[NetLabel]: core NetLabel subsystem

Add a new kernel subsystem, NetLabel, to provide explicit packet labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is designed to work in conjunction with a LSM to intercept and decode security labels on incoming network packets as well as ensure that outgoing network packets are labeled according to the security mechanism employed by the LSM. The NetLabel subsystem is configured through a Generic NETLINK interface described in the header files included in this patch. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Paul Moore <paul.moore@hp.com> 2006-08-03 19:48:37 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:34 -0400
commit: d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree: 7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_cipso_v4.h
parent: 446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)
1 files changed, 217 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h
new file mode 100644
index 000000000000..4c6ff4b93004
--- /dev/null
+++ b/net/netlabel/netlabel_cipso_v4.h
@@ -0,0 +1,217 @@
+/*
+ * NetLabel CIPSO/IPv4 Support
+ *
+ * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
+ * NetLabel system manages static and dynamic label mappings for network
+ * protocols such as CIPSO and RIPSO.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+#ifndef _NETLABEL_CIPSO_V4
+#define _NETLABEL_CIPSO_V4
+#include <net/netlabel.h>
+/*
+ * The following NetLabel payloads are supported by the CIPSO subsystem, all
+ * of which are preceeded by the nlmsghdr struct.
+ *
+ * o ACK:
+ *   Sent by the kernel in response to an applications message, applications
+ *   should never send this message.
+ *
+ *   +----------------------+-----------------------+
+ *   | seq number (32 bits) | return code (32 bits) |
+ *   +----------------------+-----------------------+
+ *
+ *     seq number:  the sequence number of the original message, taken from the
+ *                  nlmsghdr structure
+ *     return code: return value, based on errno values
+ *
+ * o ADD:
+ *   Sent by an application to add a new DOI mapping table, after completion
+ *   of the task the kernel should ACK this message.
+ *
+ *   +---------------+--------------------+---------------------+
+ *   | DOI (32 bits) | map type (32 bits) | tag count (32 bits) | ...
+ *   +---------------+--------------------+---------------------+
+ *
+ *   +-----------------+
+ *   | tag #X (8 bits) | ... repeated
+ *   +-----------------+
+ *
+ *   +-------------- ---- --- -- -
+ *   | mapping data
+ *   +-------------- ---- --- -- -
+ *
+ *     DOI:          the DOI value
+ *     map type:     the mapping table type (defined in the cipso_ipv4.h header
+ *                   as CIPSO_V4_MAP_*)
+ *     tag count:    the number of tags, must be greater than zero
+ *     tag:          the CIPSO tag for the DOI, tags listed first are given
+ *                   higher priorirty when sending packets
+ *     mapping data: specific to the map type (see below)
+ *
+ *   CIPSO_V4_MAP_STD
+ *
+ *   +------------------+-----------------------+----------------------+
+ *   | levels (32 bits) | max l level (32 bits) | max r level (8 bits) | ...
+ *   +------------------+-----------------------+----------------------+
+ *
+ *   +----------------------+---------------------+---------------------+
+ *   | categories (32 bits) | max l cat (32 bits) | max r cat (16 bits) | ...
+ *   +----------------------+---------------------+---------------------+
+ *
+ *   +--------------------------+-------------------------+
+ *   | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
+ *   +--------------------------+-------------------------+
+ *
+ *   +-----------------------------+-----------------------------+
+ *   | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
+ *   +-----------------------------+-----------------------------+
+ *
+ *     levels:         the number of level mappings
+ *     max l level:    the highest local level
+ *     max r level:    the highest remote/CIPSO level
+ *     categories:     the number of category mappings
+ *     max l cat:      the highest local category
+ *     max r cat:      the highest remote/CIPSO category
+ *     local level:    the local part of a level mapping
+ *     CIPSO level:    the remote/CIPSO part of a level mapping
+ *     local category: the local part of a category mapping
+ *     CIPSO category: the remote/CIPSO part of a category mapping
+ *
+ *   CIPSO_V4_MAP_PASS
+ *
+ *   No mapping data is needed for this map type.
+ *
+ * o REMOVE:
+ *   Sent by an application to remove a specific DOI mapping table from the
+ *   CIPSO V4 system.  The kernel should ACK this message.
