/*
 * NetLabel Unlabeled Support
 *
 * This file defines functions for dealing with unlabeled packets for the
 * NetLabel system.  The NetLabel system manages static and dynamic label
 * mappings for network protocols such as CIPSO and RIPSO.  "Unlabeled"
 * packets are those that carry no on-the-wire label at all; this subsystem
 * decides whether such packets are accepted and which security label they
 * are given once inside the host.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H

#include <net/netlabel.h>

/*
 * The following NetLabel payloads are supported by the Unlabeled subsystem.
 *
 * o STATICADD
 *   This message is sent from an application to add a new static label for
 *   incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVE
 *   This message is sent from an application to remove an existing static
 *   label for incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLIST message.  When sent by an
 *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICADDDEF
 *   This message is sent from an application to set the default static
 *   label for incoming unlabeled connections.  Unlike STATICADD it carries
 *   no NLBL_UNLABEL_A_IFACE attribute: the default entry is not bound to a
 *   particular interface.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVEDEF
 *   This message is sent from an application to remove the existing default
 *   static label for incoming unlabeled connections.
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLISTDEF
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLISTDEF message.  When sent by
 *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.  This is the subsystem's global
 *   policy switch; see NLBL_UNLABEL_A_ACPTFLG below.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 * o LIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated LIST message.  When sent by an
 *   application there is no payload.  The kernel should respond to a LIST
 *   message with a LIST message on success.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 */

/* NetLabel Unlabeled commands
 *
 * These values are part of the generic netlink interface exposed to
 * userspace, so they must never be renumbered; add new commands immediately
 * before the __NLBL_UNLABEL_C_MAX sentinel. */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	NLBL_UNLABEL_C_ACCEPT,
	NLBL_UNLABEL_C_LIST,
	NLBL_UNLABEL_C_STATICADD,
	NLBL_UNLABEL_C_STATICREMOVE,
	NLBL_UNLABEL_C_STATICLIST,
	NLBL_UNLABEL_C_STATICADDDEF,
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	NLBL_UNLABEL_C_STATICLISTDEF,
	__NLBL_UNLABEL_C_MAX,	/* sentinel, not a command */
};

/* NetLabel Unlabeled attributes
 *
 * Attribute numbers are likewise userspace-visible ABI; add new attributes
 * immediately before the __NLBL_UNLABEL_A_MAX sentinel. */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected
	 *
	 * This flag only governs packets that match none of the static
	 * mappings (see the ACCEPT message above); a permissive setting means
	 * traffic with no on-the-wire label is still admitted, so changing it
	 * is a policy decision rather than a tuning knob. */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface; the name of the interface a static mapping is
	 * bound to */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context; its encoding is defined by the
	 * LSM in use, not by NetLabel */
	__NLBL_UNLABEL_A_MAX,	/* sentinel, not an attribute */
};
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)

/* NetLabel protocol functions */

/*
 * Generic netlink registration for the Unlabeled commands listed above.
 * Returns an int status; presumably zero on success and a negative errno
 * value on failure, per the usual kernel convention -- confirm in the
 * implementation.
 */
int netlbl_unlabel_genl_init(void);

/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* NOTE(review): the name suggests a bit width, i.e. 1 << NETLBL_UNLHSH_BITSIZE
 * buckets, rather than a bucket count -- confirm against netlbl_unlabel_init */
#define NETLBL_UNLHSH_BITSIZE 7

/* General Unlabeled init function */
/*
 * @size: hash table sizing parameter; presumably the bit size above is
 *        what callers pass -- confirm against the caller.
 */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions */

/*
 * Add a static mapping that assigns @secid to incoming unlabeled traffic.
 *
 * @net:        network namespace the mapping belongs to
 * @dev_name:   interface name (NLBL_UNLABEL_A_IFACE); presumably NULL for the
 *              interface-independent default entry created by STATICADDDEF,
 *              which carries no IFACE attribute -- confirm in the .c file
 * @addr:       address to match, opaque bytes of @addr_len length
 * @mask:       address mask, same length as @addr
 * @addr_len:   length of @addr and @mask in bytes; given the attribute types
 *              above this is presumably sizeof(struct in_addr) or
 *              sizeof(struct in6_addr) -- confirm
 * @secid:      LSM security identifier assigned to matching packets
 * @audit_info: audit context describing the requesting process
 *
 * Returns an int status; presumably zero on success / negative errno -- confirm.
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);

/*
 * Remove a static mapping previously installed with netlbl_unlhsh_add().
 * Parameters match netlbl_unlhsh_add() (no @secid: the entry is identified
 * by namespace, interface and address/mask alone).
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets */

/*
 * Determine the security attributes for an incoming packet that carries no
 * NetLabel label.
 *
 * @skb:     the packet (read-only)
 * @family:  address family of the packet
 * @secattr: output, filled with the attributes derived from the static
 *           mappings and/or the accept policy
 *
 * Returns an int status; presumably zero on success / negative errno -- confirm.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
/*
 * Note this is the permissive default: unlabeled traffic is admitted until an
 * ACCEPT message clears NLBL_UNLABEL_A_ACPTFLG.
 */
int netlbl_unlabel_defconf(void);

#endif