18c2ecf20Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0-or-later */
28c2ecf20Sopenharmony_ci/*
38c2ecf20Sopenharmony_ci * NetLabel Unlabeled Support
48c2ecf20Sopenharmony_ci *
58c2ecf20Sopenharmony_ci * This file defines functions for dealing with unlabeled packets for the
68c2ecf20Sopenharmony_ci * NetLabel system.  The NetLabel system manages static and dynamic label
78c2ecf20Sopenharmony_ci * mappings for network protocols such as CIPSO and RIPSO.
88c2ecf20Sopenharmony_ci *
98c2ecf20Sopenharmony_ci * Author: Paul Moore <paul@paul-moore.com>
108c2ecf20Sopenharmony_ci */
118c2ecf20Sopenharmony_ci
128c2ecf20Sopenharmony_ci/*
138c2ecf20Sopenharmony_ci * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
148c2ecf20Sopenharmony_ci */
158c2ecf20Sopenharmony_ci
168c2ecf20Sopenharmony_ci#ifndef _NETLABEL_UNLABELED_H
178c2ecf20Sopenharmony_ci#define _NETLABEL_UNLABELED_H
188c2ecf20Sopenharmony_ci
198c2ecf20Sopenharmony_ci#include <net/netlabel.h>
208c2ecf20Sopenharmony_ci
218c2ecf20Sopenharmony_ci/*
228c2ecf20Sopenharmony_ci * The following NetLabel payloads are supported by the Unlabeled subsystem.
238c2ecf20Sopenharmony_ci *
248c2ecf20Sopenharmony_ci * o STATICADD
258c2ecf20Sopenharmony_ci *   This message is sent from an application to add a new static label for
268c2ecf20Sopenharmony_ci *   incoming unlabeled connections.
278c2ecf20Sopenharmony_ci *
288c2ecf20Sopenharmony_ci *   Required attributes:
298c2ecf20Sopenharmony_ci *
308c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
318c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
328c2ecf20Sopenharmony_ci *
338c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
348c2ecf20Sopenharmony_ci *
358c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
368c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
378c2ecf20Sopenharmony_ci *
388c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
398c2ecf20Sopenharmony_ci *
408c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
418c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
428c2ecf20Sopenharmony_ci *
438c2ecf20Sopenharmony_ci * o STATICREMOVE
448c2ecf20Sopenharmony_ci *   This message is sent from an application to remove an existing static
458c2ecf20Sopenharmony_ci *   label for incoming unlabeled connections.
468c2ecf20Sopenharmony_ci *
478c2ecf20Sopenharmony_ci *   Required attributes:
488c2ecf20Sopenharmony_ci *
498c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
508c2ecf20Sopenharmony_ci *
518c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
528c2ecf20Sopenharmony_ci *
538c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
548c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
558c2ecf20Sopenharmony_ci *
568c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
578c2ecf20Sopenharmony_ci *
588c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
598c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
608c2ecf20Sopenharmony_ci *
618c2ecf20Sopenharmony_ci * o STATICLIST
628c2ecf20Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
638c2ecf20Sopenharmony_ci *   response to an application generated STATICLIST message.  When sent by an
648c2ecf20Sopenharmony_ci *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
668c2ecf20Sopenharmony_ci *
678c2ecf20Sopenharmony_ci *   Required attributes:
688c2ecf20Sopenharmony_ci *
698c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
708c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
718c2ecf20Sopenharmony_ci *
728c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
738c2ecf20Sopenharmony_ci *
748c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
758c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
768c2ecf20Sopenharmony_ci *
778c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
788c2ecf20Sopenharmony_ci *
798c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
808c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
818c2ecf20Sopenharmony_ci *
828c2ecf20Sopenharmony_ci * o STATICADDDEF
838c2ecf20Sopenharmony_ci *   This message is sent from an application to set the default static
848c2ecf20Sopenharmony_ci *   label for incoming unlabeled connections.
858c2ecf20Sopenharmony_ci *
868c2ecf20Sopenharmony_ci *   Required attribute:
878c2ecf20Sopenharmony_ci *
888c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
898c2ecf20Sopenharmony_ci *
908c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
918c2ecf20Sopenharmony_ci *
928c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
938c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
948c2ecf20Sopenharmony_ci *
958c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
968c2ecf20Sopenharmony_ci *
978c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
988c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
998c2ecf20Sopenharmony_ci *
1008c2ecf20Sopenharmony_ci * o STATICREMOVEDEF
1018c2ecf20Sopenharmony_ci *   This message is sent from an application to remove the existing default
1028c2ecf20Sopenharmony_ci *   static label for incoming unlabeled connections.
1038c2ecf20Sopenharmony_ci *
1048c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
1058c2ecf20Sopenharmony_ci *
1068c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
1078c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
1088c2ecf20Sopenharmony_ci *
1098c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
1108c2ecf20Sopenharmony_ci *
1118c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
1128c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
