/** @file
 * NetLabel userspace configuration library API.
 *
 * The Linux NetLabel subsystem manages network security labels for explicit
 * labeling protocols such as CIPSO as well as static security labels for
 * "unlabeled" network traffic.  More information on NetLabel can be found at
 * the NetLabel SourceForge project site, http://netlabel.sf.net.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef _LIBNETLABEL_H
#define _LIBNETLABEL_H

#include <sys/types.h>
#include <linux/types.h>
#include <netinet/in.h>
#include <netlink/netlink.h>
#include <netlink/msg.h>
#include <netlink/attr.h>

#include <netlabel.h>

/*
 * Types
 */

/* General Types */

/**
 * NetLabel communications handle
 *
 * Handle used for communicating with the NetLabel subsystem in the kernel via
 * generic netlink.  The type is declared incomplete in this header, so callers
 * only ever hold pointers to it: obtain one with nlbl_comm_open() and release
 * it with nlbl_comm_close().
 *
 */
struct nlbl_handle;

/**
 * NetLabel message
 *
 * NetLabel type used for sending and receiving messages with the NetLabel
 * kernel subsystem.  It is an alias for libnl's "struct nl_msg"; allocate with
 * nlbl_msg_new(), release with nlbl_msg_free(), and inspect with the
 * nlbl_msg_*() and nlbl_attr_*() helpers declared below.
 *
 */
typedef struct nl_msg nlbl_msg;

/**
 * NetLabel labeling protocol
 *
 * NetLabel type used to specify network labeling protocols.  The valid values
 * are not enumerated in this header; presumably they are the NETLBL_NLTYPE_*
 * constants from <netlabel.h> -- confirm against that header.
 *
 */
typedef uint32_t nlbl_proto;

/**
 * NetLabel network device
 *
 * NetLabel type used to specify network interfaces.  Note that this typedef
 * hides a pointer: a value is a "char *" (presumably a NUL-terminated
 * interface name -- confirm), so copying it does not copy the string and
 * ownership of the string is not specified here.
 *
 */
typedef char *nlbl_netdev;

/**
 * NetLabel network address structure
 * @param type address family; selects which member of @p addr and @p mask is
 *             valid (presumably AF_INET or AF_INET6 -- confirm against the
 *             implementation)
 * @param addr.v4 IPv4 address
 * @param addr.v6 IPv6 address
 * @param mask.v4 IPv4 address mask
 * @param mask.v6 IPv6 address mask
 *
 * NetLabel type used to represent IP addresses.  It can represent both single
 * hosts and entire networks using both IPv4 and IPv6.
 *
 * NOTE(review): @p type is a signed "short" here while struct nlbl_dommap
 * carries its address family as "uint16_t"; compare the two with care.
 *
 */
struct nlbl_netaddr {
	short type;
	union {
		struct in_addr v4;	/* valid when type selects IPv4 */
		struct in6_addr v6;	/* valid when type selects IPv6 */
	} addr;
	union {
		struct in_addr v4;	/* mask applied to addr.v4 */
		struct in6_addr v6;	/* mask applied to addr.v6 */
	} mask;
};

/**
 * NetLabel security label
 *
 * NetLabel type used to represent security labels.  NetLabel itself does not
 * interpret the security labels, the individual LSMs are used to parse and
 * interpret the security labels.  This typedef hides a pointer: a value is a
 * "char *" (presumably a NUL-terminated LSM context string -- confirm), and
 * ownership of the string is not specified here.
 *
 */
typedef char *nlbl_secctx;

/* CIPSO Types */

/**
 * NetLabel CIPSO Domain Of Interpretation (DOI) value
 *
 * NetLabel type used to represent a CIPSO Domain of Interpretation (DOI).
 * A DOI identifies one CIPSO configuration; see nlbl_cipso_add_*(),
 * nlbl_cipso_del() and nlbl_cipso_list() below.
 *
 */
typedef uint32_t nlbl_cip_doi;

