162306a36Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0-or-later */
262306a36Sopenharmony_ci/*
362306a36Sopenharmony_ci * NetLabel Unlabeled Support
462306a36Sopenharmony_ci *
562306a36Sopenharmony_ci * This file defines functions for dealing with unlabeled packets for the
662306a36Sopenharmony_ci * NetLabel system.  The NetLabel system manages static and dynamic label
762306a36Sopenharmony_ci * mappings for network protocols such as CIPSO and RIPSO.
862306a36Sopenharmony_ci *
962306a36Sopenharmony_ci * Author: Paul Moore <paul@paul-moore.com>
1062306a36Sopenharmony_ci */
1162306a36Sopenharmony_ci
1262306a36Sopenharmony_ci/*
1362306a36Sopenharmony_ci * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
1462306a36Sopenharmony_ci */
1562306a36Sopenharmony_ci
1662306a36Sopenharmony_ci#ifndef _NETLABEL_UNLABELED_H
1762306a36Sopenharmony_ci#define _NETLABEL_UNLABELED_H
1862306a36Sopenharmony_ci
1962306a36Sopenharmony_ci#include <net/netlabel.h>
2062306a36Sopenharmony_ci
2162306a36Sopenharmony_ci/*
2262306a36Sopenharmony_ci * The following NetLabel payloads are supported by the Unlabeled subsystem.
2362306a36Sopenharmony_ci *
2462306a36Sopenharmony_ci * o STATICADD
2562306a36Sopenharmony_ci *   This message is sent from an application to add a new static label for
2662306a36Sopenharmony_ci *   incoming unlabeled connections.
2762306a36Sopenharmony_ci *
2862306a36Sopenharmony_ci *   Required attributes:
2962306a36Sopenharmony_ci *
3062306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
3162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
3262306a36Sopenharmony_ci *
3362306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
3462306a36Sopenharmony_ci *
3562306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
3662306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
3762306a36Sopenharmony_ci *
3862306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
3962306a36Sopenharmony_ci *
4062306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
4162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
4262306a36Sopenharmony_ci *
4362306a36Sopenharmony_ci * o STATICREMOVE
4462306a36Sopenharmony_ci *   This message is sent from an application to remove an existing static
4562306a36Sopenharmony_ci *   label for incoming unlabeled connections.
4662306a36Sopenharmony_ci *
4762306a36Sopenharmony_ci *   Required attributes:
4862306a36Sopenharmony_ci *
4962306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
5062306a36Sopenharmony_ci *
5162306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
5262306a36Sopenharmony_ci *
5362306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
5462306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
5562306a36Sopenharmony_ci *
5662306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
5762306a36Sopenharmony_ci *
5862306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
5962306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
6062306a36Sopenharmony_ci *
6162306a36Sopenharmony_ci * o STATICLIST
6262306a36Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
6362306a36Sopenharmony_ci *   response to an application generated STATICLIST message.  When sent by an
6462306a36Sopenharmony_ci *   application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with a series of the following messages.
6662306a36Sopenharmony_ci *
6762306a36Sopenharmony_ci *   Required attributes:
6862306a36Sopenharmony_ci *
6962306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IFACE
7062306a36Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
7162306a36Sopenharmony_ci *
7262306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
7362306a36Sopenharmony_ci *
7462306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
7562306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
7662306a36Sopenharmony_ci *
7762306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
7862306a36Sopenharmony_ci *
7962306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
8062306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
8162306a36Sopenharmony_ci *
8262306a36Sopenharmony_ci * o STATICADDDEF
8362306a36Sopenharmony_ci *   This message is sent from an application to set the default static
8462306a36Sopenharmony_ci *   label for incoming unlabeled connections.
8562306a36Sopenharmony_ci *
8662306a36Sopenharmony_ci *   Required attribute:
8762306a36Sopenharmony_ci *
8862306a36Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
8962306a36Sopenharmony_ci *
9062306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
9162306a36Sopenharmony_ci *
9262306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
9362306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
