root/net/netlabel/netlabel_cipso_v4.h



   1 /* SPDX-License-Identifier: GPL-2.0-or-later */
   2 /*
   3  * NetLabel CIPSO/IPv4 Support
   4  *
   5  * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
   6  * NetLabel system manages static and dynamic label mappings for network
   7  * protocols such as CIPSO and RIPSO.
   8  *
   9  * Author: Paul Moore <paul@paul-moore.com>
  10  */
  11 
  12 /*
  13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
  14  */
  15 
  16 #ifndef _NETLABEL_CIPSO_V4
  17 #define _NETLABEL_CIPSO_V4
  18 
  19 #include <net/netlabel.h>
  20 
  21 /*
  22  * The following NetLabel payloads are supported by the CIPSO subsystem.
  23  *
  24  * o ADD:
  25  *   Sent by an application to add a new DOI mapping table.
  26  *
  27  *   Required attributes:
  28  *
  29  *     NLBL_CIPSOV4_A_DOI
  30  *     NLBL_CIPSOV4_A_MTYPE
  31  *     NLBL_CIPSOV4_A_TAGLST
  32  *
  33  *   If using CIPSO_V4_MAP_TRANS the following attributes are required:
  34  *
  35  *     NLBL_CIPSOV4_A_MLSLVLLST
  36  *     NLBL_CIPSOV4_A_MLSCATLST
  37  *
  38  *   If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes
  39  *   are required.
  40  *
  41  * o REMOVE:
  42  *   Sent by an application to remove a specific DOI mapping table from the
  43  *   CIPSO V4 system.
  44  *
  45  *   Required attributes:
  46  *
  47  *     NLBL_CIPSOV4_A_DOI
  48  *
  49  * o LIST:
  50  *   Sent by an application to list the details of a DOI definition.  On
  51  *   success the kernel should send a response using the following format.
  52  *
   53  *   Required attributes (request):
  54  *
  55  *     NLBL_CIPSOV4_A_DOI
  56  *
  57  *   The valid response message format depends on the type of the DOI mapping,
  58  *   the defined formats are shown below.
  59  *
   60  *   Required attributes (response):
  61  *
  62  *     NLBL_CIPSOV4_A_MTYPE
  63  *     NLBL_CIPSOV4_A_TAGLST
  64  *
  65  *   If using CIPSO_V4_MAP_TRANS the following attributes are required:
  66  *
  67  *     NLBL_CIPSOV4_A_MLSLVLLST
  68  *     NLBL_CIPSOV4_A_MLSCATLST
  69  *
  70  *   If using CIPSO_V4_MAP_PASS or CIPSO_V4_MAP_LOCAL no additional attributes
  71  *   are required.
  72  *
  73  * o LISTALL:
  74  *   This message is sent by an application to list the valid DOIs on the
  75  *   system.  When sent by an application there is no payload and the
  76  *   NLM_F_DUMP flag should be set.  The kernel should respond with a series of
  77  *   the following messages.
  78  *
  79  *   Required attributes:
  80  *
  81  *    NLBL_CIPSOV4_A_DOI
  82  *    NLBL_CIPSOV4_A_MTYPE
  83  *
  84  */
  85 
   86 /* NetLabel CIPSOv4 commands
       *
       * No enumerator has an explicit value, so they count up from
       * NLBL_CIPSOV4_C_UNSPEC (0); __NLBL_CIPSOV4_C_MAX is last and is therefore
       * one more than the highest command.
       *
       * NOTE(review): per the payload description in this header, ADD and REMOVE
       * create and delete DOI mapping tables, i.e. they change how traffic is
       * labeled.  Nothing in this header restricts who may send them - confirm
       * that the Generic Netlink operations registered for these commands are
       * limited to privileged callers (e.g. GENL_ADMIN_PERM). */
   87 enum {
   88         NLBL_CIPSOV4_C_UNSPEC,
   89         NLBL_CIPSOV4_C_ADD,
   90         NLBL_CIPSOV4_C_REMOVE,
   91         NLBL_CIPSOV4_C_LIST,
   92         NLBL_CIPSOV4_C_LISTALL,
   93         __NLBL_CIPSOV4_C_MAX,
   94 };
  95 
   96 /* NetLabel CIPSOv4 attributes
       *
       * Each enumerator is documented by the comment that follows it: the netlink
       * attribute type in parentheses, then its meaning.  Values count up from
       * NLBL_CIPSOV4_A_UNSPEC (0).