/**
 * NetLabel CIPSO mapping type
 *
 * NetLabel type used to represent the CIPSO security label mapping method.
 * The three add functions below (nlbl_cipso_add_trans(), nlbl_cipso_add_pass()
 * and nlbl_cipso_add_local()) correspond to the mapping methods; the numeric
 * values are not defined in this header.
 *
 */
typedef uint32_t nlbl_cip_mtype;

/**
 * NetLabel CIPSO tag type
 *
 * NetLabel type used to represent CIPSO tag types.  It is a single byte; the
 * valid tag numbers are not defined in this header.
 *
 */
typedef uint8_t nlbl_cip_tag;

/**
 * NetLabel CIPSO tag array
 * @param array array of tag types
 * @param size size of array (presumably the element count -- confirm, the
 *             distinction from a byte count does not matter for one-byte tags
 *             but callers may reuse the idiom for the level/category arrays)
 *
 * NetLabel type used to represent an array of CIPSO tags in decreasing order
 * of preference.  Ownership of @p array is not specified here.
 *
 */
struct nlbl_cip_tag_a {
	nlbl_cip_tag *array;
	size_t size;
};

/**
 * NetLabel CIPSO MLS level
 *
 * NetLabel type used to represent the CIPSO MLS sensitivity level.  Whether
 * this is a local (LSM) level or an on-the-wire level depends on where it is
 * used; the header does not say.
 *
 */
typedef uint32_t nlbl_cip_lvl;

/**
 * NetLabel CIPSO MLS level array
 * @param array array of MLS levels
 * @param size size of array (presumably the element count, not the byte
 *             count -- confirm with the implementation)
 *
 * NetLabel type used to represent an array of CIPSO MLS sensitivity levels.
 * Ownership of @p array is not specified here.
 *
 */
struct nlbl_cip_lvl_a {
	nlbl_cip_lvl *array;
	size_t size;
};

/**
 * NetLabel CIPSO MLS category
 *
 * NetLabel type used to represent the CIPSO MLS category/compartment.  As with
 * nlbl_cip_lvl, whether a value is local or on-the-wire depends on context.
 *
 */
typedef uint32_t nlbl_cip_cat;

/**
 * NetLabel CIPSO MLS category array
 * @param array array of MLS categories
 * @param size size of array (presumably the element count, not the byte
 *             count -- confirm with the implementation)
 *
 * NetLabel type used to represent an array of CIPSO MLS categories.
 * Ownership of @p array is not specified here.
 *
 */
struct nlbl_cip_cat_a {
	nlbl_cip_cat *array;
	size_t size;
};

/* CALIPSO Types */

/**
 * NetLabel CALIPSO Domain Of Interpretation (DOI) value
 *
 * NetLabel type used to represent a CALIPSO Domain of Interpretation (DOI).
 * A DOI identifies one CALIPSO configuration; see nlbl_calipso_add_pass(),
 * nlbl_calipso_del() and nlbl_calipso_list() below.
 *
 */
typedef uint32_t nlbl_clp_doi;

/**
 * NetLabel CALIPSO mapping type
 *
 * NetLabel type used to represent the CALIPSO security label mapping method.
 * Only a pass-through add function (nlbl_calipso_add_pass()) is declared in
 * this header; the numeric values are not defined here.
 *
 */
typedef uint32_t nlbl_clp_mtype;

/* NetLabel and LSM Mapping Types */

/**
 * NetLabel IP address selector structure
 * @param addr IP address, a host or a network (see struct nlbl_netaddr)
 * @param proto_type labeling protocol; selects the valid member of @p proto
 * @param proto.cip_doi CIPSO DOI
 * @param proto.clp_doi CALIPSO DOI
 * @param next next address selector; the entries form a singly linked list
 *
 * NetLabel type used to map IP addresses to labeling protocol configurations.
 * How the list is terminated and who owns the nodes is not specified here;
 * presumably @p next is NULL on the last entry -- confirm with the
 * implementation before walking or freeing a list.
 *
 */
struct nlbl_dommap_addr {
	struct nlbl_netaddr addr;
	nlbl_proto proto_type;
	union {
		nlbl_cip_doi cip_doi;	/* valid when proto_type is CIPSO */
		nlbl_clp_doi clp_doi;	/* valid when proto_type is CALIPSO */
	} proto;

	struct nlbl_dommap_addr *next;
};

