1 /*
2  * NetLabel Unlabeled Support
3  *
4  * This file defines functions for dealing with unlabeled packets for the
5  * NetLabel system.  The NetLabel system manages static and dynamic label
6  * mappings for network protocols such as CIPSO and RIPSO.
7  *
8  * Author: Paul Moore <paul@paul-moore.com>
9  *
10  */
11 
12 /*
13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14  *
15  * This program is free software;  you can redistribute it and/or modify
16  * it under the terms of the GNU General Public License as published by
17  * the Free Software Foundation; either version 2 of the License, or
18  * (at your option) any later version.
19  *
20  * This program is distributed in the hope that it will be useful,
21  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
23  * the GNU General Public License for more details.
24  *
25  * You should have received a copy of the GNU General Public License
26  * along with this program;  if not, write to the Free Software
27  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28  *
29  */
30 
31 #ifndef _NETLABEL_UNLABELED_H
32 #define _NETLABEL_UNLABELED_H
33 
34 #include <net/netlabel.h>
35 
36 /*
37  * The following NetLabel payloads are supported by the Unlabeled subsystem.
38  *
39  * o STATICADD
40  *   This message is sent from an application to add a new static label for
41  *   incoming unlabeled connections.
42  *
43  *   Required attributes:
44  *
45  *     NLBL_UNLABEL_A_IFACE
46  *     NLBL_UNLABEL_A_SECCTX
47  *
48  *   If IPv4 is specified the following attributes are required:
49  *
50  *     NLBL_UNLABEL_A_IPV4ADDR
51  *     NLBL_UNLABEL_A_IPV4MASK
52  *
53  *   If IPv6 is specified the following attributes are required:
54  *
55  *     NLBL_UNLABEL_A_IPV6ADDR
56  *     NLBL_UNLABEL_A_IPV6MASK
57  *
58  * o STATICREMOVE
59  *   This message is sent from an application to remove an existing static
60  *   label for incoming unlabeled connections.
61  *
62  *   Required attributes:
63  *
64  *     NLBL_UNLABEL_A_IFACE
65  *
66  *   If IPv4 is specified the following attributes are required:
67  *
68  *     NLBL_UNLABEL_A_IPV4ADDR
69  *     NLBL_UNLABEL_A_IPV4MASK
70  *
71  *   If IPv6 is specified the following attributes are required:
72  *
73  *     NLBL_UNLABEL_A_IPV6ADDR
74  *     NLBL_UNLABEL_A_IPV6MASK
75  *
76  * o STATICLIST
77  *   This message can be sent either from an application or by the kernel in
78  *   response to an application generated STATICLIST message.  When sent by an
79  *   application there is no payload and the NLM_F_DUMP flag should be set.
80  *   The kernel should respond with a series of the following messages.
81  *
82  *   Required attributes:
83  *
84  *     NLBL_UNLABEL_A_IFACE
85  *     NLBL_UNLABEL_A_SECCTX
86  *
87  *   If IPv4 is specified the following attributes are required:
88  *
89  *     NLBL_UNLABEL_A_IPV4ADDR
90  *     NLBL_UNLABEL_A_IPV4MASK
91  *
92  *   If IPv6 is specified the following attributes are required:
93  *
94  *     NLBL_UNLABEL_A_IPV6ADDR
95  *     NLBL_UNLABEL_A_IPV6MASK
96  *
97  * o STATICADDDEF
98  *   This message is sent from an application to set the default static
99  *   label for incoming unlabeled connections.
100  *
101  *   Required attribute:
102  *
103  *     NLBL_UNLABEL_A_SECCTX
104  *
105  *   If IPv4 is specified the following attributes are required:
106  *
107  *     NLBL_UNLABEL_A_IPV4ADDR
108  *     NLBL_UNLABEL_A_IPV4MASK
109  *
110  *   If IPv6 is specified the following attributes are required:
111  *
112  *     NLBL_UNLABEL_A_IPV6ADDR
113  *     NLBL_UNLABEL_A_IPV6MASK
114  *
115  * o STATICREMOVEDEF
116  *   This message is sent from an application to remove the existing default
117  *   static label for incoming unlabeled connections.
118  *
119  *   If IPv4 is specified the following attributes are required:
120  *
121  *     NLBL_UNLABEL_A_IPV4ADDR
122  *     NLBL_UNLABEL_A_IPV4MASK
123  *
124  *   If IPv6 is specified the following attributes are required:
125  *
126  *     NLBL_UNLABEL_A_IPV6ADDR
127  *     NLBL_UNLABEL_A_IPV6MASK
128  *
129  * o STATICLISTDEF
130  *   This message can be sent either from an application or by the kernel in
131  *   response to an application generated STATICLISTDEF message.  When sent by
132  *   an application there is no payload and the NLM_F_DUMP flag should be set.
