/**
 * @file
 * NetLabel userspace configuration library API.
 *
 * The Linux NetLabel subsystem manages network security labels for explicit
 * labeling protocols such as CIPSO as well as static security labels for
 * "unlabeled" network traffic.  More information on NetLabel can be found at
 * the NetLabel SourceForge project site, http://netlabel.sf.net.
 *
 * This header only declares types and prototypes; the behaviour notes below
 * that go beyond what a declaration shows are marked as assumptions to be
 * confirmed against the implementation.
 *
 * Author: Paul Moore
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef _LIBNETLABEL_H
#define _LIBNETLABEL_H

/*
 * NOTE(review): the targets of these seven includes were lost when this page
 * was extracted (the angle-bracketed names were stripped); they are not
 * recoverable from this view and must be restored from the original header.
 * The types used below require at least: uint*_t, size_t, struct in_addr,
 * struct in6_addr, struct nl_msg, struct nlmsghdr, struct genlmsghdr,
 * struct nlmsgerr and struct nlattr.
 */
#include
#include
#include
#include
#include
#include
#include

/*
 * Types
 */

/* General Types */

/**
 * NetLabel communications handle
 *
 * Handle used for communicating with the NetLabel subsystem in the kernel via
 * generic netlink.  Opaque to callers: the definition lives in the library
 * and instances are obtained from nlbl_comm_open() and released with
 * nlbl_comm_close().
 *
 */
struct nlbl_handle;

/**
 * NetLabel message
 *
 * NetLabel type used for sending and receiving messages with the NetLabel
 * kernel subsystem.  This is an alias for the libnl message type; allocate
 * with nlbl_msg_new() and release with nlbl_msg_free().
 *
 */
typedef struct nl_msg nlbl_msg;

/**
 * NetLabel labeling protocol
 *
 * NetLabel type used to specify network labeling protocols (e.g. CIPSO,
 * CALIPSO); it discriminates the "proto" unions in the mapping structures
 * below.
 *
 */
typedef uint32_t nlbl_proto;

/**
 * NetLabel network device
 *
 * NetLabel type used to specify network interfaces, as a NUL-terminated
 * interface name string.
 *
 */
typedef char *nlbl_netdev;

/**
 * NetLabel network address structure
 * @param type address family; selects which union member of addr/mask is
 *             valid (presumably AF_INET for v4 and AF_INET6 for v6 — confirm
 *             against the implementation)
 * @param addr.v4 IPv4 address
 * @param addr.v6 IPv6 address
 * @param mask.v4 IPv4 address mask
 * @param mask.v6 IPv6 address mask
 *
 * NetLabel type used to represent IP addresses.  It can represent both single
 * hosts and entire networks using both IPv4 and IPv6.  Readers must consult
 * "type" before touching addr/mask; reading the wrong union member silently
 * misinterprets the bytes.
 *
 */
struct nlbl_netaddr {
	short type;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} addr;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} mask;
};

/**
 * NetLabel security label
 *
 * NetLabel type used to represent security labels.  NetLabel itself does not
 * interpret the security labels, the individual LSMs are used to parse and
 * interpret the security labels.  Represented here as a NUL-terminated
 * string that is passed through opaquely.
 *
 */
typedef char *nlbl_secctx;

/* CIPSO Types */

/**
 * NetLabel CIPSO Domain Of Interpretation (DOI) value
 *
 * NetLabel type used to represent a CIPSO Domain of Interpretation (DOI).
 *
 */
typedef uint32_t nlbl_cip_doi;

/**
 * NetLabel CIPSO mapping type
 *
 * NetLabel type used to represent the CIPSO security label mapping method.
 *
 */
typedef uint32_t nlbl_cip_mtype;

/**
 * NetLabel CIPSO tag type
 *
 * NetLabel type used to represent CIPSO tag types.
 *
 */
typedef uint8_t nlbl_cip_tag;