/**
 * NetLabel LSM/Domain mapping structure
 * @param domain LSM domain (a "char *"; presumably a NUL-terminated string,
 *               ownership not specified here)
 * @param family address family
 * @param proto_type labeling protocol; selects the valid member of @p proto
 * @param proto.cip_doi CIPSO DOI
 * @param proto.clp_doi CALIPSO DOI
 * @param proto.addrsel IP address selector(s), a list of
 *                      struct nlbl_dommap_addr
 *
 * NetLabel type used to map LSM domains to labeling protocol configurations.
 * Which @p proto_type value selects @p proto.addrsel is not defined in this
 * header -- confirm against <netlabel.h> and the implementation.
 *
 */
struct nlbl_dommap {
	char *domain;
	uint16_t family;
	nlbl_proto proto_type;
	union {
		nlbl_cip_doi cip_doi;		/* valid when proto_type is CIPSO */
		nlbl_clp_doi clp_doi;		/* valid when proto_type is CALIPSO */
		struct nlbl_dommap_addr *addrsel;	/* per-address selection */
	} proto;
};

/**
 * NetLabel network address mapping structure
 * @param dev network device (a "char *" behind the nlbl_netdev typedef)
 * @param addr network address, a host or a network
 * @param label security label (a "char *" behind the nlbl_secctx typedef)
 *
 * NetLabel type used to map network interfaces and addresses to security
 * labels.  Ownership of the two strings is not specified here; confirm with
 * the implementation before freeing entries returned by
 * nlbl_unlbl_staticlist() or nlbl_unlbl_staticlistdef().
 *
 */
struct nlbl_addrmap {
	nlbl_netdev dev;
	struct nlbl_netaddr addr;
	nlbl_secctx label;
};

/*
 * Functions
 */

/* Initialization and Termination */

/**
 * Initialize the NetLabel library
 * @return status code; the convention is not stated in this header,
 *         presumably 0 on success -- confirm with the implementation
 *
 * Intended to be paired with nlbl_exit() at shutdown.
 */
int nlbl_init(void);
/**
 * Tear down whatever library-wide state nlbl_init() set up
 */
void nlbl_exit(void);

/* Low Level Communications */

/* Communications Control */
/**
 * Set the NetLabel communications timeout
 * @param seconds timeout in seconds; the meaning of zero is not specified here
 *
 * Takes no handle argument, so the setting appears to be library-wide rather
 * than per-handle -- confirm with the implementation.
 */
void nlbl_comm_timeout(uint32_t seconds);

/* Raw NetLabel I/O API */
/**
 * Open a NetLabel communications handle
 * @return a new handle, presumably NULL on failure (confirm); release it with
 *         nlbl_comm_close()
 */
struct nlbl_handle *nlbl_comm_open(void);
/**
 * Close a NetLabel communications handle
 * @param hndl handle returned by nlbl_comm_open()
 * @return status code; convention not stated in this header
 */
int nlbl_comm_close(struct nlbl_handle *hndl);
/**
 * Receive a NetLabel message
 * @param hndl communications handle
 * @param msg receives the message; allocation and ownership of the returned
 *            nlbl_msg are not specified here (presumably the caller releases
 *            it with nlbl_msg_free() -- confirm)
 * @return status code; convention not stated in this header
 */
int nlbl_comm_recv(struct nlbl_handle *hndl, nlbl_msg **msg);
/**
 * Receive a raw NetLabel message buffer
 * @param hndl communications handle
 * @param data receives the raw message bytes
 * @return status code; convention not stated in this header
 *
 * No separate length parameter exists, so the byte count must come from the
 * return value or the buffer itself -- confirm which.  Callers should not
 * assume any terminator and should bound every access to @p data by that
 * length.  Ownership of the buffer is not specified here.
 */
int nlbl_comm_recv_raw(struct nlbl_handle *hndl, unsigned char **data);
/**
 * Send a NetLabel message
 * @param hndl communications handle
 * @param msg message to send, typically built with nlbl_msg_new()
 * @return status code; convention not stated in this header
 */
int nlbl_comm_send(struct nlbl_handle *hndl, nlbl_msg *msg);

