Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
netlabel.h
Go to the documentation of this file.
1 /*
2  * NetLabel System
3  *
4  * The NetLabel system manages static and dynamic label mappings for network
5  * protocols such as CIPSO and RIPSO.
6  *
7  * Author: Paul Moore <[email protected]>
8  *
9  */
10 
11 /*
12  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
13  *
14  * This program is free software; you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License as published by
16  * the Free Software Foundation; either version 2 of the License, or
17  * (at your option) any later version.
18  *
19  * This program is distributed in the hope that it will be useful,
20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
22  * the GNU General Public License for more details.
23  *
24  * You should have received a copy of the GNU General Public License
25  * along with this program; if not, write to the Free Software
26  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27  *
28  */
29 
30 #ifndef _NETLABEL_H
31 #define _NETLABEL_H
32 
33 #include <linux/types.h>
34 #include <linux/slab.h>
35 #include <linux/net.h>
36 #include <linux/skbuff.h>
37 #include <linux/in.h>
38 #include <linux/in6.h>
39 #include <net/netlink.h>
40 #include <net/request_sock.h>
41 #include <linux/atomic.h>
42 
43 struct cipso_v4_doi;
44 
45 /*
46  * NetLabel - A management interface for maintaining network packet label
47  * mapping tables for explicit packet labling protocols.
48  *
49  * Network protocols such as CIPSO and RIPSO require a label translation layer
50  * to convert the label on the packet into something meaningful on the host
51  * machine. In the current Linux implementation these mapping tables live
52  * inside the kernel; NetLabel provides a mechanism for user space applications
53  * to manage these mapping tables.
54  *
55  * NetLabel makes use of the Generic NETLINK mechanism as a transport layer to
56  * send messages between kernel and user space. The general format of a
57  * NetLabel message is shown below:
58  *
59  * +-----------------+-------------------+--------- --- -- -
60  * | struct nlmsghdr | struct genlmsghdr | payload
61  * +-----------------+-------------------+--------- --- -- -
62  *
63  * The 'nlmsghdr' and 'genlmsghdr' structs should be dealt with like normal.
64  * The payload is dependent on the subsystem specified in the
65  * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
66  * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
67  * file. All of the fields in the NetLabel payload are NETLINK attributes, see
68  * the include/net/netlink.h file for more information on NETLINK attributes.
69  *
70  */
71 
72 /*
73  * NetLabel NETLINK protocol
74  */
75 
76 /* NetLabel NETLINK protocol version
77  * 1: initial version
78  * 2: added static labels for unlabeled connections
79  * 3: network selectors added to the NetLabel/LSM domain mapping and the
80  * CIPSO_V4_MAP_LOCAL CIPSO mapping was added
81  */
82 #define NETLBL_PROTO_VERSION 3
83 
84 /* NetLabel NETLINK types/families */
85 #define NETLBL_NLTYPE_NONE 0
86 #define NETLBL_NLTYPE_MGMT 1
87 #define NETLBL_NLTYPE_MGMT_NAME "NLBL_MGMT"
88 #define NETLBL_NLTYPE_RIPSO 2
89 #define NETLBL_NLTYPE_RIPSO_NAME "NLBL_RIPSO"
90 #define NETLBL_NLTYPE_CIPSOV4 3
91 #define NETLBL_NLTYPE_CIPSOV4_NAME "NLBL_CIPSOv4"
92 #define NETLBL_NLTYPE_CIPSOV6 4
93 #define NETLBL_NLTYPE_CIPSOV6_NAME "NLBL_CIPSOv6"
94 #define NETLBL_NLTYPE_UNLABELED 5
95 #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
96 #define NETLBL_NLTYPE_ADDRSELECT 6
97 #define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL"
98 
99 /*
100  * NetLabel - Kernel API for accessing the network packet label mappings.
