netlabel: Initial support for the CALIPSO netlink protocol.

CALIPSO is a packet labelling protocol for IPv6 which is very similar to CIPSO. It is specified in RFC 5570. Much of the code is based on the current CIPSO code. This adds support for adding passthrough-type CALIPSO DOIs through the NLBL_CALIPSO_C_ADD command. It requires attributes: NLBL_CALIPSO_A_TYPE which must be CALIPSO_MAP_PASS. NLBL_CALIPSO_A_DOI. In passthrough mode the CALIPSO engine will map MLS secattr levels and categories directly to the packet label. At this stage, the major difference between this and the CIPSO code is that IPv6 may be compiled as a module. To allow for this the CALIPSO functions are registered at module init time. Signed-off-by: Huw Davies <huw@codeweavers.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Huw Davies <huw@codeweavers.com> 2016-06-27 15:02:46 -0400
committer: Paul Moore <paul@paul-moore.com> 2016-06-27 15:02:46 -0400
commit: cb72d38211eacda2dd90b09540542b6582da614e (patch)
tree: 2a9be751e1917ede6f9a56f547eafacfa202d1e7 /include/net
parent: 8f18e675c3335b5f113dbabc4afbab6da41ff61f (diff)
2 files changed, 102 insertions, 0 deletions
diff --git a/include/net/calipso.h b/include/net/calipso.h
new file mode 100644
index 000000000000..38dbb4707150
--- /dev/null
+++ b/include/net/calipso.h
@@ -0,0 +1,79 @@
+/*
+ * CALIPSO - Common Architecture Label IPv6 Security Option
+ *
+ * This is an implementation of the CALIPSO protocol as specified in
+ * RFC 5570.
+ *
+ * Authors: Paul Moore <paul@paul-moore.com>
+ *          Huw Davies <huw@codeweavers.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#ifndef _CALIPSO_H
+#define _CALIPSO_H
+#include <linux/types.h>
+#include <linux/rcupdate.h>
+#include <linux/list.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <net/netlabel.h>
+#include <net/request_sock.h>
+#include <linux/atomic.h>
+#include <asm/unaligned.h>
+/* known doi values */
+#define CALIPSO_DOI_UNKNOWN          0x00000000
+/* doi mapping types */
+#define CALIPSO_MAP_UNKNOWN          0
+#define CALIPSO_MAP_PASS             2
+/*
+ * CALIPSO DOI definitions
+ */
+/* DOI definition struct */
+struct calipso_doi {
+        u32 doi;
+        u32 type;
+        atomic_t refcount;
+        struct list_head list;
+        struct rcu_head rcu;
+};
+#ifdef CONFIG_NETLABEL
+int __init calipso_init(void);
+void calipso_exit(void);
+#else
+static inline int __init calipso_init(void)
+{
+        return 0;
+}
+static inline void calipso_exit(void)
+{
+}
+#endif /* CONFIG_NETLABEL */
+#endif /* _CALIPSO_H */
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 7b5a300de7f5..6af1bb6df4ab 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -40,6 +40,7 @@
 #include <linux/atomic.h>
 struct cipso_v4_doi;
+struct calipso_doi;
 /*
 * NetLabel - A management interface for maintaining network packet label
@@ -94,6 +95,8 @@ struct cipso_v4_doi;
 #define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"
 #define NETLBL_NLTYPE_ADDRSELECT        6
 #define NETLBL_NLTYPE_ADDRSELECT_NAME   "NLBL_ADRSEL"
+#define NETLBL_NLTYPE_CALIPSO           7
+#define NETLBL_NLTYPE_CALIPSO_NAME      "NLBL_CALIPSO"
 /*
 * NetLabel - Kernel API for accessing the network packet label mappings.
@@ -216,6 +219,23 @@ struct netlbl_lsm_secattr {
        } attr;
 };
+/**
+ * struct netlbl_calipso_ops - NetLabel CALIPSO operations
+ * @doi_add: add a CALIPSO DOI
+ * @doi_free: free a CALIPSO DOI
+ *
+ * Description:
+ * This structure is filled out by the CALIPSO engine and passed
+ * to the NetLabel core via a call to netlbl_calipso_ops_register().
+ * It enables the CALIPSO engine (and hence IPv6) to be compiled
+ * as a module.
+ */
+struct netlbl_calipso_ops {
+        int (*doi_add)(struct calipso_doi *doi_def,
+                       struct netlbl_audit *audit_info);
+        void (*doi_free)(struct calipso_doi *doi_def);
+};
 /*
 * LSM security attribute operations (inline)
 */
@@ -598,4 +618,7 @@ static inline struct audit_buffer *netlbl_audit_start(int type,
 }
 #endif /* CONFIG_NETLABEL */
+const struct netlbl_calipso_ops *
+netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);
 #endif /* _NETLABEL_H */
author	Huw Davies <huw@codeweavers.com>	2016-06-27 15:02:46 -0400
committer	Paul Moore <paul@paul-moore.com>	2016-06-27 15:02:46 -0400
commit	cb72d38211eacda2dd90b09540542b6582da614e (patch)
tree	2a9be751e1917ede6f9a56f547eafacfa202d1e7 /include/net
parent	8f18e675c3335b5f113dbabc4afbab6da41ff61f (diff)

