0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /*
0003  * CIPSO - Commercial IP Security Option
0004  *
0005  * This is an implementation of the CIPSO 2.2 protocol as specified in
0006  * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
0007  * FIPS-188, copies of both documents can be found in the Documentation
0008  * directory.  While CIPSO never became a full IETF RFC standard many vendors
0009  * have chosen to adopt the protocol and over the years it has become a
0010  * de-facto standard for labeled networking.
0011  *
0012  * Author: Paul Moore <paul@paul-moore.com>
0013  */
0014 
0015 /*
0016  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
0017  */
0018 
0019 #ifndef _CIPSO_IPV4_H
0020 #define _CIPSO_IPV4_H
0021 
0022 #include <linux/types.h>
0023 #include <linux/rcupdate.h>
0024 #include <linux/list.h>
0025 #include <linux/net.h>
0026 #include <linux/skbuff.h>
0027 #include <net/netlabel.h>
0028 #include <net/request_sock.h>
0029 #include <linux/atomic.h>
0030 #include <linux/refcount.h>
0031 #include <asm/unaligned.h>
0032 
0033 /* known doi values */
0034 #define CIPSO_V4_DOI_UNKNOWN          0x00000000
0035 
0036 /* standard tag types */
0037 #define CIPSO_V4_TAG_INVALID          0
0038 #define CIPSO_V4_TAG_RBITMAP          1
0039 #define CIPSO_V4_TAG_ENUM             2
0040 #define CIPSO_V4_TAG_RANGE            5
0041 #define CIPSO_V4_TAG_PBITMAP          6
0042 #define CIPSO_V4_TAG_FREEFORM         7
0043 
0044 /* non-standard tag types (tags > 127) */
0045 #define CIPSO_V4_TAG_LOCAL            128
0046 
0047 /* doi mapping types */
0048 #define CIPSO_V4_MAP_UNKNOWN          0
0049 #define CIPSO_V4_MAP_TRANS            1
0050 #define CIPSO_V4_MAP_PASS             2
0051 #define CIPSO_V4_MAP_LOCAL            3
0052 
0053 /* limits */
0054 #define CIPSO_V4_MAX_REM_LVLS         255
0055 #define CIPSO_V4_INV_LVL              0x80000000
0056 #define CIPSO_V4_MAX_LOC_LVLS         (CIPSO_V4_INV_LVL - 1)
0057 #define CIPSO_V4_MAX_REM_CATS         65534
0058 #define CIPSO_V4_INV_CAT              0x80000000
0059 #define CIPSO_V4_MAX_LOC_CATS         (CIPSO_V4_INV_CAT - 1)
0060 
0061 /*
0062  * CIPSO DOI definitions
0063  */
0064 
0065 /* DOI definition struct */
0066 #define CIPSO_V4_TAG_MAXCNT           5
struct cipso_v4_doi {
	u32 doi;		/* DOI value this definition describes (0 is CIPSO_V4_DOI_UNKNOWN) */
	u32 type;		/* mapping type, one of CIPSO_V4_MAP_* */
	union {
		/* standard mapping table; presumably only valid for the
		 * translating map type (CIPSO_V4_MAP_TRANS) — confirm in the
		 * defining .c file */
		struct cipso_v4_std_map_tbl *std;
	} map;
	/* CIPSO_V4_TAG_* types this DOI accepts, at most CIPSO_V4_TAG_MAXCNT;
	 * presumably terminated by CIPSO_V4_TAG_INVALID when fewer are used —
	 * confirm */
	u8 tags[CIPSO_V4_TAG_MAXCNT];

	refcount_t refcount;	/* lifetime of this definition (see getdef/putdef) */
	struct list_head list;	/* membership in the list of known DOIs */
	struct rcu_head rcu;	/* for RCU-deferred release of the definition */
};
0079 
0080 /* Standard CIPSO mapping table */
0081 /* NOTE: the highest order bit (i.e. 0x80000000) is an 'invalid' flag, if the
0082  *       bit is set then consider that value as unspecified, meaning the
0083  *       mapping for that particular level/category is invalid */
struct cipso_v4_std_map_tbl {
	/* Level mapping.  Both arrays hold u32 mapped values; an entry with
	 * the CIPSO_V4_INV_LVL bit set is unspecified (see NOTE above).
