/*
 * CIPSO - Commercial IP Security Option
 *
 * This is an implementation of the CIPSO 2.2 protocol as specified in
 * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
 * FIPS-188; copies of both documents can be found in the Documentation
 * directory. While CIPSO never became a full IETF RFC standard, many vendors
 * have chosen to adopt the protocol and over the years it has become a
 * de-facto standard for labeled networking.
 *
 * Author: Paul Moore <[email protected]>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

#ifndef _CIPSO_IPV4_H
#define _CIPSO_IPV4_H

/* u8/u32, RCU, list heads, sk_buff, request_sock and the NetLabel
 * secattr/audit types used by the declarations below. */
#include <linux/types.h>
#include <linux/rcupdate.h>
#include <linux/list.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <net/netlabel.h>
#include <net/request_sock.h>
#include <asm/atomic.h>

46
/* known doi values */
47
#define CIPSO_V4_DOI_UNKNOWN 0x00000000
48
49
/* standard tag types */
50
#define CIPSO_V4_TAG_INVALID 0
51
#define CIPSO_V4_TAG_RBITMAP 1
52
#define CIPSO_V4_TAG_ENUM 2
53
#define CIPSO_V4_TAG_RANGE 5
54
#define CIPSO_V4_TAG_PBITMAP 6
55
#define CIPSO_V4_TAG_FREEFORM 7
56
57
/* non-standard tag types (tags > 127) */
58
#define CIPSO_V4_TAG_LOCAL 128
59
60
/* doi mapping types */
61
#define CIPSO_V4_MAP_UNKNOWN 0
62
#define CIPSO_V4_MAP_TRANS 1
63
#define CIPSO_V4_MAP_PASS 2
64
#define CIPSO_V4_MAP_LOCAL 3
65
66
/* limits */
67
#define CIPSO_V4_MAX_REM_LVLS 255
68
#define CIPSO_V4_INV_LVL 0x80000000
69
#define CIPSO_V4_MAX_LOC_LVLS (CIPSO_V4_INV_LVL - 1)
70
#define CIPSO_V4_MAX_REM_CATS 65534
71
#define CIPSO_V4_INV_CAT 0x80000000
72
#define CIPSO_V4_MAX_LOC_CATS (CIPSO_V4_INV_CAT - 1)
73
74
/*
75
* CIPSO DOI definitions
76
*/
77
78
/* DOI definition struct */
79
#define CIPSO_V4_TAG_MAXCNT 5
80
struct cipso_v4_doi {
	u32 doi;		/* Domain of Interpretation this definition covers */
	u32 type;		/* CIPSO_V4_MAP_* mapping type, presumably - confirm */
	union {
		struct cipso_v4_std_map_tbl *std;	/* level/category tables */
	} map;
	/* Permitted CIPSO_V4_TAG_* values for this DOI; presumably terminated
	 * by CIPSO_V4_TAG_INVALID when fewer than CIPSO_V4_TAG_MAXCNT are
	 * used - confirm in cipso_ipv4.c. */
	u8 tags[CIPSO_V4_TAG_MAXCNT];

	atomic_t refcount;	/* lifetime reference (see getdef/putdef) */
	struct list_head list;	/* membership in the DOI list */
	struct rcu_head rcu;	/* presumably for RCU-deferred release - confirm */
};

/* Standard CIPSO mapping table */
/* NOTE: the highest order bit (i.e. 0x80000000) is an 'invalid' flag; if the
 * bit is set then consider that value as unspecified, meaning the
 * mapping for that particular level/category is invalid. */
struct cipso_v4_std_map_tbl {
	/* Level translation arrays; cipso[] is presumably indexed by the
	 * on-the-wire value and local[] by the local value, each holding
	 * the value in the other domain - confirm direction in cipso_ipv4.c.
	 * NOTE(review): a remote level taken from a packet must be checked
	 * against cipso_size before it is used as an index. */
	struct {
		u32 *cipso;
		u32 *local;
		u32 cipso_size;	/* number of entries in cipso[] */
		u32 local_size;	/* number of entries in local[] */
	} lvl;
	/* Category translation arrays, same layout and same bounds caveat
	 * as lvl above. */
	struct {
		u32 *cipso;
		u32 *local;
		u32 cipso_size;	/* number of entries in cipso[] */
		u32 local_size;	/* number of entries in local[] */
	} cat;
};