+ *
+ *   +---------------+
+ *   | DOI (32 bits) |
+ *   +---------------+
+ *
+ *     DOI:          the DOI value
+ *
+ * o LIST:
+ *   Sent by an application to list the details of a DOI definition.  The
+ *   kernel should send an ACK on error or a response as indicated below.  The
+ *   application generated message format is shown below.
+ *
+ *   +---------------+
+ *   | DOI (32 bits) |
+ *   +---------------+
+ *
+ *     DOI:          the DOI value
+ *
+ *   The valid response message format depends on the type of the DOI mapping,
+ *   the known formats are shown below.
+ *
+ *   +--------------------+
+ *   | map type (32 bits) | ...
+ *   +--------------------+
+ *
+ *     map type:       the DOI mapping table type (defined in the cipso_ipv4.h
+ *                     header as CIPSO_V4_MAP_*)
+ *
+ *   (map type == CIPSO_V4_MAP_STD)
+ *
+ *   +----------------+------------------+----------------------+
+ *   | tags (32 bits) | levels (32 bits) | categories (32 bits) | ...
+ *   +----------------+------------------+----------------------+
+ *
+ *   +-----------------+
+ *   | tag #X (8 bits) | ... repeated
+ *   +-----------------+
+ *
+ *   +--------------------------+-------------------------+
+ *   | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
+ *   +--------------------------+-------------------------+
+ *
+ *   +-----------------------------+-----------------------------+
+ *   | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
+ *   +-----------------------------+-----------------------------+
+ *
+ *     tags:           the number of CIPSO tag types
+ *     levels:         the number of level mappings
+ *     categories:     the number of category mappings
+ *     tag:            the tag number, tags listed first are given higher
+ *                     priority when sending packets
+ *     local level:    the local part of a level mapping
+ *     CIPSO level:    the remote/CIPSO part of a level mapping
+ *     local category: the local part of a category mapping
+ *     CIPSO category: the remote/CIPSO part of a category mapping
+ *
+ *   (map type == CIPSO_V4_MAP_PASS)
+ *
+ *   +----------------+
+ *   | tags (32 bits) | ...
+ *   +----------------+
+ *
+ *   +-----------------+
+ *   | tag #X (8 bits) | ... repeated
+ *   +-----------------+
+ *
+ *     tags:           the number of CIPSO tag types
+ *     tag:            the tag number, tags listed first are given higher
+ *                     priority when sending packets
+ *
+ * o LISTALL:
+ *   This message is sent by an application to list the valid DOIs on the
+ *   system.  There is no payload and the kernel should respond with an ACK
+ *   or the following message.
+ *
+ *   +---------------------+------------------+-----------------------+
+ *   | DOI count (32 bits) | DOI #X (32 bits) | map type #X (32 bits) |
+ *   +---------------------+------------------+-----------------------+
+ *
+ *   +-----------------------+
+ *   | map type #X (32 bits) | ...
+ *   +-----------------------+
+ *
+ *     DOI count:      the number of DOIs
+ *     DOI:            the DOI value
+ *     map type:       the DOI mapping table type (defined in the cipso_ipv4.h
+ *                     header as CIPSO_V4_MAP_*)
+ *
+ */
+/* NetLabel CIPSOv4 commands */
+enum {
+        NLBL_CIPSOV4_C_UNSPEC,
+        NLBL_CIPSOV4_C_ACK,
+        NLBL_CIPSOV4_C_ADD,
+        NLBL_CIPSOV4_C_REMOVE,
+        NLBL_CIPSOV4_C_LIST,
+        NLBL_CIPSOV4_C_LISTALL,
+        __NLBL_CIPSOV4_C_MAX,
+};
+#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)
+/* NetLabel protocol functions */
+int netlbl_cipsov4_genl_init(void);
+#endif
author	Paul Moore <paul.moore@hp.com>	2006-08-03 19:48:37 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:34 -0400
commit	d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree	7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_cipso_v4.h
parent	446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)

diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h new file mode 100644 index 000000000000..4c6ff4b93004 --- /dev/null +++ b/net/netlabel/netlabel_cipso_v4.h
@@ -0,0 +1,217 @@
	1	/*
	2	* NetLabel CIPSO/IPv4 Support
	3	*
	4	* This file defines the CIPSO/IPv4 functions for the NetLabel system. The
	5	* NetLabel system manages static and dynamic label mappings for network
	6	* protocols such as CIPSO and RIPSO.
