attribute) — confirm at the definition
 * @addr: IPv4 or IPv6 address the mapping applies to
 * @mask: address mask, same family and length as @addr
 * @addr_len: length of @addr and @mask in bytes.  No address family is passed
 *            separately, so this is presumably how the callee distinguishes a
 *            struct in_addr from a struct in6_addr; callers must therefore
 *            pass exactly the size of the address they supply
 * @secid: LSM security id to attach to matching unlabeled packets
 * @audit_info: audit information describing the caller
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);

/**
 * netlbl_unlhsh_remove - Remove a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name of the mapping; presumably NULL for the
 *            default mapping (STATICREMOVEDEF carries no IFACE attribute) —
 *            confirm at the definition
 * @addr: IPv4 or IPv6 address of the mapping to remove
 * @mask: address mask, same family and length as @addr
 * @addr_len: length of @addr and @mask in bytes (see netlbl_unlhsh_add())
 * @audit_info: audit information describing the caller
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);
222 
/* Process Unlabeled incoming network packets */
/**
 * netlbl_unlabel_getattr - Determine the security attributes of an unlabeled packet
 * @skb: the incoming packet
 * @family: address family of the packet; given the IPv4/IPv6 attributes above
 *          this is presumably AF_INET or AF_INET6 — confirm at the definition
 * @secattr: security attributes to be filled in for the packet
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);
227 
/* Set the default configuration to allow Unlabeled packets */
/**
 * netlbl_unlabel_defconf - Set the default configuration to allow Unlabeled packets
 *
 * This is the permissive setting: unlabeled packets are allowed to pass.  An
 * administrator wanting unlabeled traffic rejected must clear the accept flag
 * afterwards with an ACCEPT message (NLBL_UNLABEL_A_ACPTFLG = 0).
 *
 * Return: presumably zero on success and a negative error code on failure
 * (kernel convention; confirm at the definition).
 */
int netlbl_unlabel_defconf(void);
230 
231 #endif