[NetLabel]: core NetLabel subsystem

Add a new kernel subsystem, NetLabel, to provide explicit packet labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is designed to work in conjunction with a LSM to intercept and decode security labels on incoming network packets as well as ensure that outgoing network packets are labeled according to the security mechanism employed by the LSM. The NetLabel subsystem is configured through a Generic NETLINK interface described in the header files included in this patch. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Paul Moore <paul.moore@hp.com> 2006-08-03 19:48:37 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:34 -0400
commit: d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree: 7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_mgmt.h
parent: 446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)
1 files changed, 246 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
new file mode 100644
index 000000000000..fd6c6acbfa08
--- /dev/null
+++ b/net/netlabel/netlabel_mgmt.h
@@ -0,0 +1,246 @@
+/*
+ * NetLabel Management Support
+ *
+ * This file defines the management functions for the NetLabel system.  The
+ * NetLabel system manages static and dynamic label mappings for network
+ * protocols such as CIPSO and RIPSO.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+#ifndef _NETLABEL_MGMT_H
+#define _NETLABEL_MGMT_H
+#include <net/netlabel.h>
+/*
+ * The following NetLabel payloads are supported by the management interface,
+ * all of which are preceeded by the nlmsghdr struct.
+ *
+ * o ACK:
+ *   Sent by the kernel in response to an applications message, applications
+ *   should never send this message.
+ *
+ *   +----------------------+-----------------------+
+ *   | seq number (32 bits) | return code (32 bits) |
+ *   +----------------------+-----------------------+
+ *
+ *     seq number:  the sequence number of the original message, taken from the
+ *                  nlmsghdr structure
+ *     return code: return value, based on errno values
+ *
+ * o ADD:
+ *   Sent by an application to add a domain mapping to the NetLabel system.
+ *   The kernel should respond with an ACK.
+ *
+ *   +-------------------+
+ *   | domains (32 bits) | ...
+ *   +-------------------+
+ *
+ *     domains: the number of domains in the message
+ *
+ *   +--------------------------+-------------------------+
+ *   | domain string (variable) | protocol type (32 bits) | ...
+ *   +--------------------------+-------------------------+
+ *
+ *   +-------------- ---- --- -- -
+ *   | mapping data                ... repeated
+ *   +-------------- ---- --- -- -
+ *
+ *     domain string: the domain string, NULL terminated
+ *     protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
+ *     mapping data:  specific to the map type (see below)
+ *
+ *   NETLBL_NLTYPE_UNLABELED
+ *
+ *     No mapping data for this protocol type.
+ *
+ *   NETLBL_NLTYPE_CIPSOV4
+ *
+ *   +---------------+
+ *   | doi (32 bits) |
+ *   +---------------+
+ *
+ *     doi:  the CIPSO DOI value
+ *
+ * o REMOVE:
+ *   Sent by an application to remove a domain mapping from the NetLabel
+ *   system.  The kernel should ACK this message.
+ *
+ *   +-------------------+
+ *   | domains (32 bits) | ...
+ *   +-------------------+
+ *
+ *     domains: the number of domains in the message
+ *
+ *   +--------------------------+
+ *   | domain string (variable) | ...
+ *   +--------------------------+
+ *
+ *     domain string: the domain string, NULL terminated
+ *
+ * o LIST:
+ *   This message can be sent either from an application or by the kernel in
+ *   response to an application generated LIST message.  When sent by an
+ *   application there is no payload.  The kernel should respond to a LIST
+ *   message either with a LIST message on success or an ACK message on
+ *   failure.
+ *
+ *   +-------------------+
+ *   | domains (32 bits) | ...
+ *   +-------------------+
+ *
+ *     domains: the number of domains in the message
+ *
+ *   +--------------------------+
+ *   | domain string (variable) | ...
+ *   +--------------------------+
+ *
+ *   +-------------------------+-------------- ---- --- -- -
+ *   | protocol type (32 bits) | mapping data                ... repeated
+ *   +-------------------------+-------------- ---- --- -- -
+ *
+ *     domain string: the domain string, NULL terminated
+ *     protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
+ *     mapping data:  specific to the map type (see below)
+ *
+ *   NETLBL_NLTYPE_UNLABELED
+ *
+ *     No mapping data for this protocol type.
