0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /*
0003  * NetLabel Unlabeled Support
0004  *
0005  * This file defines functions for dealing with unlabeled packets for the
0006  * NetLabel system.  The NetLabel system manages static and dynamic label
0007  * mappings for network protocols such as CIPSO and RIPSO.
0008  *
0009  * Author: Paul Moore <paul@paul-moore.com>
0010  */
0011 
0012 /*
0013  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
0014  */
0015 
0016 #ifndef _NETLABEL_UNLABELED_H
0017 #define _NETLABEL_UNLABELED_H
0018 
0019 #include <net/netlabel.h>
0020 
0021 /*
0022  * The following NetLabel payloads are supported by the Unlabeled subsystem.
0023  *
0024  * o STATICADD
0025  *   This message is sent from an application to add a new static label for
0026  *   incoming unlabeled connections.
0027  *
0028  *   Required attributes:
0029  *
0030  *     NLBL_UNLABEL_A_IFACE
0031  *     NLBL_UNLABEL_A_SECCTX
0032  *
0033  *   If IPv4 is specified the following attributes are required:
0034  *
0035  *     NLBL_UNLABEL_A_IPV4ADDR
0036  *     NLBL_UNLABEL_A_IPV4MASK
0037  *
0038  *   If IPv6 is specified the following attributes are required:
0039  *
0040  *     NLBL_UNLABEL_A_IPV6ADDR
0041  *     NLBL_UNLABEL_A_IPV6MASK
0042  *
0043  * o STATICREMOVE
0044  *   This message is sent from an application to remove an existing static
0045  *   label for incoming unlabeled connections.
0046  *
0047  *   Required attributes:
0048  *
0049  *     NLBL_UNLABEL_A_IFACE
0050  *
0051  *   If IPv4 is specified the following attributes are required:
0052  *
0053  *     NLBL_UNLABEL_A_IPV4ADDR
0054  *     NLBL_UNLABEL_A_IPV4MASK
0055  *
0056  *   If IPv6 is specified the following attributes are required:
0057  *
0058  *     NLBL_UNLABEL_A_IPV6ADDR
0059  *     NLBL_UNLABEL_A_IPV6MASK
0060  *
0061  * o STATICLIST
0062  *   This message can be sent either from an application or by the kernel in
0063  *   response to an application generated STATICLIST message.  When sent by an
0064  *   application there is no payload and the NLM_F_DUMP flag should be set.
0065  *   The kernel should respond with a series of the following messages.
0066  *
0067  *   Required attributes:
0068  *
0069  *     NLBL_UNLABEL_A_IFACE
0070  *     NLBL_UNLABEL_A_SECCTX
0071  *
0072  *   If IPv4 is specified the following attributes are required:
0073  *
0074  *     NLBL_UNLABEL_A_IPV4ADDR
0075  *     NLBL_UNLABEL_A_IPV4MASK
0076  *
0077  *   If IPv6 is specified the following attributes are required:
0078  *
0079  *     NLBL_UNLABEL_A_IPV6ADDR
0080  *     NLBL_UNLABEL_A_IPV6MASK
0081  *
0082  * o STATICADDDEF
0083  *   This message is sent from an application to set the default static
0084  *   label for incoming unlabeled connections.
0085  *
0086  *   Required attribute:
0087  *
0088  *     NLBL_UNLABEL_A_SECCTX
0089  *
0090  *   If IPv4 is specified the following attributes are required:
0091  *
0092  *     NLBL_UNLABEL_A_IPV4ADDR
0093  *     NLBL_UNLABEL_A_IPV4MASK
0094  *
0095  *   If IPv6 is specified the following attributes are required:
0096  *
0097  *     NLBL_UNLABEL_A_IPV6ADDR
0098  *     NLBL_UNLABEL_A_IPV6MASK
0099  *
0100  * o STATICREMOVEDEF
0101  *   This message is sent from an application to remove the existing default
