1 files changed, 246 insertions, 0 deletions
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
new file mode 100644
index 000000000000..59406e0dc5b2
--- /dev/null
+++ b/include/net/cipso_ipv4.h
@@ -0,0 +1,246 @@
+/*
+ * CIPSO - Commercial IP Security Option
+ *
+ * This is an implementation of the CIPSO 2.2 protocol as specified in
+ * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
+ * FIPS-188, copies of both documents can be found in the Documentation
+ * directory.  While CIPSO never became a full IETF RFC standard many vendors
+ * have chosen to adopt the protocol and over the years it has become a
+ * de-facto standard for labeled networking.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+#ifndef _CIPSO_IPV4_H
+#define _CIPSO_IPV4_H
+#include <linux/types.h>
+#include <linux/rcupdate.h>
+#include <linux/list.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <net/netlabel.h>
+/* known doi values */
+#define CIPSO_V4_DOI_UNKNOWN          0x00000000
+/* tag types */
+#define CIPSO_V4_TAG_INVALID          0
+#define CIPSO_V4_TAG_RBITMAP          1
+#define CIPSO_V4_TAG_ENUM             2
+#define CIPSO_V4_TAG_RANGE            5
+#define CIPSO_V4_TAG_PBITMAP          6
+#define CIPSO_V4_TAG_FREEFORM         7
+/* doi mapping types */
+#define CIPSO_V4_MAP_UNKNOWN          0
+#define CIPSO_V4_MAP_STD              1
+#define CIPSO_V4_MAP_PASS             2
+/* limits */
+#define CIPSO_V4_MAX_REM_LVLS         256
+#define CIPSO_V4_INV_LVL              0x80000000
+#define CIPSO_V4_MAX_LOC_LVLS         (CIPSO_V4_INV_LVL - 1)
+#define CIPSO_V4_MAX_REM_CATS         65536
+#define CIPSO_V4_INV_CAT              0x80000000
+#define CIPSO_V4_MAX_LOC_CATS         (CIPSO_V4_INV_CAT - 1)
+/*
+ * CIPSO DOI definitions
+ */
+/* DOI definition struct */
+#define CIPSO_V4_TAG_MAXCNT           5
+struct cipso_v4_doi {
+        u32 doi;
+        u32 type;
+        union {
+                struct cipso_v4_std_map_tbl *std;
+        } map;
+        u8 tags[CIPSO_V4_TAG_MAXCNT];
+        u32 valid;
+        struct list_head list;
+        struct rcu_head rcu;
+        struct list_head dom_list;
+};
+/* Standard CIPSO mapping table */
+/* NOTE: the highest order bit (i.e. 0x80000000) is an 'invalid' flag, if the
+ *       bit is set then consider that value as unspecified, meaning the
+ *       mapping for that particular level/category is invalid */
+struct cipso_v4_std_map_tbl {
+        struct {
+                u32 *cipso;
+                u32 *local;
+                u32 cipso_size;
+                u32 local_size;
+        } lvl;
+        struct {
+                u32 *cipso;
+                u32 *local;
+                u32 cipso_size;
+                u32 local_size;
+        } cat;
+};
+/*
+ * Sysctl Variables
+ */
+#ifdef CONFIG_NETLABEL
+extern int cipso_v4_cache_enabled;
+extern int cipso_v4_cache_bucketsize;
+extern int cipso_v4_rbm_optfmt;
+extern int cipso_v4_rbm_strictvalid;
+#endif
+/*
+ * Helper Functions
+ */
+#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
+#define CIPSO_V4_OPTPTR(x) ((x)->nh.raw + IPCB(x)->opt.cipso)
+/*
+ * DOI List Functions
+ */
+#ifdef CONFIG_NETLABEL
+int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
+int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head));
+struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
+struct sk_buff *cipso_v4_doi_dump_all(size_t headroom);
+struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom);
+int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def, const char *domain);
+int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
+                               const char *domain);
+#else
+static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
+{
+        return -ENOSYS;
+}
+static inline int cipso_v4_doi_remove(u32 doi,
+                                    void (*callback) (struct rcu_head * head))
+{
+        return 0;
+}
+static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
+{
+        return NULL;
+}
+static inline struct sk_buff *cipso_v4_doi_dump_all(size_t headroom)
+{
+        return NULL;
+}
+static inline struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom)
+{
+        return NULL;
+}
+static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
+                                          const char *domain)
+{
+        return -ENOSYS;
+}
+static inline int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
+                                             const char *domain)
+{
+        return 0;
+}
+#endif /* CONFIG_NETLABEL */
+/*
+ * Label Mapping Cache Functions