9462306a36Sopenharmony_ci *
9562306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
9662306a36Sopenharmony_ci *
9762306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
9862306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
9962306a36Sopenharmony_ci *
10062306a36Sopenharmony_ci * o STATICREMOVEDEF
10162306a36Sopenharmony_ci *   This message is sent from an application to remove the existing default
10262306a36Sopenharmony_ci *   static label for incoming unlabeled connections.
10362306a36Sopenharmony_ci *
10462306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
10562306a36Sopenharmony_ci *
10662306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
10762306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
10862306a36Sopenharmony_ci *
10962306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
11062306a36Sopenharmony_ci *
11162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
11262306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
11362306a36Sopenharmony_ci *
11462306a36Sopenharmony_ci * o STATICLISTDEF
11562306a36Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
11662306a36Sopenharmony_ci *   response to an application generated STATICLISTDEF message.  When sent by
11762306a36Sopenharmony_ci *   an application there is no payload and the NLM_F_DUMP flag should be set.
 *   The kernel should respond with the following message.
11962306a36Sopenharmony_ci *
12062306a36Sopenharmony_ci *   Required attribute:
12162306a36Sopenharmony_ci *
12262306a36Sopenharmony_ci *     NLBL_UNLABEL_A_SECCTX
12362306a36Sopenharmony_ci *
12462306a36Sopenharmony_ci *   If IPv4 is specified the following attributes are required:
12562306a36Sopenharmony_ci *
12662306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4ADDR
12762306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV4MASK
12862306a36Sopenharmony_ci *
12962306a36Sopenharmony_ci *   If IPv6 is specified the following attributes are required:
13062306a36Sopenharmony_ci *
13162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6ADDR
13262306a36Sopenharmony_ci *     NLBL_UNLABEL_A_IPV6MASK
13362306a36Sopenharmony_ci *
13462306a36Sopenharmony_ci * o ACCEPT
13562306a36Sopenharmony_ci *   This message is sent from an application to specify if the kernel should
 *   allow unlabeled packets to pass if they do not match any of the static
13762306a36Sopenharmony_ci *   mappings defined in the unlabeled module.
13862306a36Sopenharmony_ci *
13962306a36Sopenharmony_ci *   Required attributes:
14062306a36Sopenharmony_ci *
14162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_ACPTFLG
14262306a36Sopenharmony_ci *
14362306a36Sopenharmony_ci * o LIST
14462306a36Sopenharmony_ci *   This message can be sent either from an application or by the kernel in
14562306a36Sopenharmony_ci *   response to an application generated LIST message.  When sent by an
14662306a36Sopenharmony_ci *   application there is no payload.  The kernel should respond to a LIST
14762306a36Sopenharmony_ci *   message with a LIST message on success.
14862306a36Sopenharmony_ci *
14962306a36Sopenharmony_ci *   Required attributes:
15062306a36Sopenharmony_ci *
15162306a36Sopenharmony_ci *     NLBL_UNLABEL_A_ACPTFLG
15262306a36Sopenharmony_ci *
15362306a36Sopenharmony_ci */
15462306a36Sopenharmony_ci
/*
 * NetLabel Unlabeled commands
 *
 * Command identifiers for the Unlabeled subsystem; apart from UNSPEC and the
 * trailing sentinel, each one names a message payload described in the
 * comment block of this header.  The values are spelled out and equal the
 * implicit sequential numbering.
 *
 * NOTE(review): these numbers are presumably part of the userspace-visible
 * protocol, so treat them as fixed - confirm before reordering or inserting.
 * NOTE(review): ACCEPT, STATICADD*, and STATICREMOVE* change how unlabeled
 * traffic is labeled or admitted; the privilege check for them is not visible
 * in this header - confirm it in the command table of the implementation.
 */
enum {
	NLBL_UNLABEL_C_UNSPEC          = 0,
	NLBL_UNLABEL_C_ACCEPT          = 1,
	NLBL_UNLABEL_C_LIST            = 2,
	NLBL_UNLABEL_C_STATICADD       = 3,
	NLBL_UNLABEL_C_STATICREMOVE    = 4,
	NLBL_UNLABEL_C_STATICLIST      = 5,
	NLBL_UNLABEL_C_STATICADDDEF    = 6,
	NLBL_UNLABEL_C_STATICREMOVEDEF = 7,
	NLBL_UNLABEL_C_STATICLISTDEF   = 8,
	/* sentinel: one more than the last command value */
	__NLBL_UNLABEL_C_MAX,
};
16862306a36Sopenharmony_ci
/*
 * NetLabel Unlabeled attributes
 *
 * Attribute identifiers carried in Unlabeled messages.  Each entry is
 * preceded by its attribute type and meaning.  The values are spelled out
 * and equal the implicit sequential numbering.
 */
enum {
	NLBL_UNLABEL_A_UNSPEC   = 0,