0102  *   static label for incoming unlabeled connections.
0103  *
0104  *   If IPv4 is specified the following attributes are required:
0105  *
0106  *     NLBL_UNLABEL_A_IPV4ADDR
0107  *     NLBL_UNLABEL_A_IPV4MASK
0108  *
0109  *   If IPv6 is specified the following attributes are required:
0110  *
0111  *     NLBL_UNLABEL_A_IPV6ADDR
0112  *     NLBL_UNLABEL_A_IPV6MASK
0113  *
0114  * o STATICLISTDEF
0115  *   This message can be sent either from an application or by the kernel in
0116  *   response to an application generated STATICLISTDEF message.  When sent by
0117  *   an application there is no payload and the NLM_F_DUMP flag should be set.
0118  *   The kernel should respond with the following message.
0119  *
0120  *   Required attribute:
0121  *
0122  *     NLBL_UNLABEL_A_SECCTX
0123  *
0124  *   If IPv4 is specified the following attributes are required:
0125  *
0126  *     NLBL_UNLABEL_A_IPV4ADDR
0127  *     NLBL_UNLABEL_A_IPV4MASK
0128  *
0129  *   If IPv6 is specified the following attributes are required:
0130  *
0131  *     NLBL_UNLABEL_A_IPV6ADDR
0132  *     NLBL_UNLABEL_A_IPV6MASK
0133  *
0134  * o ACCEPT
0135  *   This message is sent from an application to specify if the kernel should
0136  *   allow unlabeled packets to pass if they do not match any of the static
0137  *   mappings defined in the unlabeled module.
0138  *
0139  *   Required attributes:
0140  *
0141  *     NLBL_UNLABEL_A_ACPTFLG
0142  *
0143  * o LIST
0144  *   This message can be sent either from an application or by the kernel in
0145  *   response to an application generated LIST message.  When sent by an
0146  *   application there is no payload.  The kernel should respond to a LIST
0147  *   message with a LIST message on success.
0148  *
0149  *   Required attributes:
0150  *
0151  *     NLBL_UNLABEL_A_ACPTFLG
0152  *
0153  */
0154 
/* NetLabel Unlabeled commands
 *
 * These identifiers travel over the NetLabel message interface described
 * above, so their numeric values are pinned explicitly: never reorder them,
 * only append new commands in front of __NLBL_UNLABEL_C_MAX.
 */
enum {
    NLBL_UNLABEL_C_UNSPEC = 0,          /* no command / reserved */
    NLBL_UNLABEL_C_ACCEPT = 1,          /* ACCEPT: set the accept-unlabeled flag */
    NLBL_UNLABEL_C_LIST = 2,            /* LIST: report the accept-unlabeled flag */
    NLBL_UNLABEL_C_STATICADD = 3,       /* STATICADD: add a static label */
    NLBL_UNLABEL_C_STATICREMOVE = 4,    /* STATICREMOVE: remove a static label */
    NLBL_UNLABEL_C_STATICLIST = 5,      /* STATICLIST: dump the static labels */
    NLBL_UNLABEL_C_STATICADDDEF = 6,    /* STATICADDDEF: set the default static label */
    NLBL_UNLABEL_C_STATICREMOVEDEF = 7, /* STATICREMOVEDEF: clear the default static label */
    NLBL_UNLABEL_C_STATICLISTDEF = 8,   /* STATICLISTDEF: report the default static label */
    __NLBL_UNLABEL_C_MAX = 9,           /* one past the last valid command */
};
0168 
/* NetLabel Unlabeled attributes
 *
 * Netlink attribute types carried by the Unlabeled messages described above.
 * Values are pinned explicitly; never reorder them, only append new
 * attributes in front of __NLBL_UNLABEL_A_MAX.
 */
enum {
    /* no attribute / reserved */
    NLBL_UNLABEL_A_UNSPEC = 0,

