netlabel: Initial support for the CALIPSO netlink protocol.

/*

 * CALIPSO - Common Architecture Label IPv6 Security Option

 *

 * This is an implementation of the CALIPSO protocol as specified in

 * RFC 5570.

 *

 * Authors: Paul Moore <paul@paul-moore.com>

 *          Huw Davies <huw@codeweavers.com>

 *

 */

/*

 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006

 * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015

 *

 * This program is free software;  you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY;  without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See

 * the GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program;  if not, see <http://www.gnu.org/licenses/>.

 *

 */

#ifndef _CALIPSO_H

#define _CALIPSO_H

#include <linux/types.h>

#include <linux/rcupdate.h>

#include <linux/list.h>

#include <linux/net.h>

#include <linux/skbuff.h>

#include <net/netlabel.h>

#include <net/request_sock.h>

#include <linux/atomic.h>

#include <asm/unaligned.h>

/* known doi values */

#define CALIPSO_DOI_UNKNOWN          0x00000000

/* doi mapping types */

#define CALIPSO_MAP_UNKNOWN          0

#define CALIPSO_MAP_PASS             2

/*

 * CALIPSO DOI definitions

 */

/* DOI definition struct */

struct calipso_doi {

	u32 doi;

	u32 type;

	atomic_t refcount;

	struct list_head list;

	struct rcu_head rcu;

};

#ifdef CONFIG_NETLABEL

int __init calipso_init(void);

void calipso_exit(void);

#else

static inline int __init calipso_init(void)

{

	return 0;

}

static inline void calipso_exit(void)

{

}

#endif /* CONFIG_NETLABEL */

#endif /* _CALIPSO_H */

#include <linux/atomic.h>

#include <linux/atomic.h>

struct cipso_v4_doi;

struct cipso_v4_doi;

struct calipso_doi;

/*

/*

 * NetLabel - A management interface for maintaining network packet label

 * NetLabel - A management interface for maintaining network packet label

#define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"

#define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"

#define NETLBL_NLTYPE_ADDRSELECT        6

#define NETLBL_NLTYPE_ADDRSELECT        6

#define NETLBL_NLTYPE_ADDRSELECT_NAME   "NLBL_ADRSEL"

#define NETLBL_NLTYPE_ADDRSELECT_NAME   "NLBL_ADRSEL"

#define NETLBL_NLTYPE_CALIPSO           7

#define NETLBL_NLTYPE_CALIPSO_NAME      "NLBL_CALIPSO"

/*

/*

 * NetLabel - Kernel API for accessing the network packet label mappings.

 * NetLabel - Kernel API for accessing the network packet label mappings.

	} attr;

	} attr;

};

};

/**

 * struct netlbl_calipso_ops - NetLabel CALIPSO operations

 * @doi_add: add a CALIPSO DOI

 * @doi_free: free a CALIPSO DOI

 *

 * Description:

 * This structure is filled out by the CALIPSO engine and passed

 * to the NetLabel core via a call to netlbl_calipso_ops_register().

 * It enables the CALIPSO engine (and hence IPv6) to be compiled

 * as a module.

 */

struct netlbl_calipso_ops {

	int (*doi_add)(struct calipso_doi *doi_def,

		       struct netlbl_audit *audit_info);

	void (*doi_free)(struct calipso_doi *doi_def);

};

/*

/*

 * LSM security attribute operations (inline)

 * LSM security attribute operations (inline)

 */

 */

}

}

#endif /* CONFIG_NETLABEL */

#endif /* CONFIG_NETLABEL */

const struct netlbl_calipso_ops *

netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);

#endif /* _NETLABEL_H */

#endif /* _NETLABEL_H */

#define AUDIT_MAC_IPSEC_EVENT	1415	/* Audit an IPSec event */

#define AUDIT_MAC_IPSEC_EVENT	1415	/* Audit an IPSec event */

#define AUDIT_MAC_UNLBL_STCADD	1416	/* NetLabel: add a static label */

#define AUDIT_MAC_UNLBL_STCADD	1416	/* NetLabel: add a static label */

#define AUDIT_MAC_UNLBL_STCDEL	1417	/* NetLabel: del a static label */

#define AUDIT_MAC_UNLBL_STCDEL	1417	/* NetLabel: del a static label */

#define AUDIT_MAC_CALIPSO_ADD	1418	/* NetLabel: add CALIPSO DOI entry */

#define AUDIT_MAC_CALIPSO_DEL	1419	/* NetLabel: del CALIPSO DOI entry */

#define AUDIT_FIRST_KERN_ANOM_MSG   1700

#define AUDIT_FIRST_KERN_ANOM_MSG   1700

#define AUDIT_LAST_KERN_ANOM_MSG    1799

#define AUDIT_LAST_KERN_ANOM_MSG    1799

ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o

ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o

ipv6-$(CONFIG_PROC_FS) += proc.o

ipv6-$(CONFIG_PROC_FS) += proc.o

ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o

ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o

ipv6-$(CONFIG_NETLABEL) += calipso.o

ipv6-objs += $(ipv6-y)

ipv6-objs += $(ipv6-y)

#ifdef CONFIG_IPV6_TUNNEL

#ifdef CONFIG_IPV6_TUNNEL

#include <net/ip6_tunnel.h>

#include <net/ip6_tunnel.h>

#endif

#endif

#include <net/calipso.h>

#include <asm/uaccess.h>

#include <asm/uaccess.h>

#include <linux/mroute6.h>

#include <linux/mroute6.h>

	if (err)

	if (err)

		goto pingv6_fail;

		goto pingv6_fail;

	err = calipso_init();

	if (err)

		goto calipso_fail;

#ifdef CONFIG_SYSCTL

#ifdef CONFIG_SYSCTL

	err = ipv6_sysctl_register();

	err = ipv6_sysctl_register();

	if (err)

	if (err)

#ifdef CONFIG_SYSCTL

#ifdef CONFIG_SYSCTL

sysctl_fail:

sysctl_fail:

	pingv6_exit();

	calipso_exit();

#endif

#endif

calipso_fail:

	pingv6_exit();

pingv6_fail:

pingv6_fail:

	ipv6_packet_cleanup();

	ipv6_packet_cleanup();

ipv6_packet_fail:

ipv6_packet_fail: