/*
 * NetLabel Unlabeled Support
 *
 * This file defines functions for dealing with unlabeled packets for the
 * NetLabel system.  The NetLabel system manages static and dynamic label
 * mappings for network protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <[email protected]>
 *
 */
/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */
#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H
#include <net/netlabel.h>
/*
 * The following NetLabel payloads are supported by the Unlabeled subsystem.
 *
 * o STATICADD
 *   This message is sent from an application to add a new static label for
 *   incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVE
 *   This message is sent from an application to remove an existing static
 *   label for incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLIST message.  When sent by an
 *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICADDDEF
 *   This message is sent from an application to set the default static
 *   label for incoming unlabeled connections.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVEDEF
 *   This message is sent from an application to remove the existing default
 *   static label for incoming unlabeled connections.
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLISTDEF
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLISTDEF message.  When sent by
 *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 * o LIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated LIST message.  When sent by an
 *   application there is no payload.  The kernel should respond to a LIST
 *   message with a LIST message on success.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 */
/* NetLabel Unlabeled commands */
/*
 * Generic netlink commands understood by the Unlabeled subsystem (see the
 * payload description above).  The numeric values are part of the interface
 * used by applications, so they are spelled out explicitly here and must stay
 * stable; a new command is appended in front of the __NLBL_UNLABEL_C_MAX
 * sentinel, never inserted in the middle.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC = 0,
	NLBL_UNLABEL_C_ACCEPT = 1,
	NLBL_UNLABEL_C_LIST = 2,
	NLBL_UNLABEL_C_STATICADD = 3,
	NLBL_UNLABEL_C_STATICREMOVE = 4,
	NLBL_UNLABEL_C_STATICLIST = 5,
	NLBL_UNLABEL_C_STATICADDDEF = 6,
	NLBL_UNLABEL_C_STATICREMOVEDEF = 7,
	NLBL_UNLABEL_C_STATICLISTDEF = 8,
	/* sentinel, always one past the last real command */
	__NLBL_UNLABEL_C_MAX,
};
/* NetLabel Unlabeled attributes */
/*
 * Generic netlink attributes carried by the Unlabeled commands.  The numeric
 * values are part of the interface used by applications (see the payload
 * description above), so they are spelled out explicitly and must stay
 * stable.  The netlink attribute type and payload of each attribute is noted
 * directly above it.
 *
 * NOTE(review): an NLA_BINARY policy only bounds the maximum payload length,
 * so the receiving code is expected to check that the address and mask
 * attributes are exactly sizeof(struct in_addr) / sizeof(struct in6_addr)
 * before interpreting them — confirm in the implementation.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC = 0,
	/* (NLA_U8) non-zero: unlabeled packets that match no static mapping are
	 * allowed to pass; zero: they are rejected */
	NLBL_UNLABEL_A_ACPTFLG = 1,
	/* (NLA_BINARY, struct in6_addr) an IPv6 address */
	NLBL_UNLABEL_A_IPV6ADDR = 2,
	/* (NLA_BINARY, struct in6_addr) an IPv6 address mask */
	NLBL_UNLABEL_A_IPV6MASK = 3,
	/* (NLA_BINARY, struct in_addr) an IPv4 address */
	NLBL_UNLABEL_A_IPV4ADDR = 4,
	/* (NLA_BINARY, struct in_addr) an IPv4 address mask */
	NLBL_UNLABEL_A_IPV4MASK = 5,
	/* (NLA_NULL_STRING) network interface name */
	NLBL_UNLABEL_A_IFACE = 6,
	/* (NLA_BINARY) an LSM specific security context */
	NLBL_UNLABEL_A_SECCTX = 7,
	/* sentinel, always one past the last real attribute */
	__NLBL_UNLABEL_A_MAX,
};
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
/* NetLabel protocol functions */
/**
 * netlbl_unlabel_genl_init - Generic netlink initialisation for the Unlabeled subsystem
 *
 * NOTE(review): the name suggests this registers the NLBL_UNLABEL_C_* command
 * family described above with generic netlink — confirm in the implementation.
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlabel_genl_init(void);
/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* NOTE(review): the name implies a bit count (2^7 = 128 buckets) rather than a
 * bucket count; presumably it feeds the u32 size argument of
 * netlbl_unlabel_init() below — confirm in the implementation. */
#define NETLBL_UNLHSH_BITSIZE 7
/* General Unlabeled init function */
/**
 * netlbl_unlabel_init - Initialize the NetLabel Unlabeled subsystem
 * @size: size of the unlabeled connection hash table (presumably derived from
 *        NETLBL_UNLHSH_BITSIZE above — confirm)
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlabel_init(u32 size);
/* Static/Fallback label management functions */
/**
 * netlbl_unlhsh_add - Add a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name (compare NLBL_UNLABEL_A_IFACE)
 * @addr: IP address the mapping applies to; presumably read as a
 *        struct in_addr or struct in6_addr depending on @addr_len — confirm
 * @mask: address mask, same length as @addr
 * @addr_len: length in bytes of the @addr and @mask buffers
 * @secid: LSM security identifier to associate with matching unlabeled
 *         packets (presumably the resolved form of NLBL_UNLABEL_A_SECCTX —
 *         confirm)
 * @audit_info: NetLabel audit information describing the caller
 *
 * NOTE(review): @addr and @mask are untyped pointers, so this contract relies
 * on the caller guaranteeing that both buffers really are @addr_len bytes
 * long and that @addr_len is one of the supported address sizes.
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);
/**
 * netlbl_unlhsh_remove - Remove a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name (compare NLBL_UNLABEL_A_IFACE)
 * @addr: IP address of the mapping to remove; interpreted per @addr_len as
 *        for netlbl_unlhsh_add()
 * @mask: address mask, same length as @addr
 * @addr_len: length in bytes of the @addr and @mask buffers
 * @audit_info: NetLabel audit information describing the caller
 *
 * The same buffer-length caveat as for netlbl_unlhsh_add() applies to @addr
 * and @mask.
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);
/* Process Unlabeled incoming network packets */
/**
 * netlbl_unlabel_getattr - Determine the security attributes of an unlabeled packet
 * @skb: the incoming packet
 * @family: address family of the packet (presumably AF_INET or AF_INET6 —
 *          confirm)
 * @secattr: the security attributes to fill in
 *
 * NOTE(review): given the section comment above, the attributes presumably
 * come from the static/fallback mappings managed by netlbl_unlhsh_add() and
 * netlbl_unlhsh_remove() rather than from any label carried in the packet —
 * confirm in the implementation.
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);
/* Set the default configuration to allow Unlabeled packets */
/**
 * netlbl_unlabel_defconf - Set the default NetLabel configuration
 *
 * Per the comment above, the default configuration this installs allows
 * unlabeled packets to pass (compare NLBL_UNLABEL_A_ACPTFLG); how it is
 * applied is not visible from this header — confirm in the implementation.
 *
 * Return: zero on success, negative values on failure (assumed kernel
 *         convention — confirm).
 */
int netlbl_unlabel_defconf(void);
#endif