    /* (NLA_U8)
     * policy switch for packets that match no static mapping: if true such
     * unlabeled packets are allowed to pass, else they are rejected */
    NLBL_UNLABEL_A_ACPTFLG = 1,

    /* (NLA_BINARY, struct in6_addr)
     * an IPv6 address */
    NLBL_UNLABEL_A_IPV6ADDR = 2,

    /* (NLA_BINARY, struct in6_addr)
     * an IPv6 address mask */
    NLBL_UNLABEL_A_IPV6MASK = 3,

    /* (NLA_BINARY, struct in_addr)
     * an IPv4 address */
    NLBL_UNLABEL_A_IPV4ADDR = 4,

    /* (NLA_BINARY, struct in_addr)
     * an IPv4 address mask */
    NLBL_UNLABEL_A_IPV4MASK = 5,

    /* (NLA_NULL_STRING)
     * network interface name */
    NLBL_UNLABEL_A_IFACE = 6,

    /* (NLA_BINARY)
     * a LSM specific security context; opaque to NetLabel itself */
    NLBL_UNLABEL_A_SECCTX = 7,

    /* one past the last valid attribute */
    __NLBL_UNLABEL_A_MAX = 8,
};
/* highest valid attribute type, for netlink policy tables */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
0197 
/* NetLabel protocol functions */
/**
 * netlbl_unlabel_genl_init - Initialize the Unlabeled NetLabel message interface
 *
 * Description:
 * Sets up the kernel side of the Unlabeled message interface documented at the
 * top of this file (ACCEPT, LIST and the STATIC* commands).  From the name
 * this presumably registers the Generic Netlink family and its operations;
 * confirm against the definition.  Returns zero on success, negative values
 * on failure (assumed kernel convention - verify).
 *
 */
int netlbl_unlabel_genl_init(void);
0200 
/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* NOTE(review): the name reads as a bit width (a table of
 * 1 << NETLBL_UNLHSH_BITSIZE buckets) rather than a bucket count; confirm
 * against netlbl_unlabel_init() before tuning it */
#define NETLBL_UNLHSH_BITSIZE       7
0204 
/* General Unlabeled init function */
/**
 * netlbl_unlabel_init - Initialize the Unlabeled subsystem
 * @size: presumably the unlabeled connection hash table size (cf.
 *        NETLBL_UNLHSH_BITSIZE above); whether it is a bit width or a bucket
 *        count is not visible here - confirm against the definition
 *
 * Description:
 * Returns zero on success, negative values on failure (assumed kernel
 * convention - verify).
 *
 */
int netlbl_unlabel_init(u32 size);
0207 
/* Static/Fallback label management functions */
/**
 * netlbl_unlhsh_add - Add a static label to the unlabeled connection hash table
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name the mapping is bound to (cf.
 *            NLBL_UNLABEL_A_IFACE above)
 * @addr: address, a struct in_addr or struct in6_addr per the attribute
 *        definitions above
 * @mask: address mask of the same type as @addr
 * @addr_len: size of @addr and @mask in bytes; presumably how the address
 *            family is selected - confirm against the definition
 * @secid: LSM security identifier to attach to matching unlabeled packets
 *         (presumably resolved from NLBL_UNLABEL_A_SECCTX by the caller)
 * @audit_info: NetLabel audit information for the configuration change
 *
 * Description:
 * Presumably backs the STATICADD message.  Nothing in this prototype shows
 * whether @addr_len is validated against the two supported address sizes
 * here or by the caller - verify before adding new call sites.  Returns
 * zero on success, negative values on failure (assumed kernel convention -
 * verify).
 *
 */
int netlbl_unlhsh_add(struct net *net,
              const char *dev_name,
              const void *addr,
              const void *mask,
              u32 addr_len,
              u32 secid,
              struct netlbl_audit *audit_info);
/**
 * netlbl_unlhsh_remove - Remove a static label from the unlabeled connection hash table
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name the mapping is bound to
 * @addr: address, as for netlbl_unlhsh_add()
 * @mask: address mask, as for netlbl_unlhsh_add()
 * @addr_len: size of @addr and @mask in bytes, as for netlbl_unlhsh_add()
 * @audit_info: NetLabel audit information for the configuration change
 *
 * Description:
 * Presumably backs the STATICREMOVE message.  No secid is taken, which
 * matches the STATICREMOVE payload above: an entry is identified by
 * interface and address/mask alone.  Returns zero on success, negative
 * values on failure (assumed kernel convention - verify).
 *
 */
int netlbl_unlhsh_remove(struct net *net,
             const char *dev_name,
             const void *addr,
             const void *mask,
             u32 addr_len,
             struct netlbl_audit *audit_info);
0222 
/* Process Unlabeled incoming network packets */
/**
 * netlbl_unlabel_getattr - Determine the security attributes of an unlabeled packet
 * @skb: the incoming packet
 * @family: protocol family of @skb (presumably PF_INET or PF_INET6 - confirm)
 * @secattr: the security attributes to fill in
 *
 * Description:
 * NOTE(review): the static labels managed above are keyed by interface and
 * address/mask, so whatever label ends up in @secattr is presumably chosen
 * from the packet's own addressing, which an unlabeled packet carries without
 * any authentication; packets that match no mapping are subject to the
 * NLBL_UNLABEL_A_ACPTFLG policy.  Confirm both against the definition.
 * Returns zero on success, negative values on failure (assumed kernel
 * convention - verify).
 *
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
               u16 family,
               struct netlbl_lsm_secattr *secattr);
0227 
/* Set the default configuration to allow Unlabeled packets */
/**
 * netlbl_unlabel_defconf - Set the default configuration to allow Unlabeled packets
 *
 * Description:
 * Presumably selects the same policy an ACCEPT message with
 * NLBL_UNLABEL_A_ACPTFLG set to true would, i.e. unlabeled packets that match
 * no static mapping are allowed to pass - confirm against the definition.
 * Returns zero on success, negative values on failure (assumed kernel
 * convention - verify).
 *
 */
int netlbl_unlabel_defconf(void);
0230 
0231 #endif