Linux Kernel
3.7.1
net
netlabel
netlabel_unlabeled.h
1
/*
2
* NetLabel Unlabeled Support
3
*
4
* This file defines functions for dealing with unlabeled packets for the
5
* NetLabel system. The NetLabel system manages static and dynamic label
6
* mappings for network protocols such as CIPSO and RIPSO.
7
*
8
* Author: Paul Moore <
[email protected]
>
9
*
10
*/
11
12
/*
13
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14
*
15
* This program is free software; you can redistribute it and/or modify
16
* it under the terms of the GNU General Public License as published by
17
* the Free Software Foundation; either version 2 of the License, or
18
* (at your option) any later version.
19
*
20
* This program is distributed in the hope that it will be useful,
21
* but WITHOUT ANY WARRANTY; without even the implied warranty of
22
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23
* the GNU General Public License for more details.
24
*
25
* You should have received a copy of the GNU General Public License
26
* along with this program; if not, write to the Free Software
27
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28
*
29
*/
30
31
#ifndef _NETLABEL_UNLABELED_H
32
#define _NETLABEL_UNLABELED_H
33
34
#include <
net/netlabel.h
>
35
36
/*
37
* The following NetLabel payloads are supported by the Unlabeled subsystem.
38
*
39
* o STATICADD
40
* This message is sent from an application to add a new static label for
41
* incoming unlabeled connections.
42
*
43
* Required attributes:
44
*
45
* NLBL_UNLABEL_A_IFACE
46
* NLBL_UNLABEL_A_SECCTX
47
*
48
* If IPv4 is specified the following attributes are required:
49
*
50
* NLBL_UNLABEL_A_IPV4ADDR
51
* NLBL_UNLABEL_A_IPV4MASK
52
*
53
* If IPv6 is specified the following attributes are required:
54
*
55
* NLBL_UNLABEL_A_IPV6ADDR
56
* NLBL_UNLABEL_A_IPV6MASK
57
*
58
* o STATICREMOVE
59
* This message is sent from an application to remove an existing static
60
* label for incoming unlabeled connections.
61
*
62
* Required attributes:
63
*
64
* NLBL_UNLABEL_A_IFACE
65
*
66
* If IPv4 is specified the following attributes are required:
67
*
68
* NLBL_UNLABEL_A_IPV4ADDR
69
* NLBL_UNLABEL_A_IPV4MASK
70
*
71
* If IPv6 is specified the following attributes are required:
72
*
73
* NLBL_UNLABEL_A_IPV6ADDR
74
* NLBL_UNLABEL_A_IPV6MASK
75
*
76
* o STATICLIST
77
* This message can be sent either from an application or by the kernel in
78
* response to an application generated STATICLIST message. When sent by an
79
* application there is no payload and the NLM_F_DUMP flag should be set.
80
* The kernel should respond with a series of the following messages.
81
*
82
* Required attributes:
83
*
84
* NLBL_UNLABEL_A_IFACE
85
* NLBL_UNLABEL_A_SECCTX
86
*
87
* If IPv4 is specified the following attributes are required:
88
*
89
* NLBL_UNLABEL_A_IPV4ADDR
90
* NLBL_UNLABEL_A_IPV4MASK
91
*
92
* If IPv6 is specified the following attributes are required:
93
*
94
* NLBL_UNLABEL_A_IPV6ADDR
95
* NLBL_UNLABEL_A_IPV6MASK
96
*
97
* o STATICADDDEF
98
* This message is sent from an application to set the default static
99
* label for incoming unlabeled connections.
100
*
101
* Required attribute:
102
*
103
* NLBL_UNLABEL_A_SECCTX
104
*
105
* If IPv4 is specified the following attributes are required:
106
*
107
* NLBL_UNLABEL_A_IPV4ADDR
108
* NLBL_UNLABEL_A_IPV4MASK
109
*
110
* If IPv6 is specified the following attributes are required:
111
*
112
* NLBL_UNLABEL_A_IPV6ADDR
113
* NLBL_UNLABEL_A_IPV6MASK
114
*
115
* o STATICREMOVEDEF
116
* This message is sent from an application to remove the existing default
117
* static label for incoming unlabeled connections.
118
*
119
* If IPv4 is specified the following attributes are required:
120
*
121
* NLBL_UNLABEL_A_IPV4ADDR
122
* NLBL_UNLABEL_A_IPV4MASK
123
*
124
* If IPv6 is specified the following attributes are required:
125
*
126
* NLBL_UNLABEL_A_IPV6ADDR
127
* NLBL_UNLABEL_A_IPV6MASK
128
*
129
* o STATICLISTDEF
130
* This message can be sent either from an application or by the kernel in
131
* response to an application generated STATICLISTDEF message. When sent by
132
* an application there is no payload and the NLM_F_DUMP flag should be set.
133
* The kernel should respond with the following message.
134
*
135
* Required attribute:
136
*
137
* NLBL_UNLABEL_A_SECCTX
138
*
139
* If IPv4 is specified the following attributes are required:
140
*
141
* NLBL_UNLABEL_A_IPV4ADDR
142
* NLBL_UNLABEL_A_IPV4MASK
143
*
144
* If IPv6 is specified the following attributes are required:
145
*
146
* NLBL_UNLABEL_A_IPV6ADDR
147
* NLBL_UNLABEL_A_IPV6MASK
148
*
149
* o ACCEPT
150
* This message is sent from an application to specify if the kernel should
151
* allow unlabeled packets to pass if they do not match any of the static
152
* mappings defined in the unlabeled module.
153
*
154
* Required attributes:
155
*
156
* NLBL_UNLABEL_A_ACPTFLG
157
*
158
* o LIST
159
* This message can be sent either from an application or by the kernel in
160
* response to an application generated LIST message. When sent by an
161
* application there is no payload. The kernel should respond to a LIST
162
* message with a LIST message on success.
163
*
164
* Required attributes:
165
*
166
* NLBL_UNLABEL_A_ACPTFLG
167
*
168
*/
169
170
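/*
 * NetLabel Unlabeled commands
 *
 * Each enumerator names one of the message types described in the payload
 * comment earlier in this file.  The values are implicit: UNSPEC is 0 and
 * every later entry is one higher.  Because applications send these
 * messages to the kernel, the numbering is presumably shared with
 * userspace; add new commands immediately before __NLBL_UNLABEL_C_MAX
 * rather than in the middle so existing numbers keep their meaning.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC,
	NLBL_UNLABEL_C_ACCEPT,		/* set the accept flag for unmatched unlabeled packets */
	NLBL_UNLABEL_C_LIST,		/* query / report the accept flag */
	NLBL_UNLABEL_C_STATICADD,	/* add a static label for an interface */
	NLBL_UNLABEL_C_STATICREMOVE,	/* remove a static label for an interface */
	NLBL_UNLABEL_C_STATICLIST,	/* dump the per-interface static labels */
	NLBL_UNLABEL_C_STATICADDDEF,	/* set the default static label */
	NLBL_UNLABEL_C_STATICREMOVEDEF,	/* remove the default static label */
	NLBL_UNLABEL_C_STATICLISTDEF,	/* report the default static label */
	__NLBL_UNLABEL_C_MAX,		/* sentinel: one past the last command */
};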
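/*
 * NetLabel Unlabeled attributes
 *
 * The comment after each enumerator gives the netlink attribute type it is
 * carried as.  Values are implicit, starting at 0 for UNSPEC; new
 * attributes belong immediately before __NLBL_UNLABEL_A_MAX so existing
 * numbers keep their meaning.
 *
 * NOTE(review): the address and mask attributes are NLA_BINARY, so their
 * length is chosen by the sender.  Presumably the receiving code checks
 * each against sizeof(struct in_addr) / sizeof(struct in6_addr) before
 * reading it as that struct - confirm in the message handlers.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC,
	NLBL_UNLABEL_A_ACPTFLG,
	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected */
	NLBL_UNLABEL_A_IPV6ADDR,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6MASK,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV4ADDR,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4MASK,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IFACE,
	/* (NLA_NULL_STRING)
	 * network interface */
	NLBL_UNLABEL_A_SECCTX,
	/* (NLA_BINARY)
	 * a LSM specific security context */
	__NLBL_UNLABEL_A_MAX,
	/* sentinel: one past the last attribute, not a real attribute */
};
/* Highest valid attribute number (the sentinel minus one). */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)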
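/* NetLabel protocol functions */

/*
 * netlbl_unlabel_genl_init - set up the protocol side of the unlabeled module
 *
 * Only the declaration is visible here.  The "genl" in the name suggests it
 * registers the NLBL_UNLABEL_C_* commands with generic netlink - confirm in
 * the implementation.  Returns an int status; the success/error convention
 * is not visible from this header.
 */
int netlbl_unlabel_genl_init(void);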
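/* Unlabeled connection hash table size */
/* XXX - currently this number is an uneducated guess */
/*
 * NOTE(review): the name suggests a bit count (a table of 1 << 7 = 128
 * buckets) rather than a bucket count - confirm where the value is passed
 * to netlbl_unlabel_init().
 */
#define NETLBL_UNLHSH_BITSIZE 7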
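/* General Unlabeled init function */

/*
 * netlbl_unlabel_init - initialise the unlabeled module
 * @size: presumably the hash table size, in the same units as
 *        NETLBL_UNLHSH_BITSIZE - confirm against the caller
 *
 * Returns an int status; the success/error convention is not visible from
 * this header.
 */
int netlbl_unlabel_init(u32 size);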
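/* Static/Fallback label management functions */

/*
 * netlbl_unlhsh_add - add a static/fallback label entry
 * @net:        network namespace
 * @dev_name:   network interface name; presumably NULL selects the default
 *              entry, matching the STATICADDDEF message which carries no
 *              interface attribute - confirm in the implementation
 * @addr:       address, untyped
 * @mask:       address mask, untyped
 * @addr_len:   length of @addr and @mask
 * @secid:      security identifier to attach to matching traffic
 * @audit_info: audit information for the change (TODO confirm how it is used)
 *
 * @addr and @mask are passed as const void * with a separate length, so
 * nothing in this prototype ties @addr_len to the size of the objects
 * behind the pointers.  The attribute list in this file describes IPv4
 * values as struct in_addr and IPv6 values as struct in6_addr; callers
 * should pass exactly one of those sizes, and the implementation should
 * reject any other length before reading through the pointers.
 *
 * Returns an int status; the success/error convention is not visible from
 * this header.
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info);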
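/*
 * netlbl_unlhsh_remove - remove a static/fallback label entry
 * @net:        network namespace
 * @dev_name:   network interface name; presumably NULL selects the default
 *              entry, matching the STATICREMOVEDEF message which carries no
 *              interface attribute - confirm in the implementation
 * @addr:       address, untyped
 * @mask:       address mask, untyped
 * @addr_len:   length of @addr and @mask
 * @audit_info: audit information for the change (TODO confirm how it is used)
 *
 * As with netlbl_unlhsh_add(), @addr and @mask are const void * with a
 * separate length: callers should pass sizeof(struct in_addr) or
 * sizeof(struct in6_addr), and the implementation should reject any other
 * length before reading through the pointers.
 *
 * Returns an int status; the success/error convention is not visible from
 * this header.
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);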
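/* Process Unlabeled incoming network packets */

/*
 * netlbl_unlabel_getattr - get security attributes for an unlabeled packet
 * @skb:     the incoming packet (read-only)
 * @family:  protocol family of the packet
 * @secattr: output security attributes
 *
 * Presumably this consults the static mappings and, when none matches, the
 * accept flag set through NLBL_UNLABEL_C_ACCEPT - confirm in the
 * implementation.  Callers should treat a failure return as "no label
 * available" and not use @secattr in that case.
 *
 * Returns an int status; the success/error convention is not visible from
 * this header.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr);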
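/* Set the default configuration to allow Unlabeled packets */

/*
 * netlbl_unlabel_defconf - install the default unlabeled configuration
 *
 * Per the comment above, the default allows unlabeled packets, i.e. it is
 * permissive.  A deployment that must reject unlabeled traffic has to clear
 * the accept flag afterwards (NLBL_UNLABEL_C_ACCEPT with
 * NLBL_UNLABEL_A_ACPTFLG false); until then, packets that match no static
 * mapping are presumably passed - confirm in the implementation.
 *
 * Returns an int status; the success/error convention is not visible from
 * this header.
 */
int netlbl_unlabel_defconf(void);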
#endif