133  *   The kernel should respond with the following message.
134  *
135  *   Required attribute:
136  *
137  *     NLBL_UNLABEL_A_SECCTX
138  *
139  *   If IPv4 is specified the following attributes are required:
140  *
141  *     NLBL_UNLABEL_A_IPV4ADDR
142  *     NLBL_UNLABEL_A_IPV4MASK
143  *
144  *   If IPv6 is specified the following attributes are required:
145  *
146  *     NLBL_UNLABEL_A_IPV6ADDR
147  *     NLBL_UNLABEL_A_IPV6MASK
148  *
149  * o ACCEPT
150  *   This message is sent from an application to specify if the kernel should
151  *   allow unlabeled packets to pass if they do not match any of the static
152  *   mappings defined in the unlabeled module.
153  *
154  *   Required attributes:
155  *
156  *     NLBL_UNLABEL_A_ACPTFLG
157  *
158  * o LIST
159  *   This message can be sent either from an application or by the kernel in
160  *   response to an application generated LIST message.  When sent by an
161  *   application there is no payload.  The kernel should respond to a LIST
162  *   message with a LIST message on success.
163  *
164  *   Required attributes:
165  *
166  *     NLBL_UNLABEL_A_ACPTFLG
167  *
168  */
169 
170 /* NetLabel Unlabeled commands
 *
 * Command identifiers for the messages described in the payload comment
 * above.  No enumerator has an explicit value, so each value is fixed by its
 * position in the list (UNSPEC is 0, every later entry is one higher);
 * reordering or inserting entries renumbers everything after the change.
 *
 * ACCEPT, STATICADD, STATICREMOVE, STATICADDDEF and STATICREMOVEDEF are the
 * commands that change how unlabeled traffic is labeled or admitted; the
 * LIST variants only report configuration.
 * NOTE(review): the privilege check applied to the state-changing commands
 * is not visible in this header - verify it in the message handlers.
 */
171 enum {
172 	NLBL_UNLABEL_C_UNSPEC,
173 	NLBL_UNLABEL_C_ACCEPT,		/* set whether unmatched unlabeled packets may pass */
174 	NLBL_UNLABEL_C_LIST,		/* request/report the accept flag */
175 	NLBL_UNLABEL_C_STATICADD,	/* add a static label for an interface */
176 	NLBL_UNLABEL_C_STATICREMOVE,	/* remove an existing static label */
177 	NLBL_UNLABEL_C_STATICLIST,	/* list static labels (request sets NLM_F_DUMP) */
178 	NLBL_UNLABEL_C_STATICADDDEF,	/* set the default static label */
179 	NLBL_UNLABEL_C_STATICREMOVEDEF,	/* remove the default static label */
180 	NLBL_UNLABEL_C_STATICLISTDEF,	/* report the default static label (request sets NLM_F_DUMP) */
181 	__NLBL_UNLABEL_C_MAX,		/* by position: one more than the last command above */
182 };
183 
184 /* NetLabel Unlabeled attributes
 *
 * Attribute identifiers used in the message payloads of this subsystem.
 * Values are assigned by position, starting at 0 for UNSPEC, so reordering
 * or inserting entries renumbers everything after the change.
 *
 * In this list the descriptive comment FOLLOWS the enumerator it documents;
 * the parenthesised name is the netlink attribute type given by the author.
 * NOTE(review): these comments state the expected payload type only; the
 * length and format validation of each attribute is not visible in this
 * header - verify it in the code that parses the messages, in particular
 * for the NLA_BINARY address, mask and security context attributes.
 */
185 enum {
186 	NLBL_UNLABEL_A_UNSPEC,
187 	NLBL_UNLABEL_A_ACPTFLG,
188 	/* (NLA_U8)
189 	 * if true then unlabeled packets are allowed to pass, else unlabeled
190 	 * packets are rejected */
191 	NLBL_UNLABEL_A_IPV6ADDR,
192 	/* (NLA_BINARY, struct in6_addr)
193 	 * an IPv6 address */
194 	NLBL_UNLABEL_A_IPV6MASK,
195 	/* (NLA_BINARY, struct in6_addr)
196 	 * an IPv6 address mask */
197 	NLBL_UNLABEL_A_IPV4ADDR,
198 	/* (NLA_BINARY, struct in_addr)
199 	 * an IPv4 address */
200 	NLBL_UNLABEL_A_IPV4MASK,
201 	/* (NLA_BINARY, struct in_addr)
202 	 * an IPv4 address mask */
203 	NLBL_UNLABEL_A_IFACE,
204 	/* (NLA_NULL_STRING)
205 	 * network interface */
206 	NLBL_UNLABEL_A_SECCTX,
207 	/* (NLA_BINARY)
208 	 * an LSM specific security context */
209 	__NLBL_UNLABEL_A_MAX,
	/* by position: one more than the last attribute above */
210 };
/* Highest attribute number defined above; equals NLBL_UNLABEL_A_SECCTX. */
211 #define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
212 
213 /* NetLabel protocol functions */
/*
 * Initialisation entry point for the protocol side of the Unlabeled
 * subsystem; takes no arguments and returns an int status.