	/* (NLA_U8)
	 * if true then unlabeled packets are allowed to pass, else unlabeled
	 * packets are rejected; per the ACCEPT description this applies to
	 * packets that match none of the static mappings */
	NLBL_UNLABEL_A_ACPTFLG  = 1,

	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address */
	NLBL_UNLABEL_A_IPV6ADDR = 2,

	/* (NLA_BINARY, struct in6_addr)
	 * an IPv6 address mask */
	NLBL_UNLABEL_A_IPV6MASK = 3,

	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address */
	NLBL_UNLABEL_A_IPV4ADDR = 4,

	/* (NLA_BINARY, struct in_addr)
	 * an IPv4 address mask */
	NLBL_UNLABEL_A_IPV4MASK = 5,

	/* (NLA_NULL_STRING)
	 * network interface */
	NLBL_UNLABEL_A_IFACE    = 6,

	/* (NLA_BINARY)
	 * an LSM specific security context
	 * NOTE(review): nothing in this header bounds its length or content;
	 * presumably validated when it is converted by the LSM - confirm */
	NLBL_UNLABEL_A_SECCTX   = 7,

	/* sentinel: one more than the last attribute value */
	__NLBL_UNLABEL_A_MAX,
};

/* Highest valid attribute identifier (the sentinel minus one). */
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
19762306a36Sopenharmony_ci
/*
 * NetLabel protocol functions
 *
 * netlbl_unlabel_genl_init() - protocol-level init for the Unlabeled
 * component.  Takes no arguments and returns an int status.
 *
 * NOTE(review): presumably registers the message handlers for the commands
 * declared in this header and returns zero on success - confirm against the
 * definition.
 */
int netlbl_unlabel_genl_init(void);
20062306a36Sopenharmony_ci
/*
 * Unlabeled connection hash table size.
 * XXX - currently this number is an uneducated guess.
 * NOTE(review): the name suggests a bit count (2^7 buckets) rather than an
 * entry count - confirm against the code that consumes it.
 */
#define NETLBL_UNLHSH_BITSIZE 7
20462306a36Sopenharmony_ci
/*
 * netlbl_unlabel_init() - general init function for the Unlabeled component.
 * @size: sizing value supplied by the caller
 *
 * Returns an int status.
 *
 * NOTE(review): @size is presumably the hash table size in bits (see
 * NETLBL_UNLHSH_BITSIZE); an oversized value would drive a large allocation,
 * so confirm how the definition bounds it.
 */
int netlbl_unlabel_init(u32 size);
20762306a36Sopenharmony_ci
/*
 * Static/Fallback label management functions
 *
 * netlbl_unlhsh_add() - add a static/fallback label entry.
 * @net:        network namespace handle
 * @dev_name:   network interface name
 * @addr:       address, passed as an untyped buffer
 * @mask:       address mask, passed as an untyped buffer
 * @addr_len:   length associated with @addr and @mask
 * @secid:      security identifier to associate with the entry
 * @audit_info: NetLabel audit information
 *
 * Returns an int status.
 *
 * NOTE(review): @addr and @mask are type-erased, so memory safety rests on
 * @addr_len matching the real buffer size.  This header pairs the address
 * attributes with struct in_addr and struct in6_addr, so the definition
 * presumably accepts only those two sizes and rejects anything else before
 * reading the buffers - confirm.
 * NOTE(review): whether @dev_name may be NULL (no interface given, as in the
 * STATICADDDEF payload) is not visible here - confirm.
 */
int netlbl_unlhsh_add(struct net *net, const char *dev_name,
		      const void *addr, const void *mask,
		      u32 addr_len, u32 secid,
		      struct netlbl_audit *audit_info);
/*
 * netlbl_unlhsh_remove() - remove a static/fallback label entry.
 * @net:        network namespace handle
 * @dev_name:   network interface name
 * @addr:       address, passed as an untyped buffer
 * @mask:       address mask, passed as an untyped buffer
 * @addr_len:   length associated with @addr and @mask
 * @audit_info: NetLabel audit information
 *
 * Returns an int status.
 *
 * NOTE(review): as with netlbl_unlhsh_add(), @addr and @mask are type-erased
 * and @addr_len is the only size information; the definition presumably
 * validates it against the IPv4/IPv6 address sizes before reading the
 * buffers - confirm.
 */
int netlbl_unlhsh_remove(struct net *net, const char *dev_name,
			 const void *addr, const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info);
22262306a36Sopenharmony_ci
/*
 * netlbl_unlabel_getattr() - process an unlabeled incoming network packet.
 * @skb:     the packet; not modified through this pointer (const)
 * @family:  protocol family of the packet
 * @secattr: security attributes structure supplied by the caller
 *
 * Returns an int status.
 *
 * NOTE(review): presumably fills @secattr from the matching static mapping,
 * or according to the accept flag when nothing matches - confirm against the
 * definition.  Callers should treat a non-zero return as "no usable label"
 * rather than reading @secattr.
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb, u16 family,
			   struct netlbl_lsm_secattr *secattr);
22762306a36Sopenharmony_ci
/*
 * netlbl_unlabel_defconf() - set the default configuration to allow
 * Unlabeled packets.
 *
 * Takes no arguments and returns an int status.
 *
 * NOTE(review): as described, the default is permissive for unlabeled
 * traffic.  A system that must admit only labeled traffic presumably has to
 * clear the accept flag afterwards (see the ACCEPT message) - confirm when
 * this default is applied.
 */
int netlbl_unlabel_defconf(void);
23062306a36Sopenharmony_ci
23162306a36Sopenharmony_ci#endif