	 * cipso_size/local_size are the entry counts of the respective
	 * arrays.  Which array is indexed by the remote value and which by
	 * the local one is fixed by the translation code, not here. */
	struct {
		u32 *cipso;
		u32 *local;
		u32 cipso_size;
		u32 local_size;
	} lvl;
	/* Category mapping, same layout as lvl; CIPSO_V4_INV_CAT marks an
	 * unspecified entry. */
	struct {
		u32 *cipso;
		u32 *local;
		u32 cipso_size;
		u32 local_size;
	} cat;
};
0098 
0099 /*
0100  * Sysctl Variables
0101  */
0102 
0103 #ifdef CONFIG_NETLABEL
/* Tunables exported through sysctl when NetLabel is built in; they are
 * defined in the implementing .c file.
 * NOTE(review): semantics below are inferred from the names only — confirm
 * against the definitions.  cache_enabled/cache_bucketsize presumably
 * control the label mapping cache declared further down; rbm_optfmt and
 * rbm_strictvalid presumably control the restricted bitmap tag
 * (CIPSO_V4_TAG_RBITMAP) encoding and how strictly it is validated. */
extern int cipso_v4_cache_enabled;
extern int cipso_v4_cache_bucketsize;
extern int cipso_v4_rbm_optfmt;
extern int cipso_v4_rbm_strictvalid;
0108 #endif
0109 
0110 /*
0111  * DOI List Functions
0112  */
0113 
0114 #ifdef CONFIG_NETLABEL
/* Register doi_def as a known DOI definition.  Returns 0 on success or a
 * negative errno (the CONFIG_NETLABEL=n stub below returns -ENOSYS).
 * audit_info: presumably used to generate NetLabel audit records — confirm. */
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
		     struct netlbl_audit *audit_info);
/* Release a DOI definition.  The struct carries an rcu_head, so freeing is
 * presumably deferred via RCU — confirm in the definition. */
void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
/* Remove the definition registered for the given doi value.  Returns 0 on
 * success or a negative errno. */
int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
/* Look up the definition for doi; NULL when none is registered.  The struct
 * carries a refcount_t, so a non-NULL result presumably holds a reference
 * that must be returned with cipso_v4_doi_putdef() — confirm. */
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def);
/* Invoke callback(doi_def, cb_arg) for each known DOI definition.
 * skip_cnt is passed by pointer, so it is presumably an in/out count of
 * entries to skip that is updated as the walk proceeds — confirm. */
int cipso_v4_doi_walk(u32 *skip_cnt,
		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
		     void *cb_arg);
0124 #else
/* CONFIG_NETLABEL=n stub: DOI definitions cannot be registered without
 * NetLabel, so the operation is reported as unsupported. */
static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
				   struct netlbl_audit *audit_info)
{
	return -ENOSYS;
}
0130 
/* CONFIG_NETLABEL=n stub: no definitions exist, so there is nothing to
 * release.  Empty body, matching the other void stubs in this header. */
static inline void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
{
}
0135 
/* CONFIG_NETLABEL=n stub: there are no definitions to remove, so removal
 * trivially succeeds. */
static inline int cipso_v4_doi_remove(u32 doi,
				      struct netlbl_audit *audit_info)
{
	return 0;
}
0141 
/* CONFIG_NETLABEL=n stub: no DOI is ever registered, so every lookup
 * misses. */
static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
{
	return NULL;
}
0146 
/* CONFIG_NETLABEL=n stub: the DOI list is empty, so the callback is never
 * invoked and the walk completes successfully. */
static inline int cipso_v4_doi_walk(u32 *skip_cnt,
				    int (*callback) (struct cipso_v4_doi *doi_def,
						     void *arg),
				    void *cb_arg)
{
	return 0;
}
0153 #endif /* CONFIG_NETLABEL */
0154 
0155 /*
0156  * Label Mapping Cache Functions
0157  */
0158 
0159 #ifdef CONFIG_NETLABEL
/* Drop every entry of the label mapping cache. */
void cipso_v4_cache_invalidate(void);
/* Cache the mapping between the raw CIPSO option at cipso_ptr and secattr.