+ *
+ *   NETLBL_NLTYPE_CIPSOV4
+ *
+ *   +----------------+---------------+
+ *   | type (32 bits) | doi (32 bits) |
+ *   +----------------+---------------+
+ *
+ *     type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
+ *           as CIPSO_V4_MAP_*)
+ *     doi:  the CIPSO DOI value
+ *
+ * o ADDDEF:
+ *   Sent by an application to set the default domain mapping for the NetLabel
+ *   system.  The kernel should respond with an ACK.
+ *
+ *   +-------------------------+-------------- ---- --- -- -
+ *   | protocol type (32 bits) | mapping data                ... repeated
+ *   +-------------------------+-------------- ---- --- -- -
+ *
+ *     protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
+ *     mapping data:  specific to the map type (see below)
+ *
+ *   NETLBL_NLTYPE_UNLABELED
+ *
+ *     No mapping data for this protocol type.
+ *
+ *   NETLBL_NLTYPE_CIPSOV4
+ *
+ *   +---------------+
+ *   | doi (32 bits) |
+ *   +---------------+
+ *
+ *     doi:  the CIPSO DOI value
+ *
+ * o REMOVEDEF:
+ *   Sent by an application to remove the default domain mapping from the
+ *   NetLabel system, there is no payload.  The kernel should ACK this message.
+ *
+ * o LISTDEF:
+ *   This message can be sent either from an application or by the kernel in
+ *   response to an application generated LISTDEF message.  When sent by an
+ *   application there is no payload.  The kernel should respond to a
+ *   LISTDEF message either with a LISTDEF message on success or an ACK message
+ *   on failure.
+ *
+ *   +-------------------------+-------------- ---- --- -- -
+ *   | protocol type (32 bits) | mapping data                ... repeated
+ *   +-------------------------+-------------- ---- --- -- -
+ *
+ *     protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
+ *     mapping data:  specific to the map type (see below)
+ *
+ *   NETLBL_NLTYPE_UNLABELED
+ *
+ *     No mapping data for this protocol type.
+ *
+ *   NETLBL_NLTYPE_CIPSOV4
+ *
+ *   +----------------+---------------+
+ *   | type (32 bits) | doi (32 bits) |
+ *   +----------------+---------------+
+ *
+ *     type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
+ *           as CIPSO_V4_MAP_*)
+ *     doi:  the CIPSO DOI value
+ *
+ * o MODULES:
+ *   Sent by an application to request a list of configured NetLabel modules
+ *   in the kernel.  When sent by an application there is no payload.
+ *
+ *   +-------------------+
+ *   | modules (32 bits) | ...
+ *   +-------------------+
+ *
+ *     modules: the number of modules in the message, if this is an application
+ *              generated message and the value is zero then return a list of
+ *              the configured modules
+ *
+ *   +------------------+
+ *   | module (32 bits) | ... repeated
+ *   +------------------+
+ *
+ *     module: the module number as defined by NETLBL_NLTYPE_*
+ *
+ * o VERSION:
+ *   Sent by an application to request the NetLabel version string.  When sent
+ *   by an application there is no payload.  This message type is also used by
+ *   the kernel to respond to an VERSION request.
+ *
+ *   +-------------------+
+ *   | version (32 bits) |
+ *   +-------------------+
+ *
+ *     version: the protocol version number
+ *
+ */
+/* NetLabel Management commands */
+enum {
+        NLBL_MGMT_C_UNSPEC,
+        NLBL_MGMT_C_ACK,
+        NLBL_MGMT_C_ADD,
+        NLBL_MGMT_C_REMOVE,
+        NLBL_MGMT_C_LIST,
+        NLBL_MGMT_C_ADDDEF,
+        NLBL_MGMT_C_REMOVEDEF,
+        NLBL_MGMT_C_LISTDEF,
+        NLBL_MGMT_C_MODULES,
+        NLBL_MGMT_C_VERSION,
+        __NLBL_MGMT_C_MAX,
+};
+#define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1)
+/* NetLabel protocol functions */
+int netlbl_mgmt_genl_init(void);
+#endif
author	Paul Moore <paul.moore@hp.com>	2006-08-03 19:48:37 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:34 -0400
commit	d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree	7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_mgmt.h
parent	446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)

diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h new file mode 100644 index 000000000000..fd6c6acbfa08 --- /dev/null +++ b/net/netlabel/netlabel_mgmt.h
@@ -0,0 +1,246 @@
	1	/*
	2	* NetLabel Management Support
	3	*
	4	* This file defines the management functions for the NetLabel system. The
	5	* NetLabel system manages static and dynamic label mappings for network
	6	* protocols such as CIPSO and RIPSO.