/**
 * NetLabel CIPSO tag array
 * @param array array of tag types
 * @param size size of array (element count — presumably, confirm against
 *             callers; nothing here says bytes vs. elements)
 *
 * NetLabel type used to represent an array of CIPSO tags in decreasing order
 * of preference.  Ownership of "array" is not stated by this header.
 *
 */
struct nlbl_cip_tag_a {
	nlbl_cip_tag *array;
	size_t size;
};

/**
 * NetLabel CIPSO MLS level
 *
 * NetLabel type used to represent the CIPSO MLS sensitivity level.
 *
 */
typedef uint32_t nlbl_cip_lvl;

/**
 * NetLabel CIPSO MLS level array
 * @param array array of MLS levels
 * @param size size of array (see the note on struct nlbl_cip_tag_a)
 *
 * NetLabel type used to represent an array of CIPSO MLS sensitivity levels.
 *
 */
struct nlbl_cip_lvl_a {
	nlbl_cip_lvl *array;
	size_t size;
};

/**
 * NetLabel CIPSO MLS category
 *
 * NetLabel type used to represent the CIPSO MLS category/compartment.
 *
 */
typedef uint32_t nlbl_cip_cat;

/**
 * NetLabel CIPSO MLS category array
 * @param array array of MLS categories
 * @param size size of array (see the note on struct nlbl_cip_tag_a)
 *
 * NetLabel type used to represent an array of CIPSO MLS categories.
 *
 */
struct nlbl_cip_cat_a {
	nlbl_cip_cat *array;
	size_t size;
};

/* CALIPSO Types */

/**
 * NetLabel CALIPSO Domain Of Interpretation (DOI) value
 *
 * NetLabel type used to represent a CALIPSO Domain of Interpretation (DOI).
 *
 */
typedef uint32_t nlbl_clp_doi;

/**
 * NetLabel CALIPSO mapping type
 *
 * NetLabel type used to represent the CALIPSO security label mapping method.
 *
 */
typedef uint32_t nlbl_clp_mtype;

/* NetLabel and LSM Mapping Types */

/**
 * NetLabel IP address selector structure
 * @param addr IP address (host or network, see struct nlbl_netaddr)
 * @param proto_type labeling protocol; selects which "proto" member is valid
 * @param proto.cip_doi CIPSO DOI (valid when proto_type selects CIPSO)
 * @param proto.clp_doi CALIPSO DOI (valid when proto_type selects CALIPSO)
 * @param next next address selector, or NULL at the end of the list
 *             (NULL termination is the natural reading of a singly linked
 *             list but is not stated by this header — confirm)
 *
 * NetLabel type used to map IP addresses to labeling protocol configurations.
 *
 */
struct nlbl_dommap_addr {
	struct nlbl_netaddr addr;
	nlbl_proto proto_type;
	union {
		nlbl_cip_doi cip_doi;
		nlbl_clp_doi clp_doi;
	} proto;
	struct nlbl_dommap_addr *next;
};

/**
 * NetLabel LSM/Domain mapping structure
 * @param domain LSM domain (NUL-terminated string; not interpreted here)
 * @param family address family the mapping applies to
 * @param proto_type labeling protocol; selects which "proto" member is valid
 * @param proto.cip_doi CIPSO DOI
 * @param proto.clp_doi CALIPSO DOI
 * @param proto.addrsel IP address selector(s), a linked list of
 *                      struct nlbl_dommap_addr
 *
 * NetLabel type used to map LSM domains to labeling protocol configurations.
 * "proto" is a union: a DOI value and the "addrsel" pointer overlap, so a
 * caller must never read "addrsel" unless "proto_type" says an address
 * selector is in use.
 *
 */
struct nlbl_dommap {
	char *domain;
	uint16_t family;
	nlbl_proto proto_type;
	union {
		nlbl_cip_doi cip_doi;
		nlbl_clp_doi clp_doi;
		struct nlbl_dommap_addr *addrsel;
	} proto;
};