 * NOTE(review): presumably registers the handlers for the commands listed
 * above and returns zero on success, negative on failure - confirm against
 * the implementation.
 */
214 int netlbl_unlabel_genl_init(void);
215 
216 /* Unlabeled connection hash table size */
217 /* XXX - currently this number is an uneducated guess */
/*
 * NOTE(review): the name suggests this is a size in bits (2^7 = 128 buckets)
 * and that it is the value passed to netlbl_unlabel_init() - confirm at the
 * call site, which is not visible in this header.
 */
218 #define NETLBL_UNLHSH_BITSIZE       7
219 
220 /* General Unlabeled init function */
/*
 * @size: sizing parameter for the subsystem.
 * NOTE(review): presumably the hash table size expressed in bits (see
 * NETLBL_UNLHSH_BITSIZE); whether the implementation bounds this value
 * before allocating is not visible here - confirm.
 * Returns an int status; presumably zero on success, negative on failure.
 */
221 int netlbl_unlabel_init(u32 size);
222 
223 /* Static/Fallback label management functions */
/*
 * netlbl_unlhsh_add - add a static/fallback label entry
 * @net:        network namespace the entry applies to
 * @dev_name:   interface name; presumably NULL selects the default entry
 *              (STATICADDDEF carries no interface attribute) - confirm
 * @addr:       address bytes, untyped
 * @mask:       address mask bytes, untyped
 * @addr_len:   length in bytes of @addr and @mask; presumably
 *              sizeof(struct in_addr) or sizeof(struct in6_addr) - confirm
 * @secid:      security identifier to assign to matching traffic
 * @audit_info: audit information for the change
 *
 * NOTE(review): @addr and @mask are const void pointers, so the type system
 * does not tie them to @addr_len; callers must make sure both buffers hold
 * at least @addr_len bytes.  Whether the implementation rejects unexpected
 * lengths is not visible in this header.
 * Returns an int status; presumably zero on success, negative on failure.
 */
224 int netlbl_unlhsh_add(struct net *net,
225 		      const char *dev_name,
226 		      const void *addr,
227 		      const void *mask,
228 		      u32 addr_len,
229 		      u32 secid,
230 		      struct netlbl_audit *audit_info);
/*
 * netlbl_unlhsh_remove - remove a static/fallback label entry
 * @net:        network namespace the entry applies to
 * @dev_name:   interface name; presumably NULL selects the default entry
 *              (STATICREMOVEDEF carries no interface attribute) - confirm
 * @addr:       address bytes, untyped
 * @mask:       address mask bytes, untyped
 * @addr_len:   length in bytes of @addr and @mask; presumably
 *              sizeof(struct in_addr) or sizeof(struct in6_addr) - confirm
 * @audit_info: audit information for the change
 *
 * NOTE(review): as the pointers are untyped, callers must make sure @addr
 * and @mask each hold at least @addr_len bytes; validation inside the
 * implementation is not visible in this header.
 * Returns an int status; presumably zero on success, negative on failure.
 */
231 int netlbl_unlhsh_remove(struct net *net,
232 			 const char *dev_name,
233 			 const void *addr,
234 			 const void *mask,
235 			 u32 addr_len,
236 			 struct netlbl_audit *audit_info);
237 
238 /* Process Unlabeled incoming network packets */
/*
 * @skb:     the incoming packet; const, so it is not modified through this
 *           pointer
 * @family:  protocol family of the packet; presumably selects between the
 *           IPv4 and IPv6 static mappings - confirm
 * @secattr: security attributes structure; non-const, presumably filled in
 *           with the label chosen for the packet - confirm
 *
 * NOTE(review): per the ACCEPT description in this header, a packet that
 * matches no static mapping passes only when the accept flag is set; the
 * exact return value in the reject case is not visible here.
 */
239 int netlbl_unlabel_getattr(const struct sk_buff *skb,
240 			   u16 family,
241 			   struct netlbl_lsm_secattr *secattr);
242 
243 /* Set the default configuration to allow Unlabeled packets */
/*
 * NOTE(review): per the comment above, the default configuration accepts
 * unlabeled packets.  Systems that must reject unlabeled traffic have to
 * change the setting afterwards with the ACCEPT command described in this
 * header.  When this function is called is not visible here - confirm.
 * Returns an int status; presumably zero on success, negative on failure.
 */
244 int netlbl_unlabel_defconf(void);
245 
246 #endif
247