/* Message Handling */
/**
 * Allocate a new NetLabel message
 * @return new message, presumably NULL on allocation failure (confirm);
 *         release it with nlbl_msg_free()
 */
nlbl_msg *nlbl_msg_new(void);
/**
 * Free a NetLabel message
 * @param msg message from nlbl_msg_new() or nlbl_comm_recv()
 */
void nlbl_msg_free(nlbl_msg *msg);
/**
 * Get the netlink header of a NetLabel message
 * @param msg message
 * @return pointer to the netlink header; what is returned for a message too
 *         short to hold one is not specified here, so check for NULL
 */
struct nlmsghdr *nlbl_msg_nlhdr(nlbl_msg *msg);
/**
 * Get the generic netlink header of a NetLabel message
 * @param msg message
 * @return pointer to the generic netlink header, or presumably NULL when the
 *         message does not carry one -- confirm
 */
struct genlmsghdr *nlbl_msg_genlhdr(nlbl_msg *msg);
/**
 * Get the netlink error payload of a NetLabel message
 * @param msg message
 * @return pointer to the error payload, or presumably NULL when the message
 *         is not an error message -- confirm
 */
struct nlmsgerr *nlbl_msg_err(nlbl_msg *msg);

/* Attribute Handling */
/**
 * Get the first attribute of a NetLabel message
 * @param msg message
 * @return pointer to the first attribute; what is returned for a message with
 *         no attribute space is not specified here, so check for NULL
 */
struct nlattr *nlbl_attr_head(nlbl_msg *msg);
/**
 * Find an attribute in a NetLabel message by type
 * @param msg message
 * @param nla_type netlink attribute type to look for
 * @return the matching attribute, or presumably NULL if absent -- confirm.
 *         Attribute payload lengths come from the kernel; read them through
 *         the libnl nla_*() accessors rather than trusting the raw buffer.
 */
struct nlattr *nlbl_attr_find(nlbl_msg *msg, int nla_type);

/* Configuration Operations */

/* Management */
/**
 * Query the kernel NetLabel protocol version
 * @param hndl communications handle
 * @param version receives the version
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_version(struct nlbl_handle *hndl, uint32_t *version);
/**
 * Query the labeling protocols supported by the kernel
 * @param hndl communications handle
 * @param protocols receives an array of protocols; there is no count
 *                  parameter, so the element count presumably comes from the
 *                  return value -- confirm, as does ownership of the array
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_protocols(struct nlbl_handle *hndl, nlbl_proto **protocols);
/**
 * Add a domain mapping
 * @param hndl communications handle
 * @param domain mapping to add
 * @param addr address selector; whether NULL is accepted is not stated here
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_add(struct nlbl_handle *hndl,
		  struct nlbl_dommap *domain,
		  struct nlbl_netaddr *addr);
/**
 * Add the default domain mapping
 * @param hndl communications handle
 * @param domain mapping to install as the default
 * @param addr address selector; whether NULL is accepted is not stated here
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_adddef(struct nlbl_handle *hndl,
		     struct nlbl_dommap *domain,
		     struct nlbl_netaddr *addr);
/**
 * Remove a domain mapping
 * @param hndl communications handle
 * @param domain LSM domain to remove (declared non-const; treat the string as
 *               input only unless the implementation says otherwise)
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_del(struct nlbl_handle *hndl, char *domain);
/**
 * Remove the default domain mapping
 * @param hndl communications handle
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_deldef(struct nlbl_handle *hndl);
/**
 * List all domain mappings
 * @param hndl communications handle
 * @param domains receives an array of mappings; there is no count parameter,
 *                so the element count presumably comes from the return value
 *                -- confirm, as does ownership of the array and its strings
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_listall(struct nlbl_handle *hndl, struct nlbl_dommap **domains);
/**
 * Query the default domain mapping for an address family
 * @param hndl communications handle
 * @param family address family
 * @param domain caller-provided mapping to fill in
 * @return status code; convention not stated in this header
 */
int nlbl_mgmt_listdef(struct nlbl_handle *hndl, uint16_t family,
		      struct nlbl_dommap *domain);