/*
 * Sysctl Variables
 */

#ifdef CONFIG_NETLABEL
/* Runtime tunables exposed through sysctl; definitions live in
 * cipso_ipv4.c. "rbm" presumably refers to the restricted bitmap tag. */
extern int cipso_v4_cache_enabled;	/* label mapping cache on/off */
extern int cipso_v4_cache_bucketsize;	/* cache bucket size */
extern int cipso_v4_rbm_optfmt;		/* restricted bitmap option format */
/* Strictness of restricted bitmap validation; security relevant, confirm
 * the exact semantics in cipso_ipv4.c before tuning. */
extern int cipso_v4_rbm_strictvalid;
#endif

/*
 * Helper Functions
 */

/* True when the IP control block of skb x records a CIPSO option offset
 * (a zero offset means the option is absent). */
#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
/* Pointer to the first byte of the CIPSO option inside the IP header of x.
 * This does not check presence: with no option the offset is 0 and the
 * result is the network header itself, so test CIPSO_V4_OPTEXIST(x) first. */
#define CIPSO_V4_OPTPTR(x) (skb_network_header(x) + IPCB(x)->opt.cipso)

/*
 * DOI List Functions
 */

#ifdef CONFIG_NETLABEL
/* Register a DOI definition; audit_info is presumably used to record the
 * configuration change - confirm in cipso_ipv4.c. */
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
		     struct netlbl_audit *audit_info);
/* Free a DOI definition. */
void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
/* Unregister the definition for the given DOI value. */
int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
/* Look up a DOI definition; getdef/putdef are paired, so the returned
 * definition presumably holds a reference until putdef - confirm.
 * NOTE(review): the CONFIG_NETLABEL=n branch below provides a stub for
 * getdef but none for putdef. */
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def);
/* Iterate the DOI list calling callback(doi_def, cb_arg) per entry;
 * skip_cnt presumably counts entries to skip/resume from - confirm. */
int cipso_v4_doi_walk(u32 *skip_cnt,
		      int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
		      void *cb_arg);
#else
static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
				   struct netlbl_audit *audit_info)
{
	/* CONFIG_NETLABEL=n: adding a DOI definition is not supported. */
	(void)doi_def;
	(void)audit_info;
	return -ENOSYS;
}

static inline void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
{
	/* CONFIG_NETLABEL=n: no-op. */
	(void)doi_def;
}

static inline int cipso_v4_doi_remove(u32 doi,
				      struct netlbl_audit *audit_info)
{
	/* CONFIG_NETLABEL=n: nothing is registered, so removal reports
	 * success (0), unlike the add stub which returns -ENOSYS. */
	(void)doi;
	(void)audit_info;
	return 0;
}

static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
{
	/* CONFIG_NETLABEL=n: no definition can exist for any DOI. */
	(void)doi;
	return NULL;
}

static inline int cipso_v4_doi_walk(u32 *skip_cnt,
				    int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
				    void *cb_arg)
{
	/* CONFIG_NETLABEL=n: the list is empty; callback is never invoked. */
	(void)skip_cnt;
	(void)callback;
	(void)cb_arg;
	return 0;
}

static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
					  const char *domain)
{
	/* CONFIG_NETLABEL=n: unsupported.
	 * NOTE(review): no CONFIG_NETLABEL=y declaration of this function
	 * appears in this header, so the stub may be stale - confirm it
	 * still has a caller. */
	(void)doi_def;
	(void)domain;
	return -ENOSYS;
}

static inline int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
					     const char *domain)
{
	/* CONFIG_NETLABEL=n: nothing to remove, report success.
	 * NOTE(review): no CONFIG_NETLABEL=y declaration of this function
	 * appears in this header, so the stub may be stale - confirm. */
	(void)doi_def;
	(void)domain;
	return 0;
}
#endif /* CONFIG_NETLABEL */

