/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * NetLabel Unlabeled Support
 *
 * This file defines functions for dealing with unlabeled packets for the
 * NetLabel system.  The NetLabel system manages static and dynamic label
 * mappings for network protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */

#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H

#include <net/netlabel.h>

/*
 * The following NetLabel payloads are supported by the Unlabeled subsystem.
 *
 * All of these messages originate in userspace, so every attribute listed
 * below is untrusted input at the point it reaches the kernel; this header
 * only documents the expected shape of each message, the validation lives
 * with the command handlers.
 *
 * o STATICADD
 *   This message is sent from an application to add a new static label for
 *   incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVE
 *   This message is sent from an application to remove an existing static
 *   label for incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLIST message.  When sent by an
 *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICADDDEF
 *   This message is sent from an application to set the default static
 *   label for incoming unlabeled connections.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVEDEF
 *   This message is sent from an application to remove the existing default
 *   static label for incoming unlabeled connections.
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLISTDEF
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLISTDEF message.  When sent by
 *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 * o LIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated LIST message.  When sent by an
 *   application there is no payload.  The kernel should respond to a LIST
 *   message with a LIST message on success.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 */

/*
 * NetLabel Unlabeled commands
 *
 * Command identifiers for the messages described above.  __NLBL_UNLABEL_C_MAX
 * is a sentinel marking the end of the range, not a command.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	NLBL_UNLABEL_C_ACCEPT,
	NLBL_UNLABEL_C_LIST,
	NLBL_UNLABEL_C_STATICADD,
	NLBL_UNLABEL_C_STATICREMOVE,
	NLBL_UNLABEL_C_STATICLIST,
	NLBL_UNLABEL_C_STATICADDDEF,
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	NLBL_UNLABEL_C_STATICLISTDEF,
	__NLBL_UNLABEL_C_MAX,
};

/*
 * NetLabel Unlabeled attributes
 *
 * The netlink attribute type (and the fixed payload type, where there is
 * one) is noted beside each attribute.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected; this is the global switch for traffic that
	 * matches none of the static mappings (see ACCEPT above) */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	/* NOTE(review): the four address/mask attributes are NLA_BINARY, and
	 * an NLA_BINARY policy entry only caps the length; the handler must
	 * also check that nla_len() equals the struct size before copying the
	 * payload out -- confirm in the command handlers */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context; opaque to NetLabel itself and
	 * presumably handed to the LSM to resolve -- verify against the
	 * handlers */
	__NLBL_UNLABEL_A_MAX,
};
/* highest valid attribute id; __NLBL_UNLABEL_A_MAX is only a sentinel */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)

/* NetLabel protocol functions */
/* Registers the Unlabeled commands with NetLabel.  Presumably returns zero
 * on success and a negative value on failure, matching the rest of the
 * NetLabel API -- confirm in the definition. */
int netlbl_unlabel_genl_init(void);

/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* Expressed as a bit count rather than a bucket count; the table presumably
 * holds 1 << NETLBL_UNLHSH_BITSIZE buckets, so lookups degrade as the number
 * of static mappings grows past that -- confirm in netlbl_unlabel_init(). */
#define NETLBL_UNLHSH_BITSIZE 7

/* General Unlabeled init function */
/* @size: presumably the hash table bit size defined above, not a bucket
 * count -- confirm against the definition. */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions */
/*
 * netlbl_unlhsh_add - add a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name (NULL presumably selects the default
 *            entry, since STATICADDDEF carries no IFACE attribute -- confirm)
 * @addr: IPv4 or IPv6 address the mapping applies to
 * @mask: address mask paired with @addr
 * @addr_len: size in bytes of @addr and @mask; presumably how the address
 *            family is told apart -- confirm in the definition
 * @secid: LSM secid applied to unlabeled packets that match
 * @audit_info: audit context for the configuration change
 *
 * Presumably returns zero on success, negative values on failure (NetLabel
 * convention; confirm).
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);
/*
 * netlbl_unlhsh_remove - remove a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: network interface name (NULL presumably selects the default
 *            entry, as for netlbl_unlhsh_add() -- confirm)
 * @addr: IPv4 or IPv6 address of the mapping to remove
 * @mask: address mask paired with @addr
 * @addr_len: size in bytes of @addr and @mask
 * @audit_info: audit context for the configuration change
 *
 * Return convention as for netlbl_unlhsh_add() -- confirm.
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets */
/*
 * netlbl_unlabel_getattr - build the security attributes for an unlabeled
 *                          packet
 * @skb: the incoming packet
 * @family: address family of @skb (presumably AF_INET or AF_INET6)
 * @secattr: filled in with the label chosen for the packet
 *
 * An unlabeled packet carries no label of its own, so whatever ends up in
 * @secattr comes from the static/fallback configuration managed by this
 * header, never from the packet -- the lookup details are in the
 * definition.  Return convention as above; confirm.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
/* NOTE(review): this is the permissive setting of the ACPTFLG switch
 * described above; a deployment that wants unmatched unlabeled traffic
 * rejected must send an ACCEPT message with NLBL_UNLABEL_A_ACPTFLG cleared
 * afterwards -- nothing in this header enforces that. */
int netlbl_unlabel_defconf(void);

#endif /* _NETLABEL_UNLABELED_H */