/**
 * NetLabel network address mapping structure
 * @param dev network device
 * @param addr network address
 * @param label security label
 *
 * NetLabel type used to map network interfaces and addresses to security
 * labels.
 *
 */
struct nlbl_addrmap {
	nlbl_netdev dev;
	struct nlbl_netaddr addr;
	nlbl_secctx label;
};

/*
 * Functions
 *
 * Return convention: every int-returning operation below is believed to
 * return 0 on success and a negative value on failure — this header does
 * not state it, confirm against the implementation.  Double-pointer output
 * parameters (e.g. "**domains", "**addrs", "**dois") presumably receive
 * library-allocated storage that the caller must free; the header does not
 * say which free routine to use.
 */

/* Initialization and Termination */

/**
 * Initialize the library.  Presumably must be called before any other
 * function in this header — confirm.
 * @return see the return convention above
 */
int nlbl_init(void);
/**
 * Release any library-wide state set up by nlbl_init().
 */
void nlbl_exit(void);

/* Low Level Communications */

/* Communications Control */

/**
 * Set the kernel communication timeout.
 * @param seconds timeout in seconds (inferred from the parameter name)
 */
void nlbl_comm_timeout(uint32_t seconds);

/* Raw NetLabel I/O API */

/**
 * Open a communications handle to the kernel NetLabel subsystem.
 * @return a new handle, or presumably NULL on failure — confirm
 */
struct nlbl_handle *nlbl_comm_open(void);
/**
 * Close a handle returned by nlbl_comm_open().
 * @param hndl the handle to close
 */
int nlbl_comm_close(struct nlbl_handle *hndl);
/**
 * Receive a message from the kernel.
 * @param hndl communications handle
 * @param msg receives the message; the caller presumably frees it with
 *            nlbl_msg_free() — confirm
 */
int nlbl_comm_recv(struct nlbl_handle *hndl, nlbl_msg **msg);
/**
 * Receive a raw message buffer from the kernel.
 * @param hndl communications handle
 * @param data receives the raw bytes; the length is not carried by this
 *             signature, so it is presumably the return value — confirm
 *             before indexing into the buffer
 */
int nlbl_comm_recv_raw(struct nlbl_handle *hndl, unsigned char **data);
/**
 * Send a message to the kernel.
 * @param hndl communications handle
 * @param msg message to send
 */
int nlbl_comm_send(struct nlbl_handle *hndl, nlbl_msg *msg);

/* Message Handling */

/**
 * Allocate a new, empty NetLabel message.
 * @return the message, or presumably NULL on allocation failure — confirm
 */
nlbl_msg *nlbl_msg_new(void);
/**
 * Free a message allocated by nlbl_msg_new() or returned by nlbl_comm_recv().
 */
void nlbl_msg_free(nlbl_msg *msg);
/**
 * Return the netlink header of a message.  Callers should treat a NULL
 * result as possible until the implementation is checked.
 */
struct nlmsghdr *nlbl_msg_nlhdr(nlbl_msg *msg);
/**
 * Return the generic netlink header of a message.
 */
struct genlmsghdr *nlbl_msg_genlhdr(nlbl_msg *msg);
/**
 * Return the netlink error payload of a message (the nlmsgerr structure),
 * presumably NULL when the message is not an error message — confirm.
 */
struct nlmsgerr *nlbl_msg_err(nlbl_msg *msg);

/* Attribute Handling */

/**
 * Return the first netlink attribute of a message.
 */
struct nlattr *nlbl_attr_head(nlbl_msg *msg);
/**
 * Find a netlink attribute by type.
 * @param msg message to search
 * @param nla_type attribute type to look for
 * @return the attribute, presumably NULL if absent — confirm
 */
struct nlattr *nlbl_attr_find(nlbl_msg *msg, int nla_type);

