/** @file
* NetLabel userspace configuration library API.
*
* The Linux NetLabel subsystem manages network security labels for explicit
* labeling protocols such as CIPSO as well as static security labels for
* "unlabeled" network traffic. More information on NetLabel can be found at
* the NetLabel SourceForge project site, http://netlabel.sf.net.
*
* Author: Paul Moore <paul@paul-moore.com>
*
*/
/*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of version 2 of the GNU General Public License as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef _LIBNETLABEL_H
#define _LIBNETLABEL_H
#include <sys/types.h>
#include <linux/types.h>
#include <netinet/in.h>
#include <netlink/netlink.h>
#include <netlink/msg.h>
#include <netlink/attr.h>
#include <netlabel.h>
/*
* Types
*/
/* General Types */
/**
* NetLabel communications handle
*
* Handle used for communicating with the NetLabel subsystem in the kernel via
* generic netlink.
*
*/
struct nlbl_handle;
/**
* NetLabel message
*
* NetLabel type used for sending and receiving messages with the NetLabel
* kernel subsystem.
*
*/
typedef struct nl_msg nlbl_msg;
/**
* NetLabel labeling protocol
*
* NetLabel type used to specify network labeling protocols.
*
*/
typedef uint32_t nlbl_proto;
/**
* NetLabel network device
*
* NetLabel type used to specify network interfaces.
*
*/
typedef char *nlbl_netdev;
/**
* NetLabel network address structure
* @param type address family
* @param addr.v4 IPv4 address
* @param addr.v6 IPv6 address
* @param mask.v4 IPv4 address mask
* @param mask.v6 IPv6 address mask
*
* NetLabel type used to represent IP addresses. It can represent both single
* hosts and entire networks using both IPv4 and IPv6.
*
*/
struct nlbl_netaddr {
short type;
union {
struct in_addr v4;
struct in6_addr v6;
} addr;
union {
struct in_addr v4;
struct in6_addr v6;
} mask;
};
/**
* NetLabel security label
*
* NetLabel type used to represent security labels. NetLabel itself does not
* interpret the security labels, the individual LSMs are used to parse and
* interpret the security labels.
*
*/
typedef char *nlbl_secctx;
/* CIPSO Types */
/**
* NetLabel CIPSO Domain Of Interpretation (DOI) value
*
* NetLabel type used to represent a CIPSO Domian of Interpretation (DOI).
*
*/
typedef uint32_t nlbl_cip_doi;
/**
* NetLabel CIPSO mapping type
*
* NetLabel type used to represent the CIPSO security label mapping method.
*
*/
typedef uint32_t nlbl_cip_mtype;
/**
* NetLabel CIPSO tag type
*
* NetLabel type used to represent CIPSO tag types.
*
*/
typedef uint8_t nlbl_cip_tag;
/**
* NetLabel CIPSO tag array
* @param array array of tag types
* @param size size of array
*
* NetLabel type used to represent an array of CIPSO tags in decreasing order
* of preference.
*
*/
struct nlbl_cip_tag_a {
nlbl_cip_tag *array;
size_t size;
};
/**
* NetLabel CIPSO MLS level
*
* NetLabel type used to represent the CIPSO MLS sensitivity level.
*
*/
typedef uint32_t nlbl_cip_lvl;
/**
* NetLabel CIPSO MLS level array
* @param array array of MLS levels
* @param size size of array
*
* NetLabel type used to represent an array of CIPSO MLS sensitivity levels.
*
*/
struct nlbl_cip_lvl_a {
nlbl_cip_lvl *array;
size_t size;
};
/**
* NetLabel CIPSO MLS category
*
* NetLabel type used to represent the CIPSO MLS category/compartment.
*
*/
typedef uint32_t nlbl_cip_cat;
/**
* NetLabel CIPSO MLS category array
* @param array array of MLS categories
* @param size size of array
*
* NetLabel type used to represent an array of CIPSO MLS categories.
*
*/
struct nlbl_cip_cat_a {
nlbl_cip_cat *array;
size_t size;
};
/* CALIPSO Types */
/**
* NetLabel CALIPSO Domain Of Interpretation (DOI) value
*
* NetLabel type used to represent a CALIPSO Domian of Interpretation (DOI).
*
*/
typedef uint32_t nlbl_clp_doi;
/**
* NetLabel CALIPSO mapping type
*
* NetLabel type used to represent the CALIPSO security label mapping method.
*
*/
typedef uint32_t nlbl_clp_mtype;
/* NetLabel and LSM Mapping Types */
/**
* NetLabel IP address selector structure
* @param addr IP address
* @param proto_type labeling protocol
* @param proto.cip_doi CIPSO DOI
* @param proto.clp_doi CALIPSO DOI
* @param next next address selector
*
* NetLabel type used to map IP addresses to labeling protocol configurations.
*
*/
struct nlbl_dommap_addr {
struct nlbl_netaddr addr;
nlbl_proto proto_type;
union {
nlbl_cip_doi cip_doi;
nlbl_clp_doi clp_doi;
} proto;
struct nlbl_dommap_addr *next;
};
/**
* NetLabel LSM/Domain mapping structure
* @param domain LSM domain
* @param family address family
* @param proto_type labeling protocol
* @param proto.cip_doi CIPSO DOI
* @param proto.cpl_doi CALIPSO DOI
* @param proto.addrsel IP address selector(s)
*
* NetLabel type used to map LSM domains to labeling protocol configurations.
