/* SPDX-License-Identifier: GPL-2.0-or-later */
2
/*
3
* NetLabel Unlabeled Support
4
*
5
* This file defines functions for dealing with unlabeled packets for the
6
* NetLabel system. The NetLabel system manages static and dynamic label
7
* mappings for network protocols such as CIPSO and RIPSO.
8
*
9
* Author: Paul Moore <[email protected]>
10
*/
11
12
/*
13
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14
*/
#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H
#include <net/netlabel.h>
/*
22
* The following NetLabel payloads are supported by the Unlabeled subsystem.
23
*
24
* o STATICADD
25
* This message is sent from an application to add a new static label for
26
* incoming unlabeled connections.
27
*
28
* Required attributes:
29
*
30
* NLBL_UNLABEL_A_IFACE
31
* NLBL_UNLABEL_A_SECCTX
32
*
33
* If IPv4 is specified the following attributes are required:
34
*
35
* NLBL_UNLABEL_A_IPV4ADDR
36
* NLBL_UNLABEL_A_IPV4MASK
37
*
38
* If IPv6 is specified the following attributes are required:
39
*
40
* NLBL_UNLABEL_A_IPV6ADDR
41
* NLBL_UNLABEL_A_IPV6MASK
42
*
43
* o STATICREMOVE
44
* This message is sent from an application to remove an existing static
45
* label for incoming unlabeled connections.
46
*
47
* Required attributes:
48
*
49
* NLBL_UNLABEL_A_IFACE
50
*
51
* If IPv4 is specified the following attributes are required:
52
*
53
* NLBL_UNLABEL_A_IPV4ADDR
54
* NLBL_UNLABEL_A_IPV4MASK
55
*
56
* If IPv6 is specified the following attributes are required:
57
*
58
* NLBL_UNLABEL_A_IPV6ADDR
59
* NLBL_UNLABEL_A_IPV6MASK
60
*
61
* o STATICLIST
62
* This message can be sent either from an application or by the kernel in
63
* response to an application generated STATICLIST message. When sent by an
64
* application there is no payload and the NLM_F_DUMP flag should be set.
65
* The kernel should respond with a series of the following messages.
66
*
67
* Required attributes:
68
*
69
* NLBL_UNLABEL_A_IFACE
70
* NLBL_UNLABEL_A_SECCTX
71
*
72
* If IPv4 is specified the following attributes are required:
73
*
74
* NLBL_UNLABEL_A_IPV4ADDR
75
* NLBL_UNLABEL_A_IPV4MASK
76
*
77
* If IPv6 is specified the following attributes are required:
78
*
79
* NLBL_UNLABEL_A_IPV6ADDR
80
* NLBL_UNLABEL_A_IPV6MASK
81
*
82
* o STATICADDDEF
83
* This message is sent from an application to set the default static
84
* label for incoming unlabeled connections.
85
*
86
* Required attribute:
87
*
88
* NLBL_UNLABEL_A_SECCTX
89
*
90
* If IPv4 is specified the following attributes are required:
91
*
92
* NLBL_UNLABEL_A_IPV4ADDR
93
* NLBL_UNLABEL_A_IPV4MASK
94
*
95
* If IPv6 is specified the following attributes are required:
96
*
97
* NLBL_UNLABEL_A_IPV6ADDR
98
* NLBL_UNLABEL_A_IPV6MASK
99
*
100
* o STATICREMOVEDEF
101
* This message is sent from an application to remove the existing default
102
* static label for incoming unlabeled connections.
103
*
104
* If IPv4 is specified the following attributes are required:
105
*
106
* NLBL_UNLABEL_A_IPV4ADDR
107
* NLBL_UNLABEL_A_IPV4MASK
108
*
109
* If IPv6 is specified the following attributes are required:
110
*
111
* NLBL_UNLABEL_A_IPV6ADDR
112
* NLBL_UNLABEL_A_IPV6MASK
113
*
114
* o STATICLISTDEF
115
* This message can be sent either from an application or by the kernel in
116
* response to an application generated STATICLISTDEF message. When sent by
117
* an application there is no payload and the NLM_F_DUMP flag should be set.
118
* The kernel should respond with the following message.
119
*
120
* Required attribute:
121
*
122
* NLBL_UNLABEL_A_SECCTX
123
*
124
* If IPv4 is specified the following attributes are required:
125
*
126
* NLBL_UNLABEL_A_IPV4ADDR
127
* NLBL_UNLABEL_A_IPV4MASK
128
*
129
* If IPv6 is specified the following attributes are required:
130
*
131
* NLBL_UNLABEL_A_IPV6ADDR
132
* NLBL_UNLABEL_A_IPV6MASK
133
*
134
* o ACCEPT
135
* This message is sent from an application to specify if the kernel should
136
* allow unlabeled packets to pass if they do not match any of the static
137
* mappings defined in the unlabeled module.
138
*
139
* Required attributes:
140
*
141
* NLBL_UNLABEL_A_ACPTFLG
142
*
143
* o LIST
144
* This message can be sent either from an application or by the kernel in
145
* response to an application generated LIST message. When sent by an
146
* application there is no payload. The kernel should respond to a LIST
147
* message with a LIST message on success.
148
*
149
* Required attributes:
150
*
151
* NLBL_UNLABEL_A_ACPTFLG
152
*
153
*/
/*
 * NetLabel Unlabeled generic netlink commands.
 *
 * These numbers are exchanged with user space (see the message descriptions
 * above), so the values are written out explicitly to make the numbering
 * obvious.  They equal the implicit sequence and must not be reordered.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC = 0,
	/* set whether unmatched unlabeled packets are accepted or rejected */
	NLBL_UNLABEL_C_ACCEPT = 1,
	/* query the accept flag; the kernel answers with a LIST message */
	NLBL_UNLABEL_C_LIST = 2,
	/* add a static label for an interface/address */
	NLBL_UNLABEL_C_STATICADD = 3,
	/* remove a static label for an interface/address */
	NLBL_UNLABEL_C_STATICREMOVE = 4,
	/* dump the static labels (NLM_F_DUMP request from user space) */
	NLBL_UNLABEL_C_STATICLIST = 5,
	/* set the default static label for an address range */
	NLBL_UNLABEL_C_STATICADDDEF = 6,
	/* remove the default static label for an address range */
	NLBL_UNLABEL_C_STATICREMOVEDEF = 7,
	/* dump the default static labels (NLM_F_DUMP request from user space) */
	NLBL_UNLABEL_C_STATICLISTDEF = 8,
	__NLBL_UNLABEL_C_MAX,
};
/*
 * NetLabel Unlabeled netlink attributes.
 *
 * The expected netlink type of each attribute is noted with it.  These
 * attributes arrive from user space, so the receiving code is responsible
 * for checking that an incoming attribute really has that type and length
 * before using it; the attribute policy itself is not part of this header.
 * Values are written out explicitly to make the numbering obvious; they equal
 * the implicit sequence and must not be reordered.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC = 0,
	/* NLA_U8: non-zero lets unlabeled packets pass, zero rejects them */
	NLBL_UNLABEL_A_ACPTFLG = 1,
	/* NLA_BINARY, struct in6_addr: an IPv6 address */
	NLBL_UNLABEL_A_IPV6ADDR = 2,
	/* NLA_BINARY, struct in6_addr: an IPv6 address mask */
	NLBL_UNLABEL_A_IPV6MASK = 3,
	/* NLA_BINARY, struct in_addr: an IPv4 address */
	NLBL_UNLABEL_A_IPV4ADDR = 4,
	/* NLA_BINARY, struct in_addr: an IPv4 address mask */
	NLBL_UNLABEL_A_IPV4MASK = 5,
	/* NLA_NUL_STRING: network interface name */
	NLBL_UNLABEL_A_IFACE = 6,
	/* NLA_BINARY: an LSM specific security context */
	NLBL_UNLABEL_A_SECCTX = 7,
	__NLBL_UNLABEL_A_MAX,
};
/* highest valid attribute number; the upper bound for attribute parsing */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
/* NetLabel protocol functions */