 * Returns 0 on success or a negative errno (the stub below returns 0). */
int cipso_v4_cache_add(const unsigned char *cipso_ptr,
		       const struct netlbl_lsm_secattr *secattr);
0163 #else
/* CONFIG_NETLABEL=n stub: there is no cache to invalidate. */
static inline void cipso_v4_cache_invalidate(void)
{
}
0168 
/* CONFIG_NETLABEL=n stub: there is no cache, so the entry is silently
 * dropped and success is reported. */
static inline int cipso_v4_cache_add(const unsigned char *cipso_ptr,
				     const struct netlbl_lsm_secattr *secattr)
{
	return 0;
}
0174 #endif /* CONFIG_NETLABEL */
0175 
0176 /*
0177  * Protocol Handling Functions
0178  */
0179 
0180 #ifdef CONFIG_NETLABEL
/* Report an error for skb back to the sender (presumably as an ICMP
 * message — confirm in the definition). */
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
/* Translate the raw CIPSO option at cipso into secattr.  Returns 0 on
 * success or a negative errno (the stub below returns -ENOSYS). */
int cipso_v4_getattr(const unsigned char *cipso,
		     struct netlbl_lsm_secattr *secattr);
/* Apply (setattr), remove (delattr) or read (getattr) the CIPSO option on a
 * socket.  The set/get variants return 0 on success or a negative errno. */
int cipso_v4_sock_setattr(struct sock *sk,
			  const struct cipso_v4_doi *doi_def,
			  const struct netlbl_lsm_secattr *secattr);
void cipso_v4_sock_delattr(struct sock *sk);
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
/* Same operations for a request socket. */
int cipso_v4_req_setattr(struct request_sock *req,
			 const struct cipso_v4_doi *doi_def,
			 const struct netlbl_lsm_secattr *secattr);
void cipso_v4_req_delattr(struct request_sock *req);
/* Same operations on the IP header of an skb; here delattr also returns
 * 0 or a negative errno. */
int cipso_v4_skbuff_setattr(struct sk_buff *skb,
			    const struct cipso_v4_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_delattr(struct sk_buff *skb);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
			    struct netlbl_lsm_secattr *secattr);
/* Locate the CIPSO option in skb's IP header; NULL when absent. */
unsigned char *cipso_v4_optptr(const struct sk_buff *skb);
/* Check the CIPSO option at *option for a well-formed layout.  Returns 0
 * if valid, otherwise the non-zero offset of the offending byte, to which
 * *option is also advanced.  The CONFIG_NETLABEL=n stub below documents
 * the minimal checks; the NetLabel build presumably validates tag contents
 * as well — confirm. */
int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
0201 #else
/* CONFIG_NETLABEL=n stub: no error is generated.  Empty body, matching the
 * other void stubs in this header. */
static inline void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
{
}
0208 
/* CONFIG_NETLABEL=n stub: the option cannot be translated to security
 * attributes, so the operation is reported as unsupported. */
static inline int cipso_v4_getattr(const unsigned char *cipso,
				   struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0214 
/* CONFIG_NETLABEL=n stub: a CIPSO option cannot be attached to a socket,
 * so the operation is reported as unsupported. */
static inline int cipso_v4_sock_setattr(struct sock *sk,
					const struct cipso_v4_doi *doi_def,
					const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0221 
/* CONFIG_NETLABEL=n stub: no option was ever attached, nothing to remove. */
static inline void cipso_v4_sock_delattr(struct sock *sk)
{
}
0225 
/* CONFIG_NETLABEL=n stub: no CIPSO attributes can be read from a socket,
 * so the operation is reported as unsupported. */
static inline int cipso_v4_sock_getattr(struct sock *sk,
					struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0231 
/* CONFIG_NETLABEL=n stub: a CIPSO option cannot be attached to a request
 * socket, so the operation is reported as unsupported. */
static inline int cipso_v4_req_setattr(struct request_sock *req,
				       const struct cipso_v4_doi *doi_def,
				       const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0238 
/* CONFIG_NETLABEL=n stub: no option was ever attached, nothing to remove.
