1*4882a593Smuzhiyun /* SPDX-License-Identifier: GPL-2.0-or-later */ 2*4882a593Smuzhiyun /* 3*4882a593Smuzhiyun * NetLabel CIPSO/IPv4 Support 4*4882a593Smuzhiyun * 5*4882a593Smuzhiyun * This file defines the CIPSO/IPv4 functions for the NetLabel system. The 6*4882a593Smuzhiyun * NetLabel system manages static and dynamic label mappings for network 7*4882a593Smuzhiyun * protocols such as CIPSO and RIPSO. 8*4882a593Smuzhiyun * 9*4882a593Smuzhiyun * Author: Paul Moore <paul@paul-moore.com> 10*4882a593Smuzhiyun */ 11*4882a593Smuzhiyun 12*4882a593Smuzhiyun /* 13*4882a593Smuzhiyun * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 14*4882a593Smuzhiyun */ 15*4882a593Smuzhiyun 16*4882a593Smuzhiyun #ifndef _NETLABEL_CIPSO_V4 17*4882a593Smuzhiyun #define _NETLABEL_CIPSO_V4 18*4882a593Smuzhiyun 19*4882a593Smuzhiyun #include <net/netlabel.h> 20*4882a593Smuzhiyun 21*4882a593Smuzhiyun /* 22*4882a593Smuzhiyun * The following NetLabel payloads are supported by the CIPSO subsystem. 23*4882a593Smuzhiyun * 24*4882a593Smuzhiyun * o ADD: 25*4882a593Smuzhiyun * Sent by an application to add a new DOI mapping table. 26*4882a593Smuzhiyun * 27*4882a593Smuzhiyun * Required attributes: 28*4882a593Smuzhiyun * 29*4882a593Smuzhiyun * NLBL_CIPSOV4_A_DOI 30*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MTYPE 31*4882a593Smuzhiyun * NLBL_CIPSOV4_A_TAGLST 32*4882a593Smuzhiyun * 33*4882a593Smuzhiyun * If using CIPSO_V4_MAP_TRANS the following attributes are required: 34*4882a593Smuzhiyun * 35*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSLVLLST 36*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSCATLST 37*4882a593Smuzhiyun * 38*4882a593Smuzhiyun * If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes 39*4882a593Smuzhiyun * are required. 40*4882a593Smuzhiyun * 41*4882a593Smuzhiyun * o REMOVE: 42*4882a593Smuzhiyun * Sent by an application to remove a specific DOI mapping table from the 43*4882a593Smuzhiyun * CIPSO V4 system. 44*4882a593Smuzhiyun * 45*4882a593Smuzhiyun * Required attributes: 46*4882a593Smuzhiyun * 47*4882a593Smuzhiyun * NLBL_CIPSOV4_A_DOI 48*4882a593Smuzhiyun * 49*4882a593Smuzhiyun * o LIST: 50*4882a593Smuzhiyun * Sent by an application to list the details of a DOI definition. On 51*4882a593Smuzhiyun * success the kernel should send a response using the following format. 52*4882a593Smuzhiyun * 53*4882a593Smuzhiyun * Required attributes: 54*4882a593Smuzhiyun * 55*4882a593Smuzhiyun * NLBL_CIPSOV4_A_DOI 56*4882a593Smuzhiyun * 57*4882a593Smuzhiyun * The valid response message format depends on the type of the DOI mapping, 58*4882a593Smuzhiyun * the defined formats are shown below. 59*4882a593Smuzhiyun * 60*4882a593Smuzhiyun * Required attributes: 61*4882a593Smuzhiyun * 62*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MTYPE 63*4882a593Smuzhiyun * NLBL_CIPSOV4_A_TAGLST 64*4882a593Smuzhiyun * 65*4882a593Smuzhiyun * If using CIPSO_V4_MAP_TRANS the following attributes are required: 66*4882a593Smuzhiyun * 67*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSLVLLST 68*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSCATLST 69*4882a593Smuzhiyun * 70*4882a593Smuzhiyun * If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes 71*4882a593Smuzhiyun * are required. 72*4882a593Smuzhiyun * 73*4882a593Smuzhiyun * o LISTALL: 74*4882a593Smuzhiyun * This message is sent by an application to list the valid DOIs on the 75*4882a593Smuzhiyun * system. When sent by an application there is no payload and the 76*4882a593Smuzhiyun * NLM_F_DUMP flag should be set. The kernel should respond with a series of 77*4882a593Smuzhiyun * the following messages. 