/*
 * Label Mapping Cache Functions
 */

#ifdef CONFIG_NETLABEL
/* Drop every entry from the label mapping cache (e.g. after a DOI or
 * mapping change, presumably - confirm callers). */
void cipso_v4_cache_invalidate(void);
/* Cache the secattr that skb's CIPSO option was translated to, so later
 * packets carrying the same option can skip the translation. */
int cipso_v4_cache_add(const struct sk_buff *skb,
		       const struct netlbl_lsm_secattr *secattr);
#else
static inline void cipso_v4_cache_invalidate(void)
{
	/* CONFIG_NETLABEL=n: there is no cache to invalidate. */
}

static inline int cipso_v4_cache_add(const struct sk_buff *skb,
				     const struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: nothing is cached, but report success so a
	 * caller that treats caching as best-effort is not disturbed. */
	(void)skb;
	(void)secattr;
	return 0;
}
#endif /* CONFIG_NETLABEL */

/*
 * Protocol Handling Functions
 */

#ifdef CONFIG_NETLABEL
/* Report a CIPSO-related error for skb; presumably emits an ICMP error
 * toward the sender - confirm in cipso_ipv4.c. */
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
/* Attach a CIPSO option built from secattr under doi_def to a socket;
 * the option is then carried by packets the socket sends. */
int cipso_v4_sock_setattr(struct sock *sk,
			  const struct cipso_v4_doi *doi_def,
			  const struct netlbl_lsm_secattr *secattr);
/* Remove the CIPSO option from a socket. */
void cipso_v4_sock_delattr(struct sock *sk);
/* Translate a socket's CIPSO option back into secattr. */
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
/* Same as the sock variants, for a connection request. */
int cipso_v4_req_setattr(struct request_sock *req,
			 const struct cipso_v4_doi *doi_def,
			 const struct netlbl_lsm_secattr *secattr);
void cipso_v4_req_delattr(struct request_sock *req);
/* Same as the sock variants, for an individual packet. */
int cipso_v4_skbuff_setattr(struct sk_buff *skb,
			    const struct cipso_v4_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_delattr(struct sk_buff *skb);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
			    struct netlbl_lsm_secattr *secattr);
/* Validate the CIPSO option carried by an incoming (untrusted) packet.
 * On failure *option is presumably left pointing at the offending byte so
 * the caller can report it - confirm in cipso_ipv4.c. */
int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
#else
static inline void cipso_v4_error(struct sk_buff *skb,
				  int error,
				  u32 gateway)
{
	/* CONFIG_NETLABEL=n: no error reporting. */
	(void)skb;
	(void)error;
	(void)gateway;
}

static inline int cipso_v4_sock_setattr(struct sock *sk,
					const struct cipso_v4_doi *doi_def,
					const struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: labeling a socket is not supported. */
	(void)sk;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}

static inline void cipso_v4_sock_delattr(struct sock *sk)
{
	/* CONFIG_NETLABEL=n: no option can be attached, so nothing to remove. */
	(void)sk;
}

static inline int cipso_v4_sock_getattr(struct sock *sk,
					struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: no label can be read back; secattr untouched. */
	(void)sk;
	(void)secattr;
	return -ENOSYS;
}

static inline int cipso_v4_req_setattr(struct request_sock *req,
				       const struct cipso_v4_doi *doi_def,
				       const struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: labeling a connection request is unsupported. */
	(void)req;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}

static inline void cipso_v4_req_delattr(struct request_sock *req)
{
	/* CONFIG_NETLABEL=n: no-op. */
	(void)req;
}

static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
					  const struct cipso_v4_doi *doi_def,
					  const struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: labeling a packet is unsupported. */
	(void)skb;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}

static inline int cipso_v4_skbuff_delattr(struct sk_buff *skb)
{
	/* CONFIG_NETLABEL=n: unsupported (note: unlike sock/req_delattr this
	 * stub reports -ENOSYS rather than silently succeeding). */
	(void)skb;
	return -ENOSYS;
}

static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
					  struct netlbl_lsm_secattr *secattr)
{
	/* CONFIG_NETLABEL=n: no label can be extracted; secattr untouched. */
	(void)skb;
	(void)secattr;
	return -ENOSYS;
}

static inline int cipso_v4_validate(const struct sk_buff *skb,
				    unsigned char **option)
{
	/* CONFIG_NETLABEL=n: validation is unavailable and fails with
	 * -ENOSYS; *option is not modified. Whether the caller then drops
	 * a packet carrying a CIPSO option is decided by the caller, not
	 * here - confirm in the IP option parsing code. */
	(void)skb;
	(void)option;
	return -ENOSYS;
}
#endif /* CONFIG_NETLABEL */

#endif /* _CIPSO_IPV4_H */