 * Empty body, matching cipso_v4_sock_delattr() above. */
static inline void cipso_v4_req_delattr(struct request_sock *req)
{
}
0243 
/* CONFIG_NETLABEL=n stub: a CIPSO option cannot be written into an skb's
 * IP header, so the operation is reported as unsupported. */
static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
					  const struct cipso_v4_doi *doi_def,
					  const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0250 
/* CONFIG_NETLABEL=n stub: unlike the sock/req delattr stubs this one has a
 * return value, and reports the operation as unsupported. */
static inline int cipso_v4_skbuff_delattr(struct sk_buff *skb)
{
	return -ENOSYS;
}
0255 
/* CONFIG_NETLABEL=n stub: no CIPSO attributes can be read from an skb, so
 * the operation is reported as unsupported. */
static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
					  struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}
0261 
/* CONFIG_NETLABEL=n stub: the option is never looked up, so it is always
 * reported as absent. */
static inline unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
{
	return NULL;
}
0266 
/*
 * CONFIG_NETLABEL=n fallback: check only the layout of a CIPSO IP option,
 * without interpreting any label, so that the caller can still reject a
 * malformed option.
 *
 * @skb: packet carrying the option (not used by this stub)
 * @option: in: points at the option's type byte (opt[0]);
 *          out: advanced to the first invalid byte when the check fails,
 *          left unchanged when it succeeds
 *
 * Layout checked here: opt[1] is the total option length, opt[2..5] the
 * 32-bit big-endian DOI, and tags start at offset 6, each with a type byte
 * followed by a length byte that counts the whole tag.
 *
 * Return: 0 if the option is well-formed, otherwise the non-zero offset of
 * the first invalid byte (the same value *option is advanced by).
 *
 * NOTE(review): opt[1] is trusted as the option length and is never compared
 * with the space actually remaining in the IP options area; this stub relies
 * on the caller having bounded the option before calling — confirm.
 */
static inline int cipso_v4_validate(const struct sk_buff *skb,
				    unsigned char **option)
{
	unsigned char *opt = *option;
	unsigned char err_offset = 0;	/* 0 means "valid"; every failure sets it non-zero */
	u8 opt_len = opt[1];
	u8 opt_iter;
	u8 tag_len;

	/* 6-byte header (type, length, DOI) plus room for at least one
	 * 2-byte tag header */
	if (opt_len < 8) {
		err_offset = 1;
		goto out;
	}

	/* a zero DOI (CIPSO_V4_DOI_UNKNOWN) is never acceptable */
	if (get_unaligned_be32(&opt[2]) == 0) {
		err_offset = 2;
		goto out;
	}

	/* walk the tag list; opt_iter always points at a tag's type byte */
	for (opt_iter = 6; opt_iter < opt_len;) {
		/* a type byte with no room left for its length byte */
		if (opt_iter + 1 == opt_len) {
			err_offset = opt_iter;
			goto out;
		}
		tag_len = opt[opt_iter + 1];
		/* a zero length would never advance the loop; a length past
		 * opt_len would run off the end of the option */
		if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) {
			err_offset = opt_iter + 1;
			goto out;
		}
		opt_iter += tag_len;
	}

out:
	*option = opt + err_offset;
	return err_offset;

}
0304 #endif /* CONFIG_NETLABEL */
0305 
0306 #endif /* _CIPSO_IPV4_H */