2019-05-19 16:51:43 +03:00
/* SPDX-License-Identifier: GPL-2.0-or-later */
2006-08-04 03:48:37 +04:00
/*
* NetLabel Unlabeled Support
*
* This file defines functions for dealing with unlabeled packets for the
* NetLabel system . The NetLabel system manages static and dynamic label
* mappings for network protocols such as CIPSO and RIPSO .
*
2011-08-01 15:10:33 +04:00
* Author : Paul Moore < paul @ paul - moore . com >
2006-08-04 03:48:37 +04:00
*/
/*
* ( c ) Copyright Hewlett - Packard Development Company , L . P . , 2006
*/
# ifndef _NETLABEL_UNLABELED_H
# define _NETLABEL_UNLABELED_H
# include <net/netlabel.h>
/*
* The following NetLabel payloads are supported by the Unlabeled subsystem .
*
2008-01-29 16:44:21 +03:00
* o STATICADD
* This message is sent from an application to add a new static label for
* incoming unlabeled connections .
*
* Required attributes :
*
* NLBL_UNLABEL_A_IFACE
* NLBL_UNLABEL_A_SECCTX
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
* o STATICREMOVE
* This message is sent from an application to remove an existing static
* label for incoming unlabeled connections .
*
* Required attributes :
*
* NLBL_UNLABEL_A_IFACE
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
* o STATICLIST
* This message can be sent either from an application or by the kernel in
* response to an application generated STATICLIST message . When sent by an
* application there is no payload and the NLM_F_DUMP flag should be set .
* The kernel should response with a series of the following messages .
*
* Required attributes :
*
* NLBL_UNLABEL_A_IFACE
* NLBL_UNLABEL_A_SECCTX
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
* o STATICADDDEF
* This message is sent from an application to set the default static
* label for incoming unlabeled connections .
*
* Required attribute :
*
* NLBL_UNLABEL_A_SECCTX
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
* o STATICREMOVEDEF
* This message is sent from an application to remove the existing default
* static label for incoming unlabeled connections .
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
* o STATICLISTDEF
* This message can be sent either from an application or by the kernel in
* response to an application generated STATICLISTDEF message . When sent by
* an application there is no payload and the NLM_F_DUMP flag should be set .
* The kernel should response with the following message .
*
* Required attribute :
*
* NLBL_UNLABEL_A_SECCTX
*
* If IPv4 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV4ADDR
* NLBL_UNLABEL_A_IPV4MASK
*
* If IPv6 is specified the following attributes are required :
*
* NLBL_UNLABEL_A_IPV6ADDR
* NLBL_UNLABEL_A_IPV6MASK
*
2006-08-04 03:48:37 +04:00
* o ACCEPT
* This message is sent from an application to specify if the kernel should
* allow unlabled packets to pass if they do not match any of the static
* mappings defined in the unlabeled module .
*
2006-09-26 02:56:37 +04:00
* Required attributes :
2006-08-04 03:48:37 +04:00
*
2006-09-26 02:56:37 +04:00
* NLBL_UNLABEL_A_ACPTFLG
2006-08-04 03:48:37 +04:00
*
* o LIST
* This message can be sent either from an application or by the kernel in
* response to an application generated LIST message . When sent by an
* application there is no payload . The kernel should respond to a LIST
2006-09-26 02:56:37 +04:00
* message with a LIST message on success .
2006-08-04 03:48:37 +04:00
*
2006-09-26 02:56:37 +04:00
* Required attributes :
2006-08-04 03:48:37 +04:00
*
2006-09-26 02:56:37 +04:00
* NLBL_UNLABEL_A_ACPTFLG
2006-08-04 03:48:37 +04:00
*
*/
/* NetLabel Unlabeled commands */
enum {
NLBL_UNLABEL_C_UNSPEC ,
NLBL_UNLABEL_C_ACCEPT ,
NLBL_UNLABEL_C_LIST ,
2008-01-29 16:44:21 +03:00
NLBL_UNLABEL_C_STATICADD ,
NLBL_UNLABEL_C_STATICREMOVE ,
NLBL_UNLABEL_C_STATICLIST ,
NLBL_UNLABEL_C_STATICADDDEF ,
NLBL_UNLABEL_C_STATICREMOVEDEF ,
NLBL_UNLABEL_C_STATICLISTDEF ,
2006-08-04 03:48:37 +04:00
__NLBL_UNLABEL_C_MAX ,
} ;
2006-09-26 02:56:37 +04:00
/* NetLabel Unlabeled attributes */
enum {
NLBL_UNLABEL_A_UNSPEC ,
NLBL_UNLABEL_A_ACPTFLG ,
/* (NLA_U8)
* if true then unlabeled packets are allowed to pass , else unlabeled
* packets are rejected */
2008-01-29 16:44:21 +03:00
NLBL_UNLABEL_A_IPV6ADDR ,
/* (NLA_BINARY, struct in6_addr)
* an IPv6 address */
NLBL_UNLABEL_A_IPV6MASK ,
/* (NLA_BINARY, struct in6_addr)
* an IPv6 address mask */
NLBL_UNLABEL_A_IPV4ADDR ,
/* (NLA_BINARY, struct in_addr)
* an IPv4 address */
NLBL_UNLABEL_A_IPV4MASK ,
/* (NLA_BINARY, struct in_addr)
* and IPv4 address mask */
NLBL_UNLABEL_A_IFACE ,
/* (NLA_NULL_STRING)
* network interface */
NLBL_UNLABEL_A_SECCTX ,
/* (NLA_BINARY)
* a LSM specific security context */
2006-09-26 02:56:37 +04:00
__NLBL_UNLABEL_A_MAX ,
} ;
# define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
2006-08-04 03:48:37 +04:00
/* NetLabel protocol functions */
int netlbl_unlabel_genl_init ( void ) ;
2008-01-29 16:44:21 +03:00
/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
# define NETLBL_UNLHSH_BITSIZE 7
/* General Unlabeled init function */
int netlbl_unlabel_init ( u32 size ) ;
2008-12-31 20:54:11 +03:00
/* Static/Fallback label management functions */
int netlbl_unlhsh_add ( struct net * net ,
const char * dev_name ,
const void * addr ,
const void * mask ,
u32 addr_len ,
u32 secid ,
struct netlbl_audit * audit_info ) ;
int netlbl_unlhsh_remove ( struct net * net ,
const char * dev_name ,
const void * addr ,
const void * mask ,
u32 addr_len ,
struct netlbl_audit * audit_info ) ;
2006-08-04 03:48:37 +04:00
/* Process Unlabeled incoming network packets */
2008-01-29 16:44:21 +03:00
int netlbl_unlabel_getattr ( const struct sk_buff * skb ,
u16 family ,
struct netlbl_lsm_secattr * secattr ) ;
2006-08-04 03:48:37 +04:00
/* Set the default configuration to allow Unlabeled packets */
int netlbl_unlabel_defconf ( void ) ;
# endif