/* Configuration Operations */

/* Management */

/**
 * Query the kernel NetLabel protocol version.
 * @param version receives the version
 */
int nlbl_mgmt_version(struct nlbl_handle *hndl, uint32_t *version);
/**
 * Query the labeling protocols supported by the kernel.
 * @param protocols receives an array of protocols (see the note on
 *                  double-pointer outputs above)
 */
int nlbl_mgmt_protocols(struct nlbl_handle *hndl, nlbl_proto **protocols);
/**
 * Add an LSM domain mapping.
 * @param domain the mapping to add
 * @param addr optional address selector for the mapping (inferred from the
 *             nlbl_dommap_addr type; whether NULL is accepted is not stated)
 */
int nlbl_mgmt_add(struct nlbl_handle *hndl,
		  struct nlbl_dommap *domain,
		  struct nlbl_netaddr *addr);
/**
 * Add the default LSM domain mapping (the one used when no explicit domain
 * mapping matches — inferred from the "def" naming shared by the
 * *_listdef/*_deldef functions).
 */
int nlbl_mgmt_adddef(struct nlbl_handle *hndl,
		     struct nlbl_dommap *domain,
		     struct nlbl_netaddr *addr);
/**
 * Remove the mapping for an LSM domain.
 * @param domain NUL-terminated domain string
 */
int nlbl_mgmt_del(struct nlbl_handle *hndl, char *domain);
/**
 * Remove the default LSM domain mapping.
 */
int nlbl_mgmt_deldef(struct nlbl_handle *hndl);
/**
 * List all LSM domain mappings.
 * @param domains receives an array of mappings (see the note on
 *                double-pointer outputs above; the count is presumably the
 *                return value — confirm)
 */
int nlbl_mgmt_listall(struct nlbl_handle *hndl, struct nlbl_dommap **domains);
/**
 * Fetch the default LSM domain mapping for an address family.
 * @param family address family
 * @param domain caller-provided structure that is filled in
 */
int nlbl_mgmt_listdef(struct nlbl_handle *hndl,
		      uint16_t family,
		      struct nlbl_dommap *domain);

/* Unlabeled Traffic */

/**
 * Set whether unlabeled network traffic is accepted.
 * @param allow_flag non-zero to accept, zero to reject (inferred from the
 *                   name — confirm).  This is a system-wide policy switch:
 *                   accepting unlabeled traffic means packets without a
 *                   security label are admitted and labeled by the static
 *                   mappings below, so callers should treat it as a
 *                   security-relevant change.
 */
int nlbl_unlbl_accept(struct nlbl_handle *hndl, uint8_t allow_flag);
/**
 * Query whether unlabeled network traffic is accepted.
 * @param allow_flag receives the current setting
 */
int nlbl_unlbl_list(struct nlbl_handle *hndl, uint8_t *allow_flag);
/**
 * Add a static label for unlabeled traffic arriving on a device/address.
 * @param dev network device
 * @param addr host or network address
 * @param label security label to assign (opaque to NetLabel)
 */
int nlbl_unlbl_staticadd(struct nlbl_handle *hndl,
			 nlbl_netdev dev,
			 struct nlbl_netaddr *addr,
			 nlbl_secctx label);
/**
 * Add a default static label for unlabeled traffic matching an address,
 * regardless of device.
 */
int nlbl_unlbl_staticadddef(struct nlbl_handle *hndl,
			    struct nlbl_netaddr *addr,
			    nlbl_secctx label);
/**
 * Remove a static label added with nlbl_unlbl_staticadd().
 */
int nlbl_unlbl_staticdel(struct nlbl_handle *hndl,
			 nlbl_netdev dev,
			 struct nlbl_netaddr *addr);
/**
 * Remove a default static label added with nlbl_unlbl_staticadddef().
 */
int nlbl_unlbl_staticdeldef(struct nlbl_handle *hndl,
			    struct nlbl_netaddr *addr);
/**
 * List the static labels for unlabeled traffic.
 * @param addrs receives an array of mappings (see the note on
 *              double-pointer outputs above)
 */
int nlbl_unlbl_staticlist(struct nlbl_handle *hndl,
			  struct nlbl_addrmap **addrs);
/**
 * List the default static labels for unlabeled traffic.
 * @param addrs receives an array of mappings (see the note on
 *              double-pointer outputs above)
 */
int nlbl_unlbl_staticlistdef(struct nlbl_handle *hndl,
			     struct nlbl_addrmap **addrs);

