      1/* SPDX-License-Identifier: GPL-2.0-or-later */
      2/*
      3 * NetLabel Unlabeled Support
      4 *
      5 * This file defines functions for dealing with unlabeled packets for the
      6 * NetLabel system.  The NetLabel system manages static and dynamic label
      7 * mappings for network protocols such as CIPSO and RIPSO.
      8 *
      9 * Author: Paul Moore <paul@paul-moore.com>
     10 */
     11
     12/*
     13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
     14 */
     15
     16#ifndef _NETLABEL_UNLABELED_H
     17#define _NETLABEL_UNLABELED_H
     18
     19#include <net/netlabel.h>
     20
     21/*
     22 * The following NetLabel payloads are supported by the Unlabeled subsystem.
     23 *
     24 * o STATICADD
     25 *   This message is sent from an application to add a new static label for
     26 *   incoming unlabeled connections.
     27 *
     28 *   Required attributes:
     29 *
     30 *     NLBL_UNLABEL_A_IFACE
     31 *     NLBL_UNLABEL_A_SECCTX
     32 *
     33 *   If IPv4 is specified the following attributes are required:
     34 *
     35 *     NLBL_UNLABEL_A_IPV4ADDR
     36 *     NLBL_UNLABEL_A_IPV4MASK
     37 *
     38 *   If IPv6 is specified the following attributes are required:
     39 *
     40 *     NLBL_UNLABEL_A_IPV6ADDR
     41 *     NLBL_UNLABEL_A_IPV6MASK
     42 *
     43 * o STATICREMOVE
     44 *   This message is sent from an application to remove an existing static
     45 *   label for incoming unlabeled connections.
     46 *
     47 *   Required attributes:
     48 *
     49 *     NLBL_UNLABEL_A_IFACE
     50 *
     51 *   If IPv4 is specified the following attributes are required:
     52 *
     53 *     NLBL_UNLABEL_A_IPV4ADDR
     54 *     NLBL_UNLABEL_A_IPV4MASK
     55 *
     56 *   If IPv6 is specified the following attributes are required:
     57 *
     58 *     NLBL_UNLABEL_A_IPV6ADDR
     59 *     NLBL_UNLABEL_A_IPV6MASK
     60 *
     61 * o STATICLIST
     62 *   This message can be sent either from an application or by the kernel in
     63 *   response to an application generated STATICLIST message.  When sent by an
     64 *   application there is no payload and the NLM_F_DUMP flag should be set.
     65 *   The kernel should respond with a series of the following messages.
     66 *
     67 *   Required attributes:
     68 *
     69 *     NLBL_UNLABEL_A_IFACE
     70 *     NLBL_UNLABEL_A_SECCTX
     71 *
     72 *   If IPv4 is specified the following attributes are required:
     73 *
     74 *     NLBL_UNLABEL_A_IPV4ADDR
     75 *     NLBL_UNLABEL_A_IPV4MASK
     76 *
     77 *   If IPv6 is specified the following attributes are required:
     78 *
     79 *     NLBL_UNLABEL_A_IPV6ADDR
     80 *     NLBL_UNLABEL_A_IPV6MASK
     81 *
     82 * o STATICADDDEF
     83 *   This message is sent from an application to set the default static
     84 *   label for incoming unlabeled connections.
     85 *
     86 *   Required attribute:
     87 *
     88 *     NLBL_UNLABEL_A_SECCTX
     89 *
     90 *   If IPv4 is specified the following attributes are required:
     91 *
     92 *     NLBL_UNLABEL_A_IPV4ADDR
     93 *     NLBL_UNLABEL_A_IPV4MASK
     94 *
     95 *   If IPv6 is specified the following attributes are required:
     96 *
     97 *     NLBL_UNLABEL_A_IPV6ADDR
     98 *     NLBL_UNLABEL_A_IPV6MASK
     99 *
    100 * o STATICREMOVEDEF
    101 *   This message is sent from an application to remove the existing default
    102 *   static label for incoming unlabeled connections.
    103 *
    104 *   If IPv4 is specified the following attributes are required:
    105 *
    106 *     NLBL_UNLABEL_A_IPV4ADDR
    107 *     NLBL_UNLABEL_A_IPV4MASK
    108 *
    109 *   If IPv6 is specified the following attributes are required:
    110 *
    111 *     NLBL_UNLABEL_A_IPV6ADDR
    112 *     NLBL_UNLABEL_A_IPV6MASK
    113 *
    114 * o STATICLISTDEF
    115 *   This message can be sent either from an application or by the kernel in
    116 *   response to an application generated STATICLISTDEF message.  When sent by
    117 *   an application there is no payload and the NLM_F_DUMP flag should be set.
    118 *   The kernel should respond with the following message.
    119 *
    120 *   Required attribute:
    121 *
    122 *     NLBL_UNLABEL_A_SECCTX
    123 *
    124 *   If IPv4 is specified the following attributes are required:
    125 *
    126 *     NLBL_UNLABEL_A_IPV4ADDR
    127 *     NLBL_UNLABEL_A_IPV4MASK
    128 *
    129 *   If IPv6 is specified the following attributes are required:
    130 *
    131 *     NLBL_UNLABEL_A_IPV6ADDR
    132 *     NLBL_UNLABEL_A_IPV6MASK
    133 *
    134 * o ACCEPT
    135 *   This message is sent from an application to specify if the kernel should
    136 *   allow unlabeled packets to pass if they do not match any of the static
    137 *   mappings defined in the unlabeled module.
    138 *
    139 *   Required attributes:
    140 *
    141 *     NLBL_UNLABEL_A_ACPTFLG
    142 *
    143 * o LIST
    144 *   This message can be sent either from an application or by the kernel in
    145 *   response to an application generated LIST message.  When sent by an
    146 *   application there is no payload.  The kernel should respond to a LIST
    147 *   message with a LIST message on success.
    148 *
    149 *   Required attributes:
    150 *
    151 *     NLBL_UNLABEL_A_ACPTFLG
    152 *
    153 */
    154
/*
 * NetLabel Unlabeled commands
 *
 * Generic Netlink command identifiers for the Unlabeled subsystem; the
 * payload expected with each command is described in the block comment
 * above.  These values are what an application puts on the wire, so treat
 * the numbering as a protocol contract: never renumber an existing command,
 * only append new ones ahead of the __NLBL_UNLABEL_C_MAX sentinel.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC = 0,
	NLBL_UNLABEL_C_ACCEPT = 1,
	NLBL_UNLABEL_C_LIST = 2,
	NLBL_UNLABEL_C_STATICADD = 3,
	NLBL_UNLABEL_C_STATICREMOVE = 4,
	NLBL_UNLABEL_C_STATICLIST = 5,
	NLBL_UNLABEL_C_STATICADDDEF = 6,
	NLBL_UNLABEL_C_STATICREMOVEDEF = 7,
	NLBL_UNLABEL_C_STATICLISTDEF = 8,
	/* sentinel: one past the highest valid command */
	__NLBL_UNLABEL_C_MAX,
};
    168
/*
 * NetLabel Unlabeled attributes
 *
 * Netlink attribute identifiers used in the payloads of the commands above.
 * The expected attribute type is given before each entry.  As with the
 * command ids, the numbering is exchanged with user space and must only be
 * extended by appending ahead of the __NLBL_UNLABEL_A_MAX sentinel.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC = 0,
	/* NLA_U8: non-zero lets unlabeled packets pass, zero rejects them */
	NLBL_UNLABEL_A_ACPTFLG = 1,
	/* NLA_BINARY, struct in6_addr: an IPv6 address */
	NLBL_UNLABEL_A_IPV6ADDR = 2,
	/* NLA_BINARY, struct in6_addr: an IPv6 address mask */
	NLBL_UNLABEL_A_IPV6MASK = 3,
	/* NLA_BINARY, struct in_addr: an IPv4 address */
	NLBL_UNLABEL_A_IPV4ADDR = 4,
	/* NLA_BINARY, struct in_addr: an IPv4 address mask */
	NLBL_UNLABEL_A_IPV4MASK = 5,
	/* NLA_NULL_STRING: network interface name */
	NLBL_UNLABEL_A_IFACE = 6,
	/*
	 * NLA_BINARY: an LSM specific security context.
	 * NOTE(review): NLA_BINARY carries no intrinsic length bound and the
	 * address/mask attributes above are only fixed-size by convention;
	 * the nla_policy that parses these messages is what has to enforce
	 * the lengths before the values are used -- confirm there.
	 */
	NLBL_UNLABEL_A_SECCTX = 7,
	/* sentinel: one past the highest valid attribute */
	__NLBL_UNLABEL_A_MAX,
};
/* highest valid attribute id */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
    197
/* NetLabel protocol functions */

