1 | /* |
2 | * CIPSO - Commercial IP Security Option |
3 | * |
4 | * This is an implementation of the CIPSO 2.2 protocol as specified in |
5 | * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in |
6 | * FIPS-188, copies of both documents can be found in the Documentation |
7 | * directory. While CIPSO never became a full IETF RFC standard many vendors |
8 | * have chosen to adopt the protocol and over the years it has become a |
9 | * de-facto standard for labeled networking. |
10 | * |
11 | * Author: Paul Moore <paul.moore@hp.com> |
12 | * |
13 | */ |
14 | |
15 | /* |
16 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 |
17 | * |
18 | * This program is free software; you can redistribute it and/or modify |
19 | * it under the terms of the GNU General Public License as published by |
20 | * the Free Software Foundation; either version 2 of the License, or |
21 | * (at your option) any later version. |
22 | * |
23 | * This program is distributed in the hope that it will be useful, |
24 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
25 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See |
26 | * the GNU General Public License for more details. |
27 | * |
28 | * You should have received a copy of the GNU General Public License |
29 | * along with this program; if not, write to the Free Software |
30 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
31 | * |
32 | */ |
33 | |
34 | #ifndef _CIPSO_IPV4_H |
35 | #define _CIPSO_IPV4_H |
36 | |
37 | #include <linux/types.h> |
38 | #include <linux/rcupdate.h> |
39 | #include <linux/list.h> |
40 | #include <linux/net.h> |
41 | #include <linux/skbuff.h> |
42 | #include <net/netlabel.h> |
43 | #include <net/request_sock.h> |
44 | #include <asm/atomic.h> |
45 | |
/* known doi values */
/* 0 is reserved to mean "no DOI / unknown DOI"; a registered definition is
 * presumably required to carry a non-zero DOI (enforced by the
 * implementation, not by this header - confirm in cipso_v4_doi_add()). */
#define CIPSO_V4_DOI_UNKNOWN		0x00000000

/* standard tag types */
/* Tag type values as used on the wire in the CIPSO option.  Values 3 and 4
 * are intentionally absent here; only the types listed below are handled.
 * The names follow the draft / FIPS-188 tag names (restrictive bitmap,
 * enumerated, ranges, permissive bitmap, free form). */
#define CIPSO_V4_TAG_INVALID		0	/* never valid on the wire */
#define CIPSO_V4_TAG_RBITMAP		1
#define CIPSO_V4_TAG_ENUM		2
#define CIPSO_V4_TAG_RANGE		5
#define CIPSO_V4_TAG_PBITMAP		6
#define CIPSO_V4_TAG_FREEFORM		7

/* non-standard tag types (tags > 127) */
/* Tag types 128-255 are outside the draft; CIPSO_V4_TAG_LOCAL is the
 * Linux-specific one (presumably paired with CIPSO_V4_MAP_LOCAL below). */
#define CIPSO_V4_TAG_LOCAL		128

/* doi mapping types */
/* How a DOI translates between on-the-wire and local (LSM) labels; stored
 * in cipso_v4_doi.type and must be checked before trusting the map union. */
#define CIPSO_V4_MAP_UNKNOWN		0
#define CIPSO_V4_MAP_TRANS		1	/* translate via cipso_v4_std_map_tbl */
#define CIPSO_V4_MAP_PASS		2	/* pass values through unchanged - name only; confirm */
#define CIPSO_V4_MAP_LOCAL		3	/* local-only labels (CIPSO_V4_TAG_LOCAL) - name only; confirm */

/* limits */
/* Remote (on-the-wire) values are bounded by what the tag encodings can
 * carry; local values are bounded by the 'invalid' flag bit (0x80000000)
 * that the standard mapping table uses to mark an unmapped entry, so a
 * valid local level/category never has its top bit set.  Any value read
 * from a packet or from userspace should be compared against the matching
 * *_MAX_* before it is used as an index into a mapping table. */
#define CIPSO_V4_MAX_REM_LVLS		255	/* presumably one octet on the wire - confirm in the tag parsers */
#define CIPSO_V4_INV_LVL		0x80000000	/* 'invalid level' marker / flag bit */
#define CIPSO_V4_MAX_LOC_LVLS		(CIPSO_V4_INV_LVL - 1)	/* largest level without the flag bit */
#define CIPSO_V4_MAX_REM_CATS		65534	/* 16-bit category space less one - presumably reserved; confirm */
#define CIPSO_V4_INV_CAT		0x80000000	/* 'invalid category' marker / flag bit */
#define CIPSO_V4_MAX_LOC_CATS		(CIPSO_V4_INV_CAT - 1)	/* largest category without the flag bit */
73 | |
74 | /* |
75 | * CIPSO DOI definitions |
76 | */ |
77 | |
/* DOI definition struct */
/* Upper bound on the tag types one DOI definition may list.  tags[] below
 * is a fixed-size array, so whatever fills it (presumably the NetLabel
 * netlink configuration path) must bound its input to this count first. */
#define CIPSO_V4_TAG_MAXCNT 5
struct cipso_v4_doi {
	u32 doi;		/* DOI value; CIPSO_V4_DOI_UNKNOWN (0) is reserved */
	u32 type;		/* one of CIPSO_V4_MAP_*; check before using .map */
	union {
		/* only meaningful when type == CIPSO_V4_MAP_TRANS - presumably; confirm */
		struct cipso_v4_std_map_tbl *std;
	} map;
	u8 tags[CIPSO_V4_TAG_MAXCNT];	/* CIPSO_V4_TAG_* values accepted for this DOI;
					 * the list is presumably terminated by
					 * CIPSO_V4_TAG_INVALID (0) - confirm */

	atomic_t refcount;	/* presumably taken by cipso_v4_doi_getdef() and
				 * released by cipso_v4_doi_putdef() - confirm */
	struct list_head list;	/* membership in the DOI list that cipso_v4_doi_walk() iterates */
	struct rcu_head rcu;	/* for deferring the free until RCU readers are done */
};
92 | |
/* Standard CIPSO mapping table */
/* NOTE: the highest order bit (i.e. 0x80000000) is an 'invalid' flag, if the
 * bit is set then consider that value as unspecified, meaning the
 * mapping for that particular level/category is invalid */
/* Each direction is a flat array indexed by the source value: cipso[] is
 * presumably indexed by the on-the-wire level/category and yields the local
 * value, local[] the reverse.  The *_size fields are u32 entry counts (not
 * byte counts - inferred from the types; confirm against the allocator).
 * Every lookup must compare its index against the matching *_size first:
 * the remote index comes straight from the packet, so an unchecked lookup
 * is an out-of-bounds read steered by untrusted data. */
struct cipso_v4_std_map_tbl {
	struct {
		u32 *cipso;		/* remote level -> local level, or CIPSO_V4_INV_LVL */
		u32 *local;		/* local level -> remote level, or CIPSO_V4_INV_LVL */
		u32 cipso_size;		/* number of entries in cipso[] */
		u32 local_size;		/* number of entries in local[] */
	} lvl;
	struct {
		u32 *cipso;		/* remote category -> local category, or CIPSO_V4_INV_CAT */
		u32 *local;		/* local category -> remote category, or CIPSO_V4_INV_CAT */
		u32 cipso_size;		/* number of entries in cipso[] */
		u32 local_size;		/* number of entries in local[] */
	} cat;
};
111 | |
112 | /* |
113 | * Sysctl Variables |
114 | */ |
115 | |
#ifdef CONFIG_NETLABEL
/* Tunables exposed through sysctl; the definitions live in the CIPSO
 * implementation and are only present when NetLabel is built in.  The
 * meanings below are taken from the names only - confirm against the
 * sysctl table and its documentation. */
extern int cipso_v4_cache_enabled;	/* non-zero: use the label mapping cache */
extern int cipso_v4_cache_bucketsize;	/* entries kept per cache bucket */
extern int cipso_v4_rbm_optfmt;		/* restricted-bitmap option formatting */
extern int cipso_v4_rbm_strictvalid;	/* strict validation of restricted-bitmap tags */
#endif
122 | |
123 | /* |
124 | * Helper Functions |
125 | */ |
126 | |
/* True when a CIPSO option has been recorded on skb @x: IPCB(x)->opt.cipso
 * holds the option's offset from the network header and 0 means "none"
 * (it is presumably filled in by the IP options parser - confirm). */
#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
/* Pointer to the first byte of the CIPSO option in skb @x.  Only meaningful
 * when CIPSO_V4_OPTEXIST(x) is true - with opt.cipso == 0 this points at the
 * IP header itself.  No length or bounds check happens here; callers rely
 * on the option having been validated when the offset was recorded. */
#define CIPSO_V4_OPTPTR(x) (skb_network_header(x) + IPCB(x)->opt.cipso)
129 | |
130 | /* |
131 | * DOI List Functions |
132 | */ |
133 | |
134 | #ifdef CONFIG_NETLABEL |
/* Register a DOI definition; @audit_info identifies the requester for the
 * audit record.  Return convention (0 / negative errno) is not visible
 * here - see the implementation. */
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
		     struct netlbl_audit *audit_info);
/* Release a DOI definition and whatever mapping tables it owns. */
void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
/* Remove the DOI definition identified by @doi. */
int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
/* Look up the definition for @doi (NULL if none); every successful getdef
 * must be paired with cipso_v4_doi_putdef(), which presumably drops the
 * refcount in struct cipso_v4_doi - confirm. */
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def);
/* Iterate the DOI list, presumably skipping the first *skip_cnt entries,
 * invoking @callback(doi_def, @cb_arg) for each remaining definition.
 * NOTE: no cipso_v4_doi_domhsh_* prototypes exist in this branch even
 * though the !CONFIG_NETLABEL branch below provides stubs for them. */
int cipso_v4_doi_walk(u32 *skip_cnt,
		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
		     void *cb_arg);
144 | #else |
/* NetLabel disabled: DOI registration is not available, so every request
 * is refused with -ENOSYS. */
static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
				   struct netlbl_audit *audit_info)
{
	(void)doi_def;
	(void)audit_info;
	return -ENOSYS;
}
150 | |
/* NetLabel disabled: no DOI definition can exist, so there is nothing to
 * release. */
static inline void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
{
	(void)doi_def;
}
155 | |
/* NetLabel disabled: reports success because there is never a DOI to
 * remove.  Note the asymmetry with cipso_v4_doi_add(), which fails with
 * -ENOSYS in the same configuration. */
static inline int cipso_v4_doi_remove(u32 doi,
				      struct netlbl_audit *audit_info)
{
	(void)doi;
	(void)audit_info;
	return 0;
}
161 | |
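/* NetLabel disabled: no DOI definitions exist, so every lookup fails. */
static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
{
	(void)doi;
	return NULL;
}

/* NetLabel disabled: counterpart of the stub above.  The CONFIG_NETLABEL
 * branch declares cipso_v4_doi_putdef() but this branch provided no stub,
 * so code pairing getdef()/putdef() without NetLabel would fail to link.
 * Accept (and ignore) the NULL that the stub getdef() hands back. */
static inline void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
{
	(void)doi_def;
}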
166 | |
/* NetLabel disabled: the DOI list is empty, so the walk succeeds at once;
 * @callback is never invoked and *skip_cnt is left untouched. */
static inline int cipso_v4_doi_walk(u32 *skip_cnt,
		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
		     void *cb_arg)
{
	(void)skip_cnt;
	(void)callback;
	(void)cb_arg;
	return 0;
}
173 | |
/* NetLabel disabled stub.  NOTE: the CONFIG_NETLABEL branch declares no
 * cipso_v4_doi_domhsh_add() at all, so this function only exists in builds
 * without NetLabel - it looks like a leftover of an earlier interface. */
static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
					  const char *domain)
{
	(void)doi_def;
	(void)domain;
	return -ENOSYS;
}
179 | |
/* NetLabel disabled stub; reports success since no domain mapping can be
 * registered.  NOTE: like cipso_v4_doi_domhsh_add(), there is no matching
 * prototype in the CONFIG_NETLABEL branch. */
static inline int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
					     const char *domain)
{
	(void)doi_def;
	(void)domain;
	return 0;
}
185 | #endif /* CONFIG_NETLABEL */ |
186 | |
187 | /* |
188 | * Label Mapping Cache Functions |
189 | */ |
190 | |
191 | #ifdef CONFIG_NETLABEL |
/* Drop every entry in the label mapping cache.  Should be called whenever a
 * DOI definition or its mapping tables change, otherwise a cached
 * packet->label result computed under the old definition could be reused
 * (presumably done by the DOI add/remove paths - confirm). */
void cipso_v4_cache_invalidate(void);
/* Record @secattr as the label for the CIPSO option carried by @skb so the
 * next packet with the same option can skip the full translation. */
int cipso_v4_cache_add(const struct sk_buff *skb,
		       const struct netlbl_lsm_secattr *secattr);
195 | #else |
/* NetLabel disabled: there is no label mapping cache to flush. */
static inline void cipso_v4_cache_invalidate(void)
{
}
200 | |
/* NetLabel disabled: nothing is cached; reports success so callers treat a
 * missing cache as a harmless no-op rather than an error. */
static inline int cipso_v4_cache_add(const struct sk_buff *skb,
				     const struct netlbl_lsm_secattr *secattr)
{
	(void)skb;
	(void)secattr;
	return 0;
}
206 | #endif /* CONFIG_NETLABEL */ |
207 | |
208 | /* |
209 | * Protocol Handling Functions |
210 | */ |
211 | |
212 | #ifdef CONFIG_NETLABEL |
/* Report an error for a packet carrying a bad CIPSO option (presumably by
 * sending the matching ICMP error towards the sender - confirm). */
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
/* Attach the CIPSO option that encodes @secattr under @doi_def to socket
 * @sk; outgoing packets then carry that label. */
int cipso_v4_sock_setattr(struct sock *sk,
			  const struct cipso_v4_doi *doi_def,
			  const struct netlbl_lsm_secattr *secattr);
/* Strip any CIPSO option from socket @sk. */
void cipso_v4_sock_delattr(struct sock *sk);
/* Translate the CIPSO option on socket @sk back into @secattr. */
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
/* Same as the sock_* pair, for a connection request (request_sock) that has
 * no full socket yet. */
int cipso_v4_req_setattr(struct request_sock *req,
			 const struct cipso_v4_doi *doi_def,
			 const struct netlbl_lsm_secattr *secattr);
void cipso_v4_req_delattr(struct request_sock *req);
/* Same as the sock_* group, operating directly on a packet buffer. */
int cipso_v4_skbuff_setattr(struct sk_buff *skb,
			    const struct cipso_v4_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_delattr(struct sk_buff *skb);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
			    struct netlbl_lsm_secattr *secattr);
/* Validate the CIPSO option at *@option in @skb (lengths, DOI, tag types).
 * This is the only check applied to option bytes coming off the wire
 * before the other functions in this file parse them, so it must reject
 * anything it cannot fully account for.  The double pointer suggests that
 * on failure *@option is moved to the offending byte (e.g. for an ICMP
 * parameter-problem pointer) - inferred; confirm in the implementation.
 * Returns 0 on success, non-zero on failure. */
int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
230 | #else |
/* NetLabel disabled: no CIPSO-specific error reporting is done. */
static inline void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
{
	(void)skb;
	(void)error;
	(void)gateway;
}
237 | |
/* NetLabel disabled: a socket cannot be labeled, so the request is refused
 * with -ENOSYS rather than silently sending unlabeled traffic. */
static inline int cipso_v4_sock_setattr(struct sock *sk,
					const struct cipso_v4_doi *doi_def,
					const struct netlbl_lsm_secattr *secattr)
{
	(void)sk;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}
244 | |
/* NetLabel disabled: sockets never carry a CIPSO option, nothing to strip. */
static inline void cipso_v4_sock_delattr(struct sock *sk)
{
	(void)sk;
}
248 | |
/* NetLabel disabled: there is no label to read back; @secattr is left
 * untouched and -ENOSYS is returned. */
static inline int cipso_v4_sock_getattr(struct sock *sk,
					struct netlbl_lsm_secattr *secattr)
{
	(void)sk;
	(void)secattr;
	return -ENOSYS;
}
254 | |
/* NetLabel disabled: connection requests cannot be labeled; refused with
 * -ENOSYS, mirroring cipso_v4_sock_setattr(). */
static inline int cipso_v4_req_setattr(struct request_sock *req,
				       const struct cipso_v4_doi *doi_def,
				       const struct netlbl_lsm_secattr *secattr)
{
	(void)req;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}
261 | |
/* NetLabel disabled: a request_sock never carries a CIPSO option. */
static inline void cipso_v4_req_delattr(struct request_sock *req)
{
	(void)req;
}
266 | |
/* NetLabel disabled: a packet cannot be given a CIPSO option; refused with
 * -ENOSYS so the caller does not assume the label was applied. */
static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
					  const struct cipso_v4_doi *doi_def,
					  const struct netlbl_lsm_secattr *secattr)
{
	(void)skb;
	(void)doi_def;
	(void)secattr;
	return -ENOSYS;
}
273 | |
/* NetLabel disabled: unlike the sock/req delattr stubs this one reports
 * -ENOSYS, since the packet is not touched and the caller may need to
 * know that. */
static inline int cipso_v4_skbuff_delattr(struct sk_buff *skb)
{
	(void)skb;
	return -ENOSYS;
}
278 | |
/* NetLabel disabled: no label can be extracted; @secattr is left untouched
 * and -ENOSYS is returned. */
static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
					  struct netlbl_lsm_secattr *secattr)
{
	(void)skb;
	(void)secattr;
	return -ENOSYS;
}
284 | |
/* NetLabel disabled: the option is never inspected and validation always
 * fails with -ENOSYS.  Because the result is non-zero, any packet carrying
 * a CIPSO option is reported as invalid to the caller, which presumably
 * drops it - the safe default, since nothing here could parse the option.
 * *@option is left where the caller put it. */
static inline int cipso_v4_validate(const struct sk_buff *skb,
				    unsigned char **option)
{
	(void)skb;
	(void)option;
	return -ENOSYS;
}
290 | #endif /* CONFIG_NETLABEL */ |
291 | |
292 | #endif /* _CIPSO_IPV4_H */ |