/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * NetLabel Unlabeled Support
 *
 * This file defines functions for dealing with unlabeled packets for the
 * NetLabel system.  The NetLabel system manages static and dynamic label
 * mappings for network protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */

#ifndef _NETLABEL_UNLABELED_H
#define _NETLABEL_UNLABELED_H

#include <net/netlabel.h>

/*
 * The following NetLabel payloads are supported by the Unlabeled subsystem.
 *
 * All of these are generic netlink messages originating in userspace; the
 * attribute values they carry are untrusted input and are validated by the
 * command handlers (which live in netlabel_unlabeled.c, not in this header).
 *
 * o STATICADD
 *   This message is sent from an application to add a new static label for
 *   incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVE
 *   This message is sent from an application to remove an existing static
 *   label for incoming unlabeled connections.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLIST message.  When sent by an
 *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_IFACE
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICADDDEF
 *   This message is sent from an application to set the default static
 *   label for incoming unlabeled connections.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICREMOVEDEF
 *   This message is sent from an application to remove the existing default
 *   static label for incoming unlabeled connections.
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o STATICLISTDEF
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated STATICLISTDEF message.  When sent by
 *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
 *
 *   Required attribute:
 *
 *     NLBL_UNLABEL_A_SECCTX
 *
 *   If IPv4 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV4ADDR
 *     NLBL_UNLABEL_A_IPV4MASK
 *
 *   If IPv6 is specified the following attributes are required:
 *
 *     NLBL_UNLABEL_A_IPV6ADDR
 *     NLBL_UNLABEL_A_IPV6MASK
 *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.
 *
 *   Security note: once the accept flag is set, a packet that matches no
 *   static mapping is no longer rejected, so the static table stops acting
 *   as an allow-list for unlabeled peers.  Changes to this flag are worth
 *   auditing (the handlers take a struct netlbl_audit, see below).
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 * o LIST
 *   This message can be sent either from an application or by the kernel in
 *   response to an application generated LIST message.  When sent by an
 *   application there is no payload.  The kernel should respond to a LIST
 *   message with a LIST message on success.
 *
 *   Required attributes:
 *
 *     NLBL_UNLABEL_A_ACPTFLG
 *
 */

/* NetLabel Unlabeled commands */
/* Command numbers are part of the generic netlink ABI: append new commands
 * before __NLBL_UNLABEL_C_MAX, never renumber existing ones. */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	NLBL_UNLABEL_C_ACCEPT,
	NLBL_UNLABEL_C_LIST,
	NLBL_UNLABEL_C_STATICADD,
	NLBL_UNLABEL_C_STATICREMOVE,
	NLBL_UNLABEL_C_STATICLIST,
	NLBL_UNLABEL_C_STATICADDDEF,
	NLBL_UNLABEL_C_STATICREMOVEDEF,
	NLBL_UNLABEL_C_STATICLISTDEF,
	__NLBL_UNLABEL_C_MAX,
};

/* NetLabel Unlabeled attributes */
/* Attribute numbers are ABI as well; the same append-only rule applies.
 * The types in parentheses describe the expected netlink payload; the
 * nla_policy that actually enforces them is in netlabel_unlabeled.c. */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask
	 * NOTE(review): NLA_BINARY carries only a maximum length; consumers
	 * are assumed to check the attribute is exactly sizeof(struct in6_addr)
	 * before copying it out -- confirm against the policy in the .c file */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask
	 * NOTE(review): same exact-length expectation as the IPv6 attributes,
	 * here sizeof(struct in_addr) -- confirm in the .c file */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context
	 * Opaque to NetLabel; presumably handed to the active LSM to translate
	 * into a secid, so its validation is the LSM's responsibility */
	__NLBL_UNLABEL_A_MAX,
};
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)

/* NetLabel protocol functions */
/* Register the Unlabeled generic netlink family and its command handlers. */
int netlbl_unlabel_genl_init(void);

/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/* Expressed in bits; presumably the table has 1 << NETLBL_UNLHSH_BITSIZE
 * buckets -- verify in netlbl_unlabel_init(). */
#define NETLBL_UNLHSH_BITSIZE 7

/* General Unlabeled init function */
/* @size: hash table size parameter (see NETLBL_UNLHSH_BITSIZE) */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions */
/*
 * netlbl_unlhsh_add - add a static label mapping for unlabeled traffic
 * @net: network namespace the mapping belongs to
 * @dev_name: interface name the mapping applies to
 * @addr: network address (IPv4 or IPv6, see @addr_len)
 * @mask: network mask of the same length as @addr
 * @addr_len: byte length of @addr and @mask; presumably this is what
 *            selects IPv4 versus IPv6 handling -- confirm in the .c file
 * @secid: LSM secid assigned to matching unlabeled packets
 * @audit_info: audit context so the (security-relevant) change is logged
 *
 * Returns zero on success, negative on failure (convention inferred from the
 * int return; confirm in the .c file).
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);
/*
 * netlbl_unlhsh_remove - remove a static label mapping
 * Parameters mirror netlbl_unlhsh_add() minus the secid; the mapping is
 * identified by namespace, interface, address and mask.
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);

/* Process Unlabeled incoming network packets */
/*
 * netlbl_unlabel_getattr - derive security attributes for an unlabeled packet
 * @skb: the incoming packet
 * @family: address family used to pick the IPv4 or IPv6 lookup
 * @secattr: filled in with the attributes from the matching static mapping
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
/* Security note: this turns on the permissive behaviour described under
 * ACCEPT above; callers should treat it as a policy decision, not a default
 * to reach for silently. */
int netlbl_unlabel_defconf(void);

#endif