*
*/
struct nlbl_dommap {
char *domain;
uint16_t family;
nlbl_proto proto_type;
union {
nlbl_cip_doi cip_doi;
nlbl_clp_doi clp_doi;
struct nlbl_dommap_addr *addrsel;
} proto;
};
/**
* NetLabel network address mapping structure
* @param dev network device
* @param addr network address
* @param label security label
*
* NetLabel type used to map network interfaces and addresses to security
* labels.
*
*/
struct nlbl_addrmap {
nlbl_netdev dev;
struct nlbl_netaddr addr;
nlbl_secctx label;
};
/*
* Functions
*/
/* Initialization and Termination */
int nlbl_init(void);
void nlbl_exit(void);
/* Low Level Communications */
/* Communications Control */
void nlbl_comm_timeout(uint32_t seconds);
/* Raw NetLabel I/O API */
struct nlbl_handle *nlbl_comm_open(void);
int nlbl_comm_close(struct nlbl_handle *hndl);
int nlbl_comm_recv(struct nlbl_handle *hndl, nlbl_msg **msg);
int nlbl_comm_recv_raw(struct nlbl_handle *hndl, unsigned char **data);
int nlbl_comm_send(struct nlbl_handle *hndl, nlbl_msg *msg);
/* Message Handling */
nlbl_msg *nlbl_msg_new(void);
void nlbl_msg_free(nlbl_msg *msg);
struct nlmsghdr *nlbl_msg_nlhdr(nlbl_msg *msg);
struct genlmsghdr *nlbl_msg_genlhdr(nlbl_msg *msg);
struct nlmsgerr *nlbl_msg_err(nlbl_msg *msg);
/* Attribute Handling */
struct nlattr *nlbl_attr_head(nlbl_msg *msg);
struct nlattr *nlbl_attr_find(nlbl_msg *msg, int nla_type);
/* Configuration Operations */
/* Management */
int nlbl_mgmt_version(struct nlbl_handle *hndl, uint32_t *version);
int nlbl_mgmt_protocols(struct nlbl_handle *hndl, nlbl_proto **protocols);
int nlbl_mgmt_add(struct nlbl_handle *hndl,
struct nlbl_dommap *domain,
struct nlbl_netaddr *addr);
int nlbl_mgmt_adddef(struct nlbl_handle *hndl,
struct nlbl_dommap *domain,
struct nlbl_netaddr *addr);
int nlbl_mgmt_del(struct nlbl_handle *hndl, char *domain);
int nlbl_mgmt_deldef(struct nlbl_handle *hndl);
int nlbl_mgmt_listall(struct nlbl_handle *hndl, struct nlbl_dommap **domains);
int nlbl_mgmt_listdef(struct nlbl_handle *hndl, uint16_t family,
struct nlbl_dommap *domain);
/* Unlabeled Traffic */
int nlbl_unlbl_accept(struct nlbl_handle *hndl, uint8_t allow_flag);
int nlbl_unlbl_list(struct nlbl_handle *hndl, uint8_t *allow_flag);
int nlbl_unlbl_staticadd(struct nlbl_handle *hndl,
nlbl_netdev dev,
struct nlbl_netaddr *addr,
nlbl_secctx label);
int nlbl_unlbl_staticadddef(struct nlbl_handle *hndl,
struct nlbl_netaddr *addr,
nlbl_secctx label);
int nlbl_unlbl_staticdel(struct nlbl_handle *hndl,
nlbl_netdev dev,
struct nlbl_netaddr *addr);
int nlbl_unlbl_staticdeldef(struct nlbl_handle *hndl,
struct nlbl_netaddr *addr);
int nlbl_unlbl_staticlist(struct nlbl_handle *hndl,
struct nlbl_addrmap **addrs);
int nlbl_unlbl_staticlistdef(struct nlbl_handle *hndl,
struct nlbl_addrmap **addrs);
/* CIPSO Protocol */
int nlbl_cipso_add_trans(struct nlbl_handle *hndl,
nlbl_cip_doi doi,
struct nlbl_cip_tag_a *tags,
struct nlbl_cip_lvl_a *lvls,
struct nlbl_cip_cat_a *cats);
int nlbl_cipso_add_pass(struct nlbl_handle *hndl,
nlbl_cip_doi doi,
struct nlbl_cip_tag_a *tags);
int nlbl_cipso_add_local(struct nlbl_handle *hndl, nlbl_cip_doi doi);
int nlbl_cipso_del(struct nlbl_handle *hndl, nlbl_cip_doi doi);
int nlbl_cipso_list(struct nlbl_handle *hndl,
nlbl_cip_doi doi,
nlbl_cip_mtype *mtype,
struct nlbl_cip_tag_a *tags,
struct nlbl_cip_lvl_a *lvls,
struct nlbl_cip_cat_a *cats);
int nlbl_cipso_listall(struct nlbl_handle *hndl,
nlbl_cip_doi **dois,
nlbl_cip_mtype **mtypes);
/* CALIPSO Protocol */
int nlbl_calipso_add_pass(struct nlbl_handle *hndl,
nlbl_clp_doi doi);
int nlbl_calipso_del(struct nlbl_handle *hndl, nlbl_clp_doi doi);
int nlbl_calipso_list(struct nlbl_handle *hndl,
nlbl_clp_doi doi,
nlbl_clp_mtype *mtype);
int nlbl_calipso_listall(struct nlbl_handle *hndl,
nlbl_clp_doi **dois,
nlbl_clp_mtype **mtypes);
#endif