/* Unlabeled Traffic */
/**
 * Set whether unlabeled traffic is accepted
 * @param hndl communications handle
 * @param allow_flag new setting; which values mean "accept" is not defined in
 *                   this header -- confirm (presumably non-zero enables)
 * @return status code; convention not stated in this header
 *
 * This changes kernel-wide policy for packets carrying no label, so callers
 * should treat it as a privileged configuration change.
 */
int nlbl_unlbl_accept(struct nlbl_handle *hndl, uint8_t allow_flag);
/**
 * Query whether unlabeled traffic is accepted
 * @param hndl communications handle
 * @param allow_flag receives the current setting
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_list(struct nlbl_handle *hndl, uint8_t *allow_flag);
/**
 * Add a static label for unlabeled traffic on an interface
 * @param hndl communications handle
 * @param dev network interface name
 * @param addr address or network the label applies to
 * @param label security label to assign
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticadd(struct nlbl_handle *hndl,
			 nlbl_netdev dev,
			 struct nlbl_netaddr *addr,
			 nlbl_secctx label);
/**
 * Add a static label for unlabeled traffic on the default interface
 * @param hndl communications handle
 * @param addr address or network the label applies to
 * @param label security label to assign
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticadddef(struct nlbl_handle *hndl,
			    struct nlbl_netaddr *addr,
			    nlbl_secctx label);
/**
 * Remove a static label entry for an interface
 * @param hndl communications handle
 * @param dev network interface name
 * @param addr address or network of the entry to remove
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticdel(struct nlbl_handle *hndl,
			 nlbl_netdev dev,
			 struct nlbl_netaddr *addr);
/**
 * Remove a static label entry for the default interface
 * @param hndl communications handle
 * @param addr address or network of the entry to remove
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticdeldef(struct nlbl_handle *hndl,
			    struct nlbl_netaddr *addr);
/**
 * List the static label entries
 * @param hndl communications handle
 * @param addrs receives an array of entries; there is no count parameter, so
 *              the element count presumably comes from the return value --
 *              confirm, as does ownership of the array and its strings
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticlist(struct nlbl_handle *hndl,
			  struct nlbl_addrmap **addrs);
/**
 * List the static label entries for the default interface
 * @param hndl communications handle
 * @param addrs receives an array of entries (see nlbl_unlbl_staticlist()
 *              for the count and ownership caveats)
 * @return status code; convention not stated in this header
 */
int nlbl_unlbl_staticlistdef(struct nlbl_handle *hndl,
			     struct nlbl_addrmap **addrs);