101  *
102  * The following functions are provided for use by other kernel modules,
103  * specifically kernel LSM modules, to provide a consistent, transparent API
104  * for dealing with explicit packet labeling protocols such as CIPSO and
105  * RIPSO. The functions defined here are implemented in the
106  * net/netlabel/netlabel_kapi.c file.
107  *
108  */
109 
110 /* NetLabel audit information */
111 struct netlbl_audit {
112  u32 secid;
113  kuid_t loginuid;
114  u32 sessionid;
115 };
116 
117 /*
118  * LSM security attributes
119  */
120 
136 struct netlbl_lsm_cache {
137  atomic_t refcount;
138  void (*free) (const void *data);
139  void *data;
140 };
141 
160 #define NETLBL_CATMAP_MAPTYPE u64
161 #define NETLBL_CATMAP_MAPCNT 4
162 #define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
163 #define NETLBL_CATMAP_SIZE (NETLBL_CATMAP_MAPSIZE * \
164  NETLBL_CATMAP_MAPCNT)
165 #define NETLBL_CATMAP_BIT (NETLBL_CATMAP_MAPTYPE)0x01
166 struct netlbl_lsm_secattr_catmap {
167  u32 startbit;
168  NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
169  struct netlbl_lsm_secattr_catmap *next;
170 };
171 
192 struct netlbl_lsm_secattr {
193  u32 flags;
194  /* bitmap values for 'flags' */
195 #define NETLBL_SECATTR_NONE 0x00000000
196 #define NETLBL_SECATTR_DOMAIN 0x00000001
197 #define NETLBL_SECATTR_DOMAIN_CPY (NETLBL_SECATTR_DOMAIN | \
198  NETLBL_SECATTR_FREE_DOMAIN)
199 #define NETLBL_SECATTR_CACHE 0x00000002
200 #define NETLBL_SECATTR_MLS_LVL 0x00000004
201 #define NETLBL_SECATTR_MLS_CAT 0x00000008
202 #define NETLBL_SECATTR_SECID 0x00000010
203  /* bitmap meta-values for 'flags' */
204 #define NETLBL_SECATTR_FREE_DOMAIN 0x01000000
205 #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \
206  NETLBL_SECATTR_MLS_CAT | \
207  NETLBL_SECATTR_SECID)
208  u32 type;
209  char *domain;
210  struct netlbl_lsm_cache *cache;
211  struct {
212  struct {
213  struct netlbl_lsm_secattr_catmap *cat;
214  u32 lvl;
215  } mls;
216  u32 secid;
217  } attr;
218 };
219 
220 /*
221  * LSM security attribute operations (inline)
222  */
223 
233 static inline struct netlbl_lsm_cache *netlbl_secattr_cache_alloc(gfp_t flags)
234 {
235  struct netlbl_lsm_cache *cache;
236 
237  cache = kzalloc(sizeof(*cache), flags);
238  if (cache)
239  atomic_set(&cache->refcount, 1);
240  return cache;
241 }
242 
251 static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
252 {
253  if (!atomic_dec_and_test(&cache->refcount))
254  return;
255 
256  if (cache->free)
257  cache->free(cache->data);
258  kfree(cache);
259 }
260 
270 static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
271  gfp_t flags)
272 {
273  return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
274 }
275 
284 static inline void netlbl_secattr_catmap_free(
285  struct netlbl_lsm_secattr_catmap *catmap)
286 {
287  struct netlbl_lsm_secattr_catmap *iter;
288 
289  do {
290  iter = catmap;
291  catmap = catmap->next;
292  kfree(iter);
293  } while (catmap);
294 }
295 
304 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
305 {
306  memset(secattr, 0, sizeof(*secattr));
307 }
308 
318 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
319 {
320  if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN)
321  kfree(secattr->domain);
322  if (secattr->flags & NETLBL_SECATTR_CACHE)
323  netlbl_secattr_cache_free(secattr->cache);
324  if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