/*
 * netlbl_unlabel_genl_init - Generic Netlink setup for the Unlabeled subsystem
 *
 * NOTE(review): presumably registers the handlers for the NLBL_UNLABEL_C_*
 * commands declared above; the return convention is not visible from this
 * header -- confirm against the definition.
 */
int netlbl_unlabel_genl_init(void);

/*
 * Unlabeled connection hash table size, expressed in bits.
 * XXX - currently this number is an uneducated guess
 */
#define NETLBL_UNLHSH_BITSIZE 7

/*
 * netlbl_unlabel_init - General Unlabeled init function
 * @size: NOTE(review): presumably the hash table size derived from
 *        NETLBL_UNLHSH_BITSIZE -- confirm against the caller.
 */
int netlbl_unlabel_init(u32 size);

/* Static/Fallback label management functions */

/*
 * netlbl_unlhsh_add - Add a static label for incoming unlabeled traffic
 * @net: network namespace the entry belongs to
 * @dev_name: name of the network interface the entry applies to
 * @addr: network address of the entry
 * @mask: address mask applied to @addr
 * @addr_len: length of @addr and @mask; NOTE(review): presumably this is
 *            what selects IPv4 vs IPv6 -- confirm in the definition
 * @secid: LSM security id to assign to matching packets
 * @audit_info: audit information describing the requesting task
 */
int netlbl_unlhsh_add(struct net *net, const char *dev_name,
		      const void *addr, const void *mask, u32 addr_len,
		      u32 secid, struct netlbl_audit *audit_info);

/*
 * netlbl_unlhsh_remove - Remove a static label entry
 * @net: network namespace the entry belongs to
 * @dev_name: name of the network interface the entry applies to
 * @addr: network address of the entry
 * @mask: address mask applied to @addr
 * @addr_len: length of @addr and @mask
 * @audit_info: audit information describing the requesting task
 */
int netlbl_unlhsh_remove(struct net *net, const char *dev_name,
			 const void *addr, const void *mask, u32 addr_len,
			 struct netlbl_audit *audit_info);

/*
 * netlbl_unlabel_getattr - Process Unlabeled incoming network packets
 * @skb: the packet
 * @family: address family of the packet
 * @secattr: security attributes to fill in for the packet
 *
 * NOTE(review): this runs on inbound traffic, so everything in @skb is
 * untrusted; whatever fields the lookup keys on must be validated for
 * @family before they are read -- confirm in the definition.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb, u16 family,
			   struct netlbl_lsm_secattr *secattr);

/* Set the default configuration to allow Unlabeled packets */
int netlbl_unlabel_defconf(void);
    230
    231#endif