+ */
+#ifdef CONFIG_NETLABEL
+void cipso_v4_cache_invalidate(void);
+int cipso_v4_cache_add(const struct sk_buff *skb,
+                       const struct netlbl_lsm_secattr *secattr);
+#else
+static inline void cipso_v4_cache_invalidate(void)
+{
+        return;
+}
+static inline int cipso_v4_cache_add(const struct sk_buff *skb,
+                                     const struct netlbl_lsm_secattr *secattr)
+{
+        return 0;
+}
+#endif /* CONFIG_NETLABEL */
+/*
+ * Protocol Handling Functions
+ */
+#ifdef CONFIG_NETLABEL
+void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
+int cipso_v4_socket_setattr(const struct socket *sock,
+                            const struct cipso_v4_doi *doi_def,
+                            const struct netlbl_lsm_secattr *secattr);
+int cipso_v4_socket_getattr(const struct socket *sock,
+                            struct netlbl_lsm_secattr *secattr);
+int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
+                            struct netlbl_lsm_secattr *secattr);
+int cipso_v4_validate(unsigned char **option);
+#else
+static inline void cipso_v4_error(struct sk_buff *skb,
+                                  int error,
+                                  u32 gateway)
+{
+        return;
+}
+static inline int cipso_v4_socket_setattr(const struct socket *sock,
+                                  const struct cipso_v4_doi *doi_def,
+                                  const struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOSYS;
+}
+static inline int cipso_v4_socket_getattr(const struct socket *sock,
+                                          struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOSYS;
+}
+static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
+                                          struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOSYS;
+}
+static inline int cipso_v4_validate(unsigned char **option)
+{
+        return -ENOSYS;
+}
+#endif /* CONFIG_NETLABEL */
+#endif /* _CIPSO_IPV4_H */

diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h new file mode 100644 index 000000000000..59406e0dc5b2 --- /dev/null +++ b/include/net/cipso_ipv4.h
@@ -0,0 +1,246 @@
	1	/*
	2	* CIPSO - Commercial IP Security Option
	3	*
	4	* This is an implementation of the CIPSO 2.2 protocol as specified in
	5	* draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
	6	* FIPS-188, copies of both documents can be found in the Documentation
	7	* directory. While CIPSO never became a full IETF RFC standard many vendors
	8	* have chosen to adopt the protocol and over the years it has become a
	9	* de-facto standard for labeled networking.
	10	*
	11	* Author: Paul Moore <paul.moore@hp.com>
	12	*
	13	*/
	14
	15	/*
	16	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
	17	*
	18	* This program is free software; you can redistribute it and/or modify
	19	* it under the terms of the GNU General Public License as published by
	20	* the Free Software Foundation; either version 2 of the License, or
	21	* (at your option) any later version.
	22	*
	23	* This program is distributed in the hope that it will be useful,
	24	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	25	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	26	* the GNU General Public License for more details.
	27	*
	28	* You should have received a copy of the GNU General Public License
	29	* along with this program; if not, write to the Free Software
	30	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	31	*
	32	*/
	33
	34	#ifndef _CIPSO_IPV4_H
	35	#define _CIPSO_IPV4_H
	36
	37	#include <linux/types.h>
	38	#include <linux/rcupdate.h>
	39	#include <linux/list.h>
	40	#include <linux/net.h>
	41	#include <linux/skbuff.h>
	42	#include <net/netlabel.h>
	43
	44	/* known doi values */
	45	#define CIPSO_V4_DOI_UNKNOWN 0x00000000
	46
	47	/* tag types */
	48	#define CIPSO_V4_TAG_INVALID 0
	49	#define CIPSO_V4_TAG_RBITMAP 1
	50	#define CIPSO_V4_TAG_ENUM 2
	51	#define CIPSO_V4_TAG_RANGE 5
	52	#define CIPSO_V4_TAG_PBITMAP 6
	53	#define CIPSO_V4_TAG_FREEFORM 7
	54
	55	/* doi mapping types */
	56	#define CIPSO_V4_MAP_UNKNOWN 0
	57	#define CIPSO_V4_MAP_STD 1
	58	#define CIPSO_V4_MAP_PASS 2
	59
	60	/* limits */
	61	#define CIPSO_V4_MAX_REM_LVLS 256
	62	#define CIPSO_V4_INV_LVL 0x80000000
	63	#define CIPSO_V4_MAX_LOC_LVLS (CIPSO_V4_INV_LVL - 1)
	64	#define CIPSO_V4_MAX_REM_CATS 65536
	65	#define CIPSO_V4_INV_CAT 0x80000000
	66	#define CIPSO_V4_MAX_LOC_CATS (CIPSO_V4_INV_CAT - 1)
	67
	68	/*
	69	* CIPSO DOI definitions
	70	*/
	71
	72	/* DOI definition struct */