325  netlbl_secattr_catmap_free(secattr->attr.mls.cat);
326 }
327 
337 static inline struct netlbl_lsm_secattr *netlbl_secattr_alloc(gfp_t flags)
338 {
339  return kzalloc(sizeof(struct netlbl_lsm_secattr), flags);
340 }
341 
350 static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
351 {
352  netlbl_secattr_destroy(secattr);
353  kfree(secattr);
354 }
355 
356 #ifdef CONFIG_NETLABEL
357 /*
358  * LSM configuration operations
359  */
360 int netlbl_cfg_map_del(const char *domain,
361  u16 family,
362  const void *addr,
363  const void *mask,
364  struct netlbl_audit *audit_info);
365 int netlbl_cfg_unlbl_map_add(const char *domain,
366  u16 family,
367  const void *addr,
368  const void *mask,
369  struct netlbl_audit *audit_info);
370 int netlbl_cfg_unlbl_static_add(struct net *net,
371  const char *dev_name,
372  const void *addr,
373  const void *mask,
374  u16 family,
375  u32 secid,
376  struct netlbl_audit *audit_info);
377 int netlbl_cfg_unlbl_static_del(struct net *net,
378  const char *dev_name,
379  const void *addr,
380  const void *mask,
381  u16 family,
382  struct netlbl_audit *audit_info);
383 int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
384  struct netlbl_audit *audit_info);
385 void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
386 int netlbl_cfg_cipsov4_map_add(u32 doi,
387  const char *domain,
388  const struct in_addr *addr,
389  const struct in_addr *mask,
390  struct netlbl_audit *audit_info);
391 /*
392  * LSM security attribute operations
393  */
394 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
395  u32 offset);
396 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
397  u32 offset);
398 int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
399  u32 bit,
400  gfp_t flags);
401 int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
402  u32 start,
403  u32 end,
404  gfp_t flags);
405 
406 /*
407  * LSM protocol operations (NetLabel LSM/kernel API)
408  */
409 int netlbl_enabled(void);
410 int netlbl_sock_setattr(struct sock *sk,
411  u16 family,
412  const struct netlbl_lsm_secattr *secattr);
413 void netlbl_sock_delattr(struct sock *sk);
414 int netlbl_sock_getattr(struct sock *sk,
415  struct netlbl_lsm_secattr *secattr);
416 int netlbl_conn_setattr(struct sock *sk,
417  struct sockaddr *addr,
418  const struct netlbl_lsm_secattr *secattr);
419 int netlbl_req_setattr(struct request_sock *req,
420  const struct netlbl_lsm_secattr *secattr);
421 void netlbl_req_delattr(struct request_sock *req);
422 int netlbl_skbuff_setattr(struct sk_buff *skb,
423  u16 family,
424  const struct netlbl_lsm_secattr *secattr);
425 int netlbl_skbuff_getattr(const struct sk_buff *skb,
426  u16 family,
427  struct netlbl_lsm_secattr *secattr);
428 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
429 
430 /*
431  * LSM label mapping cache operations
432  */
433 void netlbl_cache_invalidate(void);
434 int netlbl_cache_add(const struct sk_buff *skb,
435  const struct netlbl_lsm_secattr *secattr);
436 
437 /*
438  * Protocol engine operations
439  */
440 struct audit_buffer *netlbl_audit_start(int type,
441  struct netlbl_audit *audit_info);
442 #else
443 static inline int netlbl_cfg_map_del(const char *domain,
444  u16 family,
445  const void *addr,
446  const void *mask,
447  struct netlbl_audit *audit_info)
448 {
449  return -ENOSYS;
450 }
451 static inline int netlbl_cfg_unlbl_map_add(const char *domain,
452  u16 family,
453  void *addr,