       *
       * NOTE(review): the "at least one" / "only one" rules on the nested
       * attributes below are stated here as documentation only; nothing in this
       * header enforces them.  The code that parses these messages has to check
       * them itself rather than trust the sender - confirm against the
       * handlers. */
   97 enum {
   98         NLBL_CIPSOV4_A_UNSPEC,
   99         NLBL_CIPSOV4_A_DOI,
  100         /* (NLA_U32)
  101          * the DOI value */
  102         NLBL_CIPSOV4_A_MTYPE,
  103         /* (NLA_U32)
  104          * the mapping table type (defined in the cipso_ipv4.h header as
  105          * CIPSO_V4_MAP_*) */
  106         NLBL_CIPSOV4_A_TAG,
  107         /* (NLA_U8)
  108          * a CIPSO tag type, meant to be used within a NLBL_CIPSOV4_A_TAGLST
  109          * attribute */
  110         NLBL_CIPSOV4_A_TAGLST,
  111         /* (NLA_NESTED)
  112          * the CIPSO tag list for the DOI, there must be at least one
  113          * NLBL_CIPSOV4_A_TAG attribute, tags listed first are given higher
  114          * priority when sending packets */
  115         NLBL_CIPSOV4_A_MLSLVLLOC,
  116         /* (NLA_U32)
  117          * the local MLS sensitivity level */
  118         NLBL_CIPSOV4_A_MLSLVLREM,
  119         /* (NLA_U32)
  120          * the remote MLS sensitivity level */
  121         NLBL_CIPSOV4_A_MLSLVL,
  122         /* (NLA_NESTED)
  123          * a MLS sensitivity level mapping, must contain only one attribute of
  124          * each of the following types: NLBL_CIPSOV4_A_MLSLVLLOC and
  125          * NLBL_CIPSOV4_A_MLSLVLREM */
  126         NLBL_CIPSOV4_A_MLSLVLLST,
  127         /* (NLA_NESTED)
  128          * the CIPSO level mappings, there must be at least one
  129          * NLBL_CIPSOV4_A_MLSLVL attribute */
  130         NLBL_CIPSOV4_A_MLSCATLOC,
  131         /* (NLA_U32)
  132          * the local MLS category */
  133         NLBL_CIPSOV4_A_MLSCATREM,
  134         /* (NLA_U32)
  135          * the remote MLS category */
  136         NLBL_CIPSOV4_A_MLSCAT,
  137         /* (NLA_NESTED)
  138          * a MLS category mapping, must contain only one attribute of each of
  139          * the following types: NLBL_CIPSOV4_A_MLSCATLOC and
  140          * NLBL_CIPSOV4_A_MLSCATREM */
  141         NLBL_CIPSOV4_A_MLSCATLST,
  142         /* (NLA_NESTED)
  143          * the CIPSO category mappings, there must be at least one
  144          * NLBL_CIPSOV4_A_MLSCAT attribute */
  145         __NLBL_CIPSOV4_A_MAX,
  146 };
      /* Highest valid attribute number: the trailing sentinel minus one.
       * NOTE(review): presumably attribute and policy tables are sized as
       * NLBL_CIPSOV4_A_MAX + 1 - confirm at the use sites, since indexing such a
       * table with an unchecked attribute type would read out of bounds. */
  147 #define NLBL_CIPSOV4_A_MAX (__NLBL_CIPSOV4_A_MAX - 1)
 148 
  149 /* NetLabel protocol functions
       *
       * Only declared here; the definitions are outside this header.
       * NOTE(review): going by its name, netlbl_cipsov4_genl_init() sets up the
       * CIPSOv4 Generic Netlink component, and the int return is presumably 0 or
       * a negative errno - confirm against the definition, and check that
       * callers do not ignore a failure. */
  150 int netlbl_cipsov4_genl_init(void);
  151 
  152 /* Free the memory associated with a CIPSOv4 DOI definition.
       *
       * NOTE(review): the struct rcu_head * parameter matches the shape of an RCU
       * callback, so this is presumably run after a grace period rather than
       * called directly - confirm at the call sites.  Freeing a DOI definition
       * while readers can still reach it would be a use-after-free. */
  153 void netlbl_cipsov4_doi_free(struct rcu_head *entry);
 154 
 155 #endif