78*4882a593Smuzhiyun * 79*4882a593Smuzhiyun * Required attributes: 80*4882a593Smuzhiyun * 81*4882a593Smuzhiyun * NLBL_CIPSOV4_A_DOI 82*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MTYPE 83*4882a593Smuzhiyun * 84*4882a593Smuzhiyun */ 85*4882a593Smuzhiyun 86*4882a593Smuzhiyun /* NetLabel CIPSOv4 commands */ 87*4882a593Smuzhiyun enum { 88*4882a593Smuzhiyun NLBL_CIPSOV4_C_UNSPEC, 89*4882a593Smuzhiyun NLBL_CIPSOV4_C_ADD, 90*4882a593Smuzhiyun NLBL_CIPSOV4_C_REMOVE, 91*4882a593Smuzhiyun NLBL_CIPSOV4_C_LIST, 92*4882a593Smuzhiyun NLBL_CIPSOV4_C_LISTALL, 93*4882a593Smuzhiyun __NLBL_CIPSOV4_C_MAX, 94*4882a593Smuzhiyun }; 95*4882a593Smuzhiyun 96*4882a593Smuzhiyun /* NetLabel CIPSOv4 attributes */ 97*4882a593Smuzhiyun enum { 98*4882a593Smuzhiyun NLBL_CIPSOV4_A_UNSPEC, 99*4882a593Smuzhiyun NLBL_CIPSOV4_A_DOI, 100*4882a593Smuzhiyun /* (NLA_U32) 101*4882a593Smuzhiyun * the DOI value */ 102*4882a593Smuzhiyun NLBL_CIPSOV4_A_MTYPE, 103*4882a593Smuzhiyun /* (NLA_U32) 104*4882a593Smuzhiyun * the mapping table type (defined in the cipso_ipv4.h header as 105*4882a593Smuzhiyun * CIPSO_V4_MAP_*) */ 106*4882a593Smuzhiyun NLBL_CIPSOV4_A_TAG, 107*4882a593Smuzhiyun /* (NLA_U8) 108*4882a593Smuzhiyun * a CIPSO tag type, meant to be used within a NLBL_CIPSOV4_A_TAGLST 109*4882a593Smuzhiyun * attribute */ 110*4882a593Smuzhiyun NLBL_CIPSOV4_A_TAGLST, 111*4882a593Smuzhiyun /* (NLA_NESTED) 112*4882a593Smuzhiyun * the CIPSO tag list for the DOI, there must be at least one 113*4882a593Smuzhiyun * NLBL_CIPSOV4_A_TAG attribute, tags listed first are given higher 114*4882a593Smuzhiyun * priorirty when sending packets */ 115*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSLVLLOC, 116*4882a593Smuzhiyun /* (NLA_U32) 117*4882a593Smuzhiyun * the local MLS sensitivity level */ 118*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSLVLREM, 119*4882a593Smuzhiyun /* (NLA_U32) 120*4882a593Smuzhiyun * the remote MLS sensitivity level */ 121*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSLVL, 122*4882a593Smuzhiyun /* (NLA_NESTED) 123*4882a593Smuzhiyun * a MLS sensitivity level mapping, must contain only one attribute of 124*4882a593Smuzhiyun * each of the following types: NLBL_CIPSOV4_A_MLSLVLLOC and 125*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSLVLREM */ 126*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSLVLLST, 127*4882a593Smuzhiyun /* (NLA_NESTED) 128*4882a593Smuzhiyun * the CIPSO level mappings, there must be at least one 129*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSLVL attribute */ 130*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSCATLOC, 131*4882a593Smuzhiyun /* (NLA_U32) 132*4882a593Smuzhiyun * the local MLS category */ 133*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSCATREM, 134*4882a593Smuzhiyun /* (NLA_U32) 135*4882a593Smuzhiyun * the remote MLS category */ 136*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSCAT, 137*4882a593Smuzhiyun /* (NLA_NESTED) 138*4882a593Smuzhiyun * a MLS category mapping, must contain only one attribute of each of 139*4882a593Smuzhiyun * the following types: NLBL_CIPSOV4_A_MLSCATLOC and 140*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSCATREM */ 141*4882a593Smuzhiyun NLBL_CIPSOV4_A_MLSCATLST, 142*4882a593Smuzhiyun /* (NLA_NESTED) 143*4882a593Smuzhiyun * the CIPSO category mappings, there must be at least one 144*4882a593Smuzhiyun * NLBL_CIPSOV4_A_MLSCAT attribute */ 145*4882a593Smuzhiyun __NLBL_CIPSOV4_A_MAX, 146*4882a593Smuzhiyun }; 147*4882a593Smuzhiyun #define NLBL_CIPSOV4_A_MAX (__NLBL_CIPSOV4_A_MAX - 1) 148*4882a593Smuzhiyun 149*4882a593Smuzhiyun /* NetLabel protocol functions */ 150*4882a593Smuzhiyun int netlbl_cipsov4_genl_init(void); 151*4882a593Smuzhiyun 152*4882a593Smuzhiyun /* Free the memory associated with a CIPSOv4 DOI definition */ 153*4882a593Smuzhiyun void netlbl_cipsov4_doi_free(struct rcu_head *entry); 154*4882a593Smuzhiyun 155*4882a593Smuzhiyun #endif 156