/* CIPSO Protocol */

/**
 * Add a CIPSO DOI definition using the "translated" mapping (the name
 * suggests the level/category arrays describe a translation between local
 * and on-the-wire values — confirm against the kernel documentation).
 * @param doi DOI value
 * @param tags tag types in decreasing order of preference
 * @param lvls MLS level mapping
 * @param cats MLS category mapping
 */
int nlbl_cipso_add_trans(struct nlbl_handle *hndl,
			 nlbl_cip_doi doi,
			 struct nlbl_cip_tag_a *tags,
			 struct nlbl_cip_lvl_a *lvls,
			 struct nlbl_cip_cat_a *cats);
/**
 * Add a CIPSO DOI definition using the "pass-through" mapping (name-based
 * reading; no level/category translation is supplied here).
 * @param doi DOI value
 * @param tags tag types in decreasing order of preference
 */
int nlbl_cipso_add_pass(struct nlbl_handle *hndl,
			nlbl_cip_doi doi,
			struct nlbl_cip_tag_a *tags);
/**
 * Add a CIPSO DOI definition using the "local" mapping (name-based reading).
 * @param doi DOI value
 */
int nlbl_cipso_add_local(struct nlbl_handle *hndl, nlbl_cip_doi doi);
/**
 * Remove a CIPSO DOI definition.
 */
int nlbl_cipso_del(struct nlbl_handle *hndl, nlbl_cip_doi doi);
/**
 * Fetch a CIPSO DOI definition.
 * @param doi DOI value to query
 * @param mtype receives the mapping type
 * @param tags receives the tag array
 * @param lvls receives the level mapping (only meaningful for the
 *             translated mapping type — inferred from add_trans/add_pass)
 * @param cats receives the category mapping (same caveat as lvls)
 */
int nlbl_cipso_list(struct nlbl_handle *hndl,
		    nlbl_cip_doi doi,
		    nlbl_cip_mtype *mtype,
		    struct nlbl_cip_tag_a *tags,
		    struct nlbl_cip_lvl_a *lvls,
		    struct nlbl_cip_cat_a *cats);
/**
 * List all CIPSO DOI definitions.
 * @param dois receives an array of DOI values
 * @param mtypes receives a parallel array of mapping types
 *               (see the note on double-pointer outputs above)
 */
int nlbl_cipso_listall(struct nlbl_handle *hndl,
		       nlbl_cip_doi **dois,
		       nlbl_cip_mtype **mtypes);

/* CALIPSO Protocol */

/**
 * Add a CALIPSO DOI definition using the "pass-through" mapping (name-based
 * reading; CALIPSO has no translated/local variants in this API).
 * @param doi DOI value
 */
int nlbl_calipso_add_pass(struct nlbl_handle *hndl, nlbl_clp_doi doi);
/**
 * Remove a CALIPSO DOI definition.
 */
int nlbl_calipso_del(struct nlbl_handle *hndl, nlbl_clp_doi doi);
/**
 * Fetch the mapping type of a CALIPSO DOI definition.
 * @param doi DOI value to query
 * @param mtype receives the mapping type
 */
int nlbl_calipso_list(struct nlbl_handle *hndl,
		      nlbl_clp_doi doi,
		      nlbl_clp_mtype *mtype);
/**
 * List all CALIPSO DOI definitions.
 * @param dois receives an array of DOI values
 * @param mtypes receives a parallel array of mapping types
 *               (see the note on double-pointer outputs above)
 */
int nlbl_calipso_listall(struct nlbl_handle *hndl,
			 nlbl_clp_doi **dois,
			 nlbl_clp_mtype **mtypes);

#endif