diff --git a/include/net/calipso.h b/include/net/calipso.h new file mode 100644 index 000000000000..38dbb4707150 --- /dev/null +++ b/include/net/calipso.h
@@ -0,0 +1,79 @@
		1	/*
		2	* CALIPSO - Common Architecture Label IPv6 Security Option
		3	*
		4	* This is an implementation of the CALIPSO protocol as specified in
		5	* RFC 5570.
		6	*
		7	* Authors: Paul Moore <paul@paul-moore.com>
		8	* Huw Davies <huw@codeweavers.com>
		9	*
		10	*/
		11
		12	/*
		13	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
		14	* (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
		15	*
		16	* This program is free software; you can redistribute it and/or modify
		17	* it under the terms of the GNU General Public License as published by
		18	* the Free Software Foundation; either version 2 of the License, or
		19	* (at your option) any later version.
		20	*
		21	* This program is distributed in the hope that it will be useful,
		22	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		23	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
		24	* the GNU General Public License for more details.
		25	*
		26	* You should have received a copy of the GNU General Public License
		27	* along with this program; if not, see <http://www.gnu.org/licenses/>.
		28	*
		29	*/
		30
		31	#ifndef _CALIPSO_H
		32	#define _CALIPSO_H
		33
		34	#include <linux/types.h>
		35	#include <linux/rcupdate.h>
		36	#include <linux/list.h>
		37	#include <linux/net.h>
		38	#include <linux/skbuff.h>
		39	#include <net/netlabel.h>
		40	#include <net/request_sock.h>
		41	#include <linux/atomic.h>
		42	#include <asm/unaligned.h>
		43
		44	/* known doi values */
		45	#define CALIPSO_DOI_UNKNOWN 0x00000000
		46
		47	/* doi mapping types */
		48	#define CALIPSO_MAP_UNKNOWN 0
		49	#define CALIPSO_MAP_PASS 2
		50
		51	/*
		52	* CALIPSO DOI definitions
		53	*/
		54
		55	/* DOI definition struct */
		56	struct calipso_doi {
		57	u32 doi;
		58	u32 type;
		59
		60	atomic_t refcount;
		61	struct list_head list;
		62	struct rcu_head rcu;
		63	};
		64
		65	#ifdef CONFIG_NETLABEL
		66	int __init calipso_init(void);
		67	void calipso_exit(void);
		68	#else
		69	static inline int __init calipso_init(void)
		70	{
		71	return 0;
		72	}
		73
		74	static inline void calipso_exit(void)
		75	{
		76	}
		77	#endif /* CONFIG_NETLABEL */
		78
		79	#endif /* _CALIPSO_H */


diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 7b5a300de7f5..6af1bb6df4ab 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h
@@ -40,6 +40,7 @@
40	#include <linux/atomic.h>	40	#include <linux/atomic.h>
41		41
42	struct cipso_v4_doi;	42	struct cipso_v4_doi;
		43	struct calipso_doi;
43		44
44	/*	45	/*
45	* NetLabel - A management interface for maintaining network packet label	46	* NetLabel - A management interface for maintaining network packet label
@@ -94,6 +95,8 @@ struct cipso_v4_doi;
94	#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"	95	#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
95	#define NETLBL_NLTYPE_ADDRSELECT 6	96	#define NETLBL_NLTYPE_ADDRSELECT 6
96	#define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL"	97	#define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL"
		98	#define NETLBL_NLTYPE_CALIPSO 7
		99	#define NETLBL_NLTYPE_CALIPSO_NAME "NLBL_CALIPSO"
97		100
98	/*	101	/*
99	* NetLabel - Kernel API for accessing the network packet label mappings.	102	* NetLabel - Kernel API for accessing the network packet label mappings.
@@ -216,6 +219,23 @@ struct netlbl_lsm_secattr {
216	} attr;	219	} attr;
217	};	220	};
218		221
		222	/**
		223	* struct netlbl_calipso_ops - NetLabel CALIPSO operations
		224	* @doi_add: add a CALIPSO DOI
		225	* @doi_free: free a CALIPSO DOI
		226	*
		227	* Description:
		228	* This structure is filled out by the CALIPSO engine and passed
		229	* to the NetLabel core via a call to netlbl_calipso_ops_register().
		230	* It enables the CALIPSO engine (and hence IPv6) to be compiled
		231	* as a module.
		232	*/
		233	struct netlbl_calipso_ops {
		234	int (doi_add)(struct calipso_doi doi_def,
		235	struct netlbl_audit *audit_info);
		236	void (doi_free)(struct calipso_doi doi_def);
		237	};
		238
219	/*	239	/*
220	* LSM security attribute operations (inline)	240	* LSM security attribute operations (inline)
221	*/	241	*/
@@ -598,4 +618,7 @@ static inline struct audit_buffer *netlbl_audit_start(int type,
598	}	618	}
599	#endif /* CONFIG_NETLABEL */	619	#endif /* CONFIG_NETLABEL */
600		620
		621	const struct netlbl_calipso_ops *
		622	netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);
		623
601	#endif /* _NETLABEL_H */	624	#endif /* _NETLABEL_H */