1138c2ecf20Sopenharmony_ci *
1148c2ecf20Sopenharmony_ci * o STATICLISTDEF
1158c2ecf20Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
1168c2ecf20Sopenharmony_ci *   response to an application generated STATICLISTDEF message.  When sent by
1178c2ecf20Sopenharmony_ci *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
1198c2ecf20Sopenharmony_ci *
1208c2ecf20Sopenharmony_ci *   Required attribute:
1218c2ecf20Sopenharmony_ci *
1228c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
1238c2ecf20Sopenharmony_ci *
1248c2ecf20Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
1258c2ecf20Sopenharmony_ci *
1268c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
1278c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
1288c2ecf20Sopenharmony_ci *
1298c2ecf20Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
1308c2ecf20Sopenharmony_ci *
1318c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
1328c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
1338c2ecf20Sopenharmony_ci *
 * o ACCEPT
 *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
 *   mappings defined in the unlabeled module.  Turning the flag on admits
 *   traffic that would otherwise be rejected, so it is a single global policy
 *   switch (see NLBL_UNLABEL_A_ACPTFLG) rather than a per-connection setting.
1388c2ecf20Sopenharmony_ci *
1398c2ecf20Sopenharmony_ci *   Required attributes:
1408c2ecf20Sopenharmony_ci *
1418c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_ACPTFLG
1428c2ecf20Sopenharmony_ci *
1438c2ecf20Sopenharmony_ci * o LIST
1448c2ecf20Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
1458c2ecf20Sopenharmony_ci *   response to an application generated LIST message.  When sent by an
1468c2ecf20Sopenharmony_ci *   application there is no payload.  The kernel should respond to a LIST
1478c2ecf20Sopenharmony_ci *   message with a LIST message on success.
1488c2ecf20Sopenharmony_ci *
1498c2ecf20Sopenharmony_ci *   Required attributes:
1508c2ecf20Sopenharmony_ci *
1518c2ecf20Sopenharmony_ci *     NLBL_UNLABEL_A_ACPTFLG
1528c2ecf20Sopenharmony_ci *
1538c2ecf20Sopenharmony_ci */
1548c2ecf20Sopenharmony_ci
/*
 * NetLabel Unlabeled commands
 *
 * Generic netlink command numbers for the messages described above.  They
 * travel over the netlink socket between applications and the kernel, so they
 * are effectively ABI: add new commands before __NLBL_UNLABEL_C_MAX and never
 * renumber the existing ones (the explicit values make that contract visible).
 *
 * NOTE(review): the commands that change policy (ACCEPT, STATICADD*,
 * STATICREMOVE*) are expected to be restricted to privileged callers via the
 * genl ops flags on the .c side -- confirm that the restriction is in place,
 * since this header cannot show it.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC = 0,		/* placeholder, never sent */
	NLBL_UNLABEL_C_ACCEPT = 1,		/* set the accept flag */
	NLBL_UNLABEL_C_LIST = 2,		/* query the accept flag */
	NLBL_UNLABEL_C_STATICADD = 3,		/* add a per-interface static label */
	NLBL_UNLABEL_C_STATICREMOVE = 4,	/* remove a per-interface static label */
	NLBL_UNLABEL_C_STATICLIST = 5,		/* dump the per-interface static labels */
	NLBL_UNLABEL_C_STATICADDDEF = 6,	/* set the default static label */
	NLBL_UNLABEL_C_STATICREMOVEDEF = 7,	/* remove the default static label */
	NLBL_UNLABEL_C_STATICLISTDEF = 8,	/* dump the default static label */
	__NLBL_UNLABEL_C_MAX,			/* sentinel, not a command */
};
1688c2ecf20Sopenharmony_ci
/*
 * NetLabel Unlabeled attributes
 *
 * Generic netlink attribute identifiers carried by the commands above.  The
 * numeric values are exchanged with userspace, so append new attributes before
 * __NLBL_UNLABEL_A_MAX and never renumber existing ones.
 *
 * NOTE(review): the type in parentheses is the expected nla_policy type.  For
 * the NLA_BINARY address attributes a policy length only caps the maximum
 * size, so whoever reads them must check nla_len() == sizeof(struct in_addr)
 * or sizeof(struct in6_addr) before treating the payload as an address; that
 * check belongs on the .c side and should be confirmed there.
 */
enum {
	/* placeholder, never sent */
	NLBL_UNLABEL_A_UNSPEC = 0,
	/* (NLA_U8)
	 * non-zero: unlabeled packets that match no static mapping are allowed
	 * to pass; zero: such packets are rejected */
	NLBL_UNLABEL_A_ACPTFLG = 1,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6ADDR = 2,
	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask; always sent together with
	 * NLBL_UNLABEL_A_IPV6ADDR (see the message descriptions above) */
	NLBL_UNLABEL_A_IPV6MASK = 3,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4ADDR = 4,
	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask; always sent together with
	 * NLBL_UNLABEL_A_IPV4ADDR (see the message descriptions above) */
	NLBL_UNLABEL_A_IPV4MASK = 5,
	/* (NLA_NUL_STRING)
	 * network interface name; presumably bounded to IFNAMSIZ - 1 by the
	 * policy -- confirm on the .c side */
	NLBL_UNLABEL_A_IFACE = 6,
	/* (NLA_BINARY)
	 * an LSM specific security context; NLA_BINARY gives no terminator
	 * guarantee, so treat it as a length-delimited blob, not a C string */
	NLBL_UNLABEL_A_SECCTX = 7,
	/* sentinel: one past the last valid attribute */
	__NLBL_UNLABEL_A_MAX,
};
/* Highest valid attribute id (the conventional maxattr bound for parsing) */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
1978c2ecf20Sopenharmony_ci
/* NetLabel protocol functions */