/**
 * netlbl_unlabel_genl_init - Register the Unlabeled generic netlink family
 *
 * Expected to register the handlers for the NLBL_UNLABEL_C_* commands with
 * generic netlink.  The return convention is not visible in this header;
 * presumably 0 on success and a negative error otherwise - confirm against
 * the implementation.
 */
int netlbl_unlabel_genl_init(void);

/*
 * Unlabeled connection hash table size, presumably in bits (i.e. 2^7
 * buckets) given how netlbl_unlabel_init() takes it - confirm.
 * XXX - currently this number is an uneducated guess
 */
#define NETLBL_UNLHSH_BITSIZE 7

/**
 * netlbl_unlabel_init - General Unlabeled init function
 * @size: hash table size, presumably the bit size (see NETLBL_UNLHSH_BITSIZE)
 *
 * Return convention not visible here; presumably 0 on success and a negative
 * error otherwise - confirm against the implementation.
 */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions */

/**
 * netlbl_unlhsh_add - Add a static label for incoming unlabeled traffic
 * @net: network namespace the entry belongs to
 * @dev_name: interface the entry applies to; how the interface-less default
 *            entry (STATICADDDEF) is expressed is not visible here - likely a
 *            NULL name, confirm against the implementation
 * @addr: address of the entry, a struct in_addr or struct in6_addr per the
 *        attribute descriptions above
 * @mask: address mask of the same type as @addr
 * @addr_len: size of @addr and @mask in bytes; presumably this is what selects
 *            IPv4 vs IPv6 - confirm
 * @secid: LSM security id to assign to matching packets, presumably resolved
 *         from NLBL_UNLABEL_A_SECCTX by the caller - confirm
 * @audit_info: audit information about the caller for the configuration change
 *
 * Implements the STATICADD / STATICADDDEF messages described above.
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);

/**
 * netlbl_unlhsh_remove - Remove a static label for incoming unlabeled traffic
 * @net: network namespace the entry belongs to
 * @dev_name: interface the entry applies to (see netlbl_unlhsh_add())
 * @addr: address of the entry, a struct in_addr or struct in6_addr
 * @mask: address mask of the same type as @addr
 * @addr_len: size of @addr and @mask in bytes
 * @audit_info: audit information about the caller for the configuration change
 *
 * Implements the STATICREMOVE / STATICREMOVEDEF messages described above.
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets */

/**
 * netlbl_unlabel_getattr - Determine the security attributes of an unlabeled packet
 * @skb: the incoming packet
 * @family: address family of the packet (e.g. AF_INET or AF_INET6)
 * @secattr: security attributes to fill in for the packet
 *
 * Presumably consults the static label table and, failing a match, the
 * accept flag set via the ACCEPT command - confirm against the
 * implementation.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/**
 * netlbl_unlabel_defconf - Set the default configuration to allow Unlabeled packets
 *
 * This is the permissive direction of the accept flag: after it takes effect
 * packets carrying no label are passed rather than rejected, so callers should
 * use it deliberately.
 */
int netlbl_unlabel_defconf(void);
#endif