/* CIPSO Protocol */
/**
 * Add a CIPSO DOI using the translated mapping
 * @param hndl communications handle
 * @param doi DOI to add
 * @param tags tag types, in decreasing order of preference
 * @param lvls level mapping
 * @param cats category mapping
 * @return status code; convention not stated in this header
 *
 * How @p lvls and @p cats pair local and on-the-wire values (for example,
 * alternating entries) is not specified here -- confirm before building them.
 */
int nlbl_cipso_add_trans(struct nlbl_handle *hndl,
			 nlbl_cip_doi doi,
			 struct nlbl_cip_tag_a *tags,
			 struct nlbl_cip_lvl_a *lvls,
			 struct nlbl_cip_cat_a *cats);
/**
 * Add a CIPSO DOI using the pass-through mapping
 * @param hndl communications handle
 * @param doi DOI to add
 * @param tags tag types, in decreasing order of preference
 * @return status code; convention not stated in this header
 */
int nlbl_cipso_add_pass(struct nlbl_handle *hndl,
			nlbl_cip_doi doi,
			struct nlbl_cip_tag_a *tags);
/**
 * Add a CIPSO DOI using the local mapping
 * @param hndl communications handle
 * @param doi DOI to add
 * @return status code; convention not stated in this header
 */
int nlbl_cipso_add_local(struct nlbl_handle *hndl, nlbl_cip_doi doi);
/**
 * Remove a CIPSO DOI
 * @param hndl communications handle
 * @param doi DOI to remove
 * @return status code; convention not stated in this header
 */
int nlbl_cipso_del(struct nlbl_handle *hndl, nlbl_cip_doi doi);
/**
 * Query the configuration of a CIPSO DOI
 * @param hndl communications handle
 * @param doi DOI to query
 * @param mtype receives the mapping type
 * @param tags receives the tag types
 * @param lvls receives the level mapping
 * @param cats receives the category mapping
 * @return status code; convention not stated in this header
 *
 * Whether the three array structs must be caller-allocated and who owns the
 * "array" members after the call is not specified here -- confirm.
 */
int nlbl_cipso_list(struct nlbl_handle *hndl,
		    nlbl_cip_doi doi,
		    nlbl_cip_mtype *mtype,
		    struct nlbl_cip_tag_a *tags,
		    struct nlbl_cip_lvl_a *lvls,
		    struct nlbl_cip_cat_a *cats);
/**
 * List all CIPSO DOIs
 * @param hndl communications handle
 * @param dois receives an array of DOIs
 * @param mtypes receives a parallel array of mapping types
 * @return status code; convention not stated in this header
 *
 * There is no count parameter, so the element count presumably comes from
 * the return value -- confirm, as does ownership of both arrays.
 */
int nlbl_cipso_listall(struct nlbl_handle *hndl,
		       nlbl_cip_doi **dois,
		       nlbl_cip_mtype **mtypes);
/* CALIPSO Protocol */
/**
 * Add a CALIPSO DOI using the pass-through mapping
 * @param hndl communications handle
 * @param doi DOI to add
 * @return status code; convention not stated in this header
 */
int nlbl_calipso_add_pass(struct nlbl_handle *hndl,
			  nlbl_clp_doi doi);
/**
 * Remove a CALIPSO DOI
 * @param hndl communications handle
 * @param doi DOI to remove
 * @return status code; convention not stated in this header
 */
int nlbl_calipso_del(struct nlbl_handle *hndl, nlbl_clp_doi doi);
/**
 * Query the configuration of a CALIPSO DOI
 * @param hndl communications handle
 * @param doi DOI to query
 * @param mtype receives the mapping type
 * @return status code; convention not stated in this header
 */
int nlbl_calipso_list(struct nlbl_handle *hndl,
		      nlbl_clp_doi doi,
		      nlbl_clp_mtype *mtype);
/**
 * List all CALIPSO DOIs
 * @param hndl communications handle
 * @param dois receives an array of DOIs
 * @param mtypes receives a parallel array of mapping types
 * @return status code; convention not stated in this header
 *
 * There is no count parameter, so the element count presumably comes from
 * the return value -- confirm, as does ownership of both arrays.
 */
int nlbl_calipso_listall(struct nlbl_handle *hndl,
			 nlbl_clp_doi **dois,
			 nlbl_clp_mtype **mtypes);

#endif