	7	*
	8	* Author: Paul Moore <paul.moore@hp.com>
	9	*
	10	*/
	11
	12	/*
	13	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
	14	*
	15	* This program is free software; you can redistribute it and/or modify
	16	* it under the terms of the GNU General Public License as published by
	17	* the Free Software Foundation; either version 2 of the License, or
	18	* (at your option) any later version.
	19	*
	20	* This program is distributed in the hope that it will be useful,
	21	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	22	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	23	* the GNU General Public License for more details.
	24	*
	25	* You should have received a copy of the GNU General Public License
	26	* along with this program; if not, write to the Free Software
	27	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	28	*
	29	*/
	30
	31	#ifndef _NETLABEL_CIPSO_V4
	32	#define _NETLABEL_CIPSO_V4
	33
	34	#include <net/netlabel.h>
	35
	36	/*
	37	* The following NetLabel payloads are supported by the CIPSO subsystem, all
	38	* of which are preceeded by the nlmsghdr struct.
	39	*
	40	* o ACK:
	41	* Sent by the kernel in response to an applications message, applications
	42	* should never send this message.
	43	*
	44	* +----------------------+-----------------------+
	45	* \| seq number (32 bits) \| return code (32 bits) \|
	46	* +----------------------+-----------------------+
	47	*
	48	* seq number: the sequence number of the original message, taken from the
	49	* nlmsghdr structure
	50	* return code: return value, based on errno values
	51	*
	52	* o ADD:
	53	* Sent by an application to add a new DOI mapping table, after completion
	54	* of the task the kernel should ACK this message.
	55	*
	56	* +---------------+--------------------+---------------------+
	57	* \| DOI (32 bits) \| map type (32 bits) \| tag count (32 bits) \| ...
	58	* +---------------+--------------------+---------------------+
	59	*
	60	* +-----------------+
	61	* \| tag #X (8 bits) \| ... repeated
	62	* +-----------------+
	63	*
	64	* +-------------- ---- --- -- -
	65	* \| mapping data
	66	* +-------------- ---- --- -- -
	67	*
	68	* DOI: the DOI value
	69	* map type: the mapping table type (defined in the cipso_ipv4.h header
	70	* as CIPSO_V4_MAP_*)
	71	* tag count: the number of tags, must be greater than zero
	72	* tag: the CIPSO tag for the DOI, tags listed first are given
	73	* higher priorirty when sending packets
	74	* mapping data: specific to the map type (see below)
	75	*
	76	* CIPSO_V4_MAP_STD
	77	*
	78	* +------------------+-----------------------+----------------------+
	79	* \| levels (32 bits) \| max l level (32 bits) \| max r level (8 bits) \| ...
	80	* +------------------+-----------------------+----------------------+
	81	*
	82	* +----------------------+---------------------+---------------------+
	83	* \| categories (32 bits) \| max l cat (32 bits) \| max r cat (16 bits) \| ...
	84	* +----------------------+---------------------+---------------------+
	85	*
	86	* +--------------------------+-------------------------+
	87	* \| local level #X (32 bits) \| CIPSO level #X (8 bits) \| ... repeated
	88	* +--------------------------+-------------------------+
	89	*
	90	* +-----------------------------+-----------------------------+
	91	* \| local category #X (32 bits) \| CIPSO category #X (16 bits) \| ... repeated
	92	* +-----------------------------+-----------------------------+
	93	*
	94	* levels: the number of level mappings
	95	* max l level: the highest local level
	96	* max r level: the highest remote/CIPSO level
	97	* categories: the number of category mappings
	98	* max l cat: the highest local category
	99	* max r cat: the highest remote/CIPSO category
	100	* local level: the local part of a level mapping
	101	* CIPSO level: the remote/CIPSO part of a level mapping
	102	* local category: the local part of a category mapping
	103	* CIPSO category: the remote/CIPSO part of a category mapping
	104	*
	105	* CIPSO_V4_MAP_PASS
	106	*
	107	* No mapping data is needed for this map type.