/**
 * netlbl_unlabel_genl_init - register the Unlabeled generic netlink handlers
 *
 * Inferred from the name only; the registration itself is on the .c side.
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlabel_genl_init(void);
2008c2ecf20Sopenharmony_ci
/*
 * Unlabeled connection hash table size, expressed in bits (7 bits -> 128
 * buckets if used as a power-of-two bucket count).
 * XXX - currently this number is an uneducated guess
 */
#define NETLBL_UNLHSH_BITSIZE	7

/**
 * netlbl_unlabel_init - general Unlabeled subsystem initialization
 * @size: hash table size; presumably derived from NETLBL_UNLHSH_BITSIZE by
 *        the caller, but that is not visible from this header -- confirm
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlabel_init(u32 size);
2078c2ecf20Sopenharmony_ci
/* Static/Fallback label management functions */

/**
 * netlbl_unlhsh_add - add a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: interface name; presumably NULL selects the default
 *            (interface-less) entry, mirroring STATICADDDEF which carries no
 *            IFACE attribute -- confirm on the .c side
 * @addr: network address, IPv4 or IPv6
 * @mask: address mask, same length as @addr
 * @addr_len: byte length of @addr and @mask; presumably this is what selects
 *            the address family (sizeof(struct in_addr) vs
 *            sizeof(struct in6_addr)), so callers must validate it before
 *            handing in a buffer taken from an untrusted netlink attribute
 * @secid: LSM security identifier applied to matching unlabeled packets
 * @audit_info: audit context describing the requester
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlhsh_add(struct net *net, const char *dev_name,
		      const void *addr, const void *mask, u32 addr_len,
		      u32 secid, struct netlbl_audit *audit_info);

/**
 * netlbl_unlhsh_remove - remove a static/fallback label mapping
 * @net: network namespace the mapping belongs to
 * @dev_name: interface name; presumably NULL addresses the default entry, as
 *            for netlbl_unlhsh_add() -- confirm
 * @addr: network address, IPv4 or IPv6
 * @mask: address mask, same length as @addr
 * @addr_len: byte length of @addr and @mask (see netlbl_unlhsh_add())
 * @audit_info: audit context describing the requester
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlhsh_remove(struct net *net, const char *dev_name,
			 const void *addr, const void *mask, u32 addr_len,
			 struct netlbl_audit *audit_info);
2228c2ecf20Sopenharmony_ci
/* Process Unlabeled incoming network packets */

/**
 * netlbl_unlabel_getattr - derive security attributes for an unlabeled packet
 * @skb: the incoming packet
 * @family: address family of @skb (presumably AF_INET / AF_INET6 -- confirm)
 * @secattr: security attributes to fill in for the LSM
 *
 * Consults the static/fallback mappings managed by netlbl_unlhsh_add() to
 * populate @secattr; the lookup order lives on the .c side.
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb, u16 family,
			   struct netlbl_lsm_secattr *secattr);
2278c2ecf20Sopenharmony_ci
/* Set the default configuration to allow Unlabeled packets */

/**
 * netlbl_unlabel_defconf - install the default "accept unlabeled" policy
 *
 * Presumably has the same effect as an ACCEPT message with a non-zero
 * NLBL_UNLABEL_A_ACPTFLG (see the message descriptions above) -- confirm.
 *
 * Return: 0 on success, negative error code on failure (kernel convention,
 * assumed).
 */
int netlbl_unlabel_defconf(void);
2308c2ecf20Sopenharmony_ci
2318c2ecf20Sopenharmony_ci#endif
232