	7	*
	8	* Author: Paul Moore <paul.moore@hp.com>
	9	*
	10	*/
	11
	12	/*
	13	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
	14	*
	15	* This program is free software; you can redistribute it and/or modify
	16	* it under the terms of the GNU General Public License as published by
	17	* the Free Software Foundation; either version 2 of the License, or
	18	* (at your option) any later version.
	19	*
	20	* This program is distributed in the hope that it will be useful,
	21	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	22	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	23	* the GNU General Public License for more details.
	24	*
	25	* You should have received a copy of the GNU General Public License
	26	* along with this program; if not, write to the Free Software
	27	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	28	*
	29	*/
	30
	31	#ifndef _NETLABEL_MGMT_H
	32	#define _NETLABEL_MGMT_H
	33
	34	#include <net/netlabel.h>
	35
	36	/*
	37	* The following NetLabel payloads are supported by the management interface,
	38	* all of which are preceeded by the nlmsghdr struct.
	39	*
	40	* o ACK:
	41	* Sent by the kernel in response to an applications message, applications
	42	* should never send this message.
	43	*
	44	* +----------------------+-----------------------+
	45	* \| seq number (32 bits) \| return code (32 bits) \|
	46	* +----------------------+-----------------------+
	47	*
	48	* seq number: the sequence number of the original message, taken from the
	49	* nlmsghdr structure
	50	* return code: return value, based on errno values
	51	*
	52	* o ADD:
	53	* Sent by an application to add a domain mapping to the NetLabel system.
	54	* The kernel should respond with an ACK.
	55	*
	56	* +-------------------+
	57	* \| domains (32 bits) \| ...
	58	* +-------------------+
	59	*
	60	* domains: the number of domains in the message
	61	*
	62	* +--------------------------+-------------------------+
	63	* \| domain string (variable) \| protocol type (32 bits) \| ...
	64	* +--------------------------+-------------------------+
	65	*
	66	* +-------------- ---- --- -- -
	67	* \| mapping data ... repeated
	68	* +-------------- ---- --- -- -
	69	*
	70	* domain string: the domain string, NULL terminated
	71	* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
	72	* mapping data: specific to the map type (see below)
	73	*
	74	* NETLBL_NLTYPE_UNLABELED
	75	*
	76	* No mapping data for this protocol type.
	77	*
	78	* NETLBL_NLTYPE_CIPSOV4
	79	*
	80	* +---------------+
	81	* \| doi (32 bits) \|
	82	* +---------------+
	83	*
	84	* doi: the CIPSO DOI value
	85	*
	86	* o REMOVE:
	87	* Sent by an application to remove a domain mapping from the NetLabel
	88	* system. The kernel should ACK this message.
	89	*
	90	* +-------------------+
	91	* \| domains (32 bits) \| ...
	92	* +-------------------+
	93	*
	94	* domains: the number of domains in the message
	95	*
	96	* +--------------------------+
	97	* \| domain string (variable) \| ...
	98	* +--------------------------+
	99	*
	100	* domain string: the domain string, NULL terminated
	101	*
	102	* o LIST:
	103	* This message can be sent either from an application or by the kernel in
	104	* response to an application generated LIST message. When sent by an
	105	* application there is no payload. The kernel should respond to a LIST
	106	* message either with a LIST message on success or an ACK message on
	107	* failure.
	108	*
	109	* +-------------------+
	110	* \| domains (32 bits) \| ...
	111	* +-------------------+
	112	*
	113	* domains: the number of domains in the message
	114	*
	115	* +--------------------------+
	116	* \| domain string (variable) \| ...
	117	* +--------------------------+
	118	*
	119	* +-------------------------+-------------- ---- --- -- -
	120	* \| protocol type (32 bits) \| mapping data ... repeated
	121	* +-------------------------+-------------- ---- --- -- -
	122	*
	123	* domain string: the domain string, NULL terminated
	124	* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
	125	* mapping data: specific to the map type (see below)
	126	*
	127	* NETLBL_NLTYPE_UNLABELED
	128	*
	129	* No mapping data for this protocol type.