454  void *mask,
455  struct netlbl_audit *audit_info)
456 {
457  return -ENOSYS;
458 }
459 static inline int netlbl_cfg_unlbl_static_add(struct net *net,
460  const char *dev_name,
461  const void *addr,
462  const void *mask,
463  u16 family,
464  u32 secid,
465  struct netlbl_audit *audit_info)
466 {
467  return -ENOSYS;
468 }
469 static inline int netlbl_cfg_unlbl_static_del(struct net *net,
470  const char *dev_name,
471  const void *addr,
472  const void *mask,
473  u16 family,
474  struct netlbl_audit *audit_info)
475 {
476  return -ENOSYS;
477 }
478 static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
479  struct netlbl_audit *audit_info)
480 {
481  return -ENOSYS;
482 }
483 static inline void netlbl_cfg_cipsov4_del(u32 doi,
484  struct netlbl_audit *audit_info)
485 {
486  return;
487 }
488 static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
489  const char *domain,
490  const struct in_addr *addr,
491  const struct in_addr *mask,
492  struct netlbl_audit *audit_info)
493 {
494  return -ENOSYS;
495 }
496 static inline int netlbl_secattr_catmap_walk(
497  struct netlbl_lsm_secattr_catmap *catmap,
498  u32 offset)
499 {
500  return -ENOENT;
501 }
502 static inline int netlbl_secattr_catmap_walk_rng(
503  struct netlbl_lsm_secattr_catmap *catmap,
504  u32 offset)
505 {
506  return -ENOENT;
507 }
508 static inline int netlbl_secattr_catmap_setbit(
509  struct netlbl_lsm_secattr_catmap *catmap,
510  u32 bit,
511  gfp_t flags)
512 {
513  return 0;
514 }
515 static inline int netlbl_secattr_catmap_setrng(
516  struct netlbl_lsm_secattr_catmap *catmap,
517  u32 start,
518  u32 end,
519  gfp_t flags)
520 {
521  return 0;
522 }
523 static inline int netlbl_enabled(void)
524 {
525  return 0;
526 }
527 static inline int netlbl_sock_setattr(struct sock *sk,
528  u16 family,
529  const struct netlbl_lsm_secattr *secattr)
530 {
531  return -ENOSYS;
532 }
533 static inline void netlbl_sock_delattr(struct sock *sk)
534 {
535 }
536 static inline int netlbl_sock_getattr(struct sock *sk,
537  struct netlbl_lsm_secattr *secattr)
538 {
539  return -ENOSYS;
540 }
541 static inline int netlbl_conn_setattr(struct sock *sk,
542  struct sockaddr *addr,
543  const struct netlbl_lsm_secattr *secattr)
544 {
545  return -ENOSYS;
546 }
547 static inline int netlbl_req_setattr(struct request_sock *req,
548  const struct netlbl_lsm_secattr *secattr)
549 {
550  return -ENOSYS;
551 }
552 static inline void netlbl_req_delattr(struct request_sock *req)
553 {
554  return;
555 }
556 static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
557  u16 family,
558  const struct netlbl_lsm_secattr *secattr)
559 {
560  return -ENOSYS;
561 }
562 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
563  u16 family,
564  struct netlbl_lsm_secattr *secattr)
565 {
566  return -ENOSYS;
567 }
568 static inline void netlbl_skbuff_err(struct sk_buff *skb,
569  int error,
570  int gateway)
571 {
572  return;
573 }
574 static inline void netlbl_cache_invalidate(void)
575 {
576  return;
577 }
578 static inline int netlbl_cache_add(const struct sk_buff *skb,
579  const struct netlbl_lsm_secattr *secattr)
580 {
581  return 0;
582 }
583 static inline struct audit_buffer *netlbl_audit_start(int type,
584  struct netlbl_audit *audit_info)
585 {
586  return NULL;
587 }
588 #endif /* CONFIG_NETLABEL */
589 
590 #endif /* _NETLABEL_H */
Generated on Thu Jan 10 2013 14:53:12 for Linux Kernel by   doxygen 1.8.2