	73	#define CIPSO_V4_TAG_MAXCNT 5
	74	struct cipso_v4_doi {
	75	u32 doi;
	76	u32 type;
	77	union {
	78	struct cipso_v4_std_map_tbl *std;
	79	} map;
	80	u8 tags[CIPSO_V4_TAG_MAXCNT];
	81
	82	u32 valid;
	83	struct list_head list;
	84	struct rcu_head rcu;
	85	struct list_head dom_list;
	86	};
	87
	88	/* Standard CIPSO mapping table */
	89	/* NOTE: the highest order bit (i.e. 0x80000000) is an 'invalid' flag, if the
	90	* bit is set then consider that value as unspecified, meaning the
	91	* mapping for that particular level/category is invalid */
	92	struct cipso_v4_std_map_tbl {
	93	struct {
	94	u32 *cipso;
	95	u32 *local;
	96	u32 cipso_size;
	97	u32 local_size;
	98	} lvl;
	99	struct {
	100	u32 *cipso;
	101	u32 *local;
	102	u32 cipso_size;
	103	u32 local_size;
	104	} cat;
	105	};
	106
	107	/*
	108	* Sysctl Variables
	109	*/
	110
	111	#ifdef CONFIG_NETLABEL
	112	extern int cipso_v4_cache_enabled;
	113	extern int cipso_v4_cache_bucketsize;
	114	extern int cipso_v4_rbm_optfmt;
	115	extern int cipso_v4_rbm_strictvalid;
	116	#endif
	117
	118	/*
	119	* Helper Functions
	120	*/
	121
	122	#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
	123	#define CIPSO_V4_OPTPTR(x) ((x)->nh.raw + IPCB(x)->opt.cipso)
	124
	125	/*
	126	* DOI List Functions
	127	*/
	128
	129	#ifdef CONFIG_NETLABEL
	130	int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
	131	int cipso_v4_doi_remove(u32 doi, void (callback) (struct rcu_head head));
	132	struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
	133	struct sk_buff *cipso_v4_doi_dump_all(size_t headroom);
	134	struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom);
	135	int cipso_v4_doi_domhsh_add(struct cipso_v4_doi doi_def, const char domain);
	136	int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
	137	const char *domain);
	138	#else
	139	static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
	140	{
	141	return -ENOSYS;
	142	}
	143
	144	static inline int cipso_v4_doi_remove(u32 doi,
	145	void (callback) (struct rcu_head head))
	146	{
	147	return 0;
	148	}
	149
	150	static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
	151	{
	152	return NULL;
	153	}
	154
	155	static inline struct sk_buff *cipso_v4_doi_dump_all(size_t headroom)
	156	{
	157	return NULL;
	158	}
	159
	160	static inline struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom)
	161	{
	162	return NULL;
	163	}
	164
	165	static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
	166	const char *domain)
	167	{
	168	return -ENOSYS;
	169	}
	170
	171	static inline int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
	172	const char *domain)
	173	{
	174	return 0;
	175	}
	176	#endif /* CONFIG_NETLABEL */
	177
	178	/*
	179	* Label Mapping Cache Functions
	180	*/
	181
	182	#ifdef CONFIG_NETLABEL
	183	void cipso_v4_cache_invalidate(void);
	184	int cipso_v4_cache_add(const struct sk_buff *skb,
	185	const struct netlbl_lsm_secattr *secattr);
	186	#else
	187	static inline void cipso_v4_cache_invalidate(void)
	188	{
	189	return;
	190	}
	191
	192	static inline int cipso_v4_cache_add(const struct sk_buff *skb,
	193	const struct netlbl_lsm_secattr *secattr)
	194	{
	195	return 0;
	196	}
	197	#endif /* CONFIG_NETLABEL */
	198
	199	/*
	200	* Protocol Handling Functions
	201	*/
	202
	203	#ifdef CONFIG_NETLABEL
	204	void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
	205	int cipso_v4_socket_setattr(const struct socket *sock,
	206	const struct cipso_v4_doi *doi_def,
	207	const struct netlbl_lsm_secattr *secattr);
	208	int cipso_v4_socket_getattr(const struct socket *sock,
	209	struct netlbl_lsm_secattr *secattr);
	210	int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
	211	struct netlbl_lsm_secattr *secattr);
	212	int cipso_v4_validate(unsigned char **option);
	213	#else
	214	static inline void cipso_v4_error(struct sk_buff *skb,
	215	int error,
	216	u32 gateway)
	217	{
	218	return;
	219	}
	220
	221	static inline int cipso_v4_socket_setattr(const struct socket *sock,
	222	const struct cipso_v4_doi *doi_def,
	223	const struct netlbl_lsm_secattr *secattr)
	224	{
	225	return -ENOSYS;
	226	}
	227
	228	static inline int cipso_v4_socket_getattr(const struct socket *sock,
	229	struct netlbl_lsm_secattr *secattr)
	230	{
	231	return -ENOSYS;
	232	}
	233
	234	static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
	235	struct netlbl_lsm_secattr *secattr)
	236	{
	237	return -ENOSYS;
	238	}
	239
	240	static inline int cipso_v4_validate(unsigned char **option)
	241	{
	242	return -ENOSYS;
	243	}
	244	#endif /* CONFIG_NETLABEL */
	245
	246	#endif /* _CIPSO_IPV4_H */