	130	*
	131	* NETLBL_NLTYPE_CIPSOV4
	132	*
	133	* +----------------+---------------+
	134	* \| type (32 bits) \| doi (32 bits) \|
	135	* +----------------+---------------+
	136	*
	137	* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
	138	* as CIPSO_V4_MAP_*)
	139	* doi: the CIPSO DOI value
	140	*
	141	* o ADDDEF:
	142	* Sent by an application to set the default domain mapping for the NetLabel
	143	* system. The kernel should respond with an ACK.
	144	*
	145	* +-------------------------+-------------- ---- --- -- -
	146	* \| protocol type (32 bits) \| mapping data ... repeated
	147	* +-------------------------+-------------- ---- --- -- -
	148	*
	149	* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
	150	* mapping data: specific to the map type (see below)
	151	*
	152	* NETLBL_NLTYPE_UNLABELED
	153	*
	154	* No mapping data for this protocol type.
	155	*
	156	* NETLBL_NLTYPE_CIPSOV4
	157	*
	158	* +---------------+
	159	* \| doi (32 bits) \|
	160	* +---------------+
	161	*
	162	* doi: the CIPSO DOI value
	163	*
	164	* o REMOVEDEF:
	165	* Sent by an application to remove the default domain mapping from the
	166	* NetLabel system, there is no payload. The kernel should ACK this message.
	167	*
	168	* o LISTDEF:
	169	* This message can be sent either from an application or by the kernel in
	170	* response to an application generated LISTDEF message. When sent by an
	171	* application there is no payload. The kernel should respond to a
	172	* LISTDEF message either with a LISTDEF message on success or an ACK message
	173	* on failure.
	174	*
	175	* +-------------------------+-------------- ---- --- -- -
	176	* \| protocol type (32 bits) \| mapping data ... repeated
	177	* +-------------------------+-------------- ---- --- -- -
	178	*
	179	* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
	180	* mapping data: specific to the map type (see below)
	181	*
	182	* NETLBL_NLTYPE_UNLABELED
	183	*
	184	* No mapping data for this protocol type.
	185	*
	186	* NETLBL_NLTYPE_CIPSOV4
	187	*
	188	* +----------------+---------------+
	189	* \| type (32 bits) \| doi (32 bits) \|
	190	* +----------------+---------------+
	191	*
	192	* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
	193	* as CIPSO_V4_MAP_*)
	194	* doi: the CIPSO DOI value
	195	*
	196	* o MODULES:
	197	* Sent by an application to request a list of configured NetLabel modules
	198	* in the kernel. When sent by an application there is no payload.
	199	*
	200	* +-------------------+
	201	* \| modules (32 bits) \| ...
	202	* +-------------------+
	203	*
	204	* modules: the number of modules in the message, if this is an application
	205	* generated message and the value is zero then return a list of
	206	* the configured modules
	207	*
	208	* +------------------+
	209	* \| module (32 bits) \| ... repeated
	210	* +------------------+
	211	*
	212	* module: the module number as defined by NETLBL_NLTYPE_*
	213	*
	214	* o VERSION:
	215	* Sent by an application to request the NetLabel version string. When sent
	216	* by an application there is no payload. This message type is also used by
	217	* the kernel to respond to an VERSION request.
	218	*
	219	* +-------------------+
	220	* \| version (32 bits) \|
	221	* +-------------------+
	222	*
	223	* version: the protocol version number
	224	*
	225	*/
	226
	227	/* NetLabel Management commands */
	228	enum {
	229	NLBL_MGMT_C_UNSPEC,
	230	NLBL_MGMT_C_ACK,
	231	NLBL_MGMT_C_ADD,
	232	NLBL_MGMT_C_REMOVE,
	233	NLBL_MGMT_C_LIST,
	234	NLBL_MGMT_C_ADDDEF,
	235	NLBL_MGMT_C_REMOVEDEF,
	236	NLBL_MGMT_C_LISTDEF,
	237	NLBL_MGMT_C_MODULES,
	238	NLBL_MGMT_C_VERSION,
	239	__NLBL_MGMT_C_MAX,
	240	};
	241	#define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1)
	242
	243	/* NetLabel protocol functions */
	244	int netlbl_mgmt_genl_init(void);
	245
	246	#endif