	108	*
	109	* o REMOVE:
	110	* Sent by an application to remove a specific DOI mapping table from the
	111	* CIPSO V4 system. The kernel should ACK this message.
	112	*
	113	* +---------------+
	114	* \| DOI (32 bits) \|
	115	* +---------------+
	116	*
	117	* DOI: the DOI value
	118	*
	119	* o LIST:
	120	* Sent by an application to list the details of a DOI definition. The
	121	* kernel should send an ACK on error or a response as indicated below. The
	122	* application generated message format is shown below.
	123	*
	124	* +---------------+
	125	* \| DOI (32 bits) \|
	126	* +---------------+
	127	*
	128	* DOI: the DOI value
	129	*
	130	* The valid response message format depends on the type of the DOI mapping,
	131	* the known formats are shown below.
	132	*
	133	* +--------------------+
	134	* \| map type (32 bits) \| ...
	135	* +--------------------+
	136	*
	137	* map type: the DOI mapping table type (defined in the cipso_ipv4.h
	138	* header as CIPSO_V4_MAP_*)
	139	*
	140	* (map type == CIPSO_V4_MAP_STD)
	141	*
	142	* +----------------+------------------+----------------------+
	143	* \| tags (32 bits) \| levels (32 bits) \| categories (32 bits) \| ...
	144	* +----------------+------------------+----------------------+
	145	*
	146	* +-----------------+
	147	* \| tag #X (8 bits) \| ... repeated
	148	* +-----------------+
	149	*
	150	* +--------------------------+-------------------------+
	151	* \| local level #X (32 bits) \| CIPSO level #X (8 bits) \| ... repeated
	152	* +--------------------------+-------------------------+
	153	*
	154	* +-----------------------------+-----------------------------+
	155	* \| local category #X (32 bits) \| CIPSO category #X (16 bits) \| ... repeated
	156	* +-----------------------------+-----------------------------+
	157	*
	158	* tags: the number of CIPSO tag types
	159	* levels: the number of level mappings
	160	* categories: the number of category mappings
	161	* tag: the tag number, tags listed first are given higher
	162	* priority when sending packets
	163	* local level: the local part of a level mapping
	164	* CIPSO level: the remote/CIPSO part of a level mapping
	165	* local category: the local part of a category mapping
	166	* CIPSO category: the remote/CIPSO part of a category mapping
	167	*
	168	* (map type == CIPSO_V4_MAP_PASS)
	169	*
	170	* +----------------+
	171	* \| tags (32 bits) \| ...
	172	* +----------------+
	173	*
	174	* +-----------------+
	175	* \| tag #X (8 bits) \| ... repeated
	176	* +-----------------+
	177	*
	178	* tags: the number of CIPSO tag types
	179	* tag: the tag number, tags listed first are given higher
	180	* priority when sending packets
	181	*
	182	* o LISTALL:
	183	* This message is sent by an application to list the valid DOIs on the
	184	* system. There is no payload and the kernel should respond with an ACK
	185	* or the following message.
	186	*
	187	* +---------------------+------------------+-----------------------+
	188	* \| DOI count (32 bits) \| DOI #X (32 bits) \| map type #X (32 bits) \|
	189	* +---------------------+------------------+-----------------------+
	190	*
	191	* +-----------------------+
	192	* \| map type #X (32 bits) \| ...
	193	* +-----------------------+
	194	*
	195	* DOI count: the number of DOIs
	196	* DOI: the DOI value
	197	* map type: the DOI mapping table type (defined in the cipso_ipv4.h
	198	* header as CIPSO_V4_MAP_*)
	199	*
	200	*/
	201
	202	/* NetLabel CIPSOv4 commands */
	203	enum {
	204	NLBL_CIPSOV4_C_UNSPEC,
	205	NLBL_CIPSOV4_C_ACK,
	206	NLBL_CIPSOV4_C_ADD,
	207	NLBL_CIPSOV4_C_REMOVE,
	208	NLBL_CIPSOV4_C_LIST,
	209	NLBL_CIPSOV4_C_LISTALL,
	210	__NLBL_CIPSOV4_C_MAX,
	211	};
	212	#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)
	213
	214	/* NetLabel protocol functions */
	215	int netlbl_cipsov4_genl_init(void);
	216
	217	#endif