• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*	$NetBSD: policy.h,v 1.5.4.2 2007/06/07 20:34:19 manu Exp $	*/
2 
3 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _POLICY_H
35 #define _POLICY_H
36 
37 #include <sys/queue.h>
38 
39 
40 #ifdef HAVE_SECCTX
41 #define MAX_CTXSTR_SIZE 50
42 struct security_ctx {
43 	u_int8_t ctx_doi;       /* Security Context DOI */
44 	u_int8_t ctx_alg;       /* Security Context Algorithm */
45 	u_int16_t ctx_strlen;   /* Security Context stringlength
46 				 * (includes terminating NULL)
47 				 */
48 	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
49 };
50 #endif
51 
52 /* refs. ipsec.h */
53 /*
54  * Security Policy Index
55  * NOTE: Ensure to be same address family and upper layer protocol.
56  * NOTE: ul_proto, port number, uid, gid:
57  *	ANY: reserved for waldcard.
58  *	0 to (~0 - 1): is one of the number of each value.
59  */
60 struct policyindex {
61 	u_int8_t dir;			/* direction of packet flow, see blow */
62 	struct sockaddr_storage src;	/* IP src address for SP */
63 	struct sockaddr_storage dst;	/* IP dst address for SP */
64 	u_int8_t prefs;			/* prefix length in bits for src */
65 	u_int8_t prefd;			/* prefix length in bits for dst */
66 	u_int16_t ul_proto;		/* upper layer Protocol */
67 	u_int32_t priority;		/* priority for the policy */
68  	u_int64_t created;		/* Used for generated SPD entries deletion */
69 #ifdef HAVE_SECCTX
70 	struct security_ctx sec_ctx;    /* Security Context */
71 #endif
72 };
73 
74 /* Security Policy Data Base */
75 struct secpolicy {
76 	TAILQ_ENTRY(secpolicy) chain;
77 
78 	struct policyindex spidx;	/* selector */
79 	u_int32_t id;			/* It's unique number on the system. */
80 
81 	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
82 	struct ipsecrequest *req;
83 				/* pointer to the ipsec request tree, */
84 				/* if policy == IPSEC else this value == NULL.*/
85 };
86 
87 /* Security Assocciation Index */
88 /* NOTE: Ensure to be same address family */
89 struct secasindex {
90 	struct sockaddr_storage src;	/* srouce address for SA */
91 	struct sockaddr_storage dst;	/* destination address for SA */
92 	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
93 	u_int8_t mode;			/* mode of protocol, see ipsec.h */
94 	u_int32_t reqid;		/* reqid id who owned this SA */
95 					/* see IPSEC_MANUAL_REQID_MAX. */
96 };
97 
98 /* Request for IPsec */
99 struct ipsecrequest {
100 	struct ipsecrequest *next;
101 				/* pointer to next structure */
102 				/* If NULL, it means the end of chain. */
103 
104 	struct secasindex saidx;/* hint for search proper SA */
105 				/* if __ss_len == 0 then no address specified.*/
106 	u_int level;		/* IPsec level defined below. */
107 
108 	struct secpolicy *sp;	/* back pointer to SP */
109 };
110 
111 #ifdef HAVE_PFKEY_POLICY_PRIORITY
112 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
113 do {                                                                         \
114 	memset((idx), 0, sizeof(struct policyindex));                        \
115 	(idx)->dir = (_dir);                                                 \
116 	(idx)->prefs = (ps);                                                 \
117 	(idx)->prefd = (pd);                                                 \
118 	(idx)->ul_proto = (ulp);                                             \
119 	(idx)->priority = (_priority);                                        \
120 	(idx)->created = (_created);                                        \
121 	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
122 	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
123 } while (0)
124 #else
125 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
126 do {                                                                         \
127 	memset((idx), 0, sizeof(struct policyindex));                        \
128 	(idx)->dir = (_dir);                                                 \
129 	(idx)->prefs = (ps);                                                 \
130 	(idx)->prefd = (pd);                                                 \
131 	(idx)->ul_proto = (ulp);                                             \
132 	(idx)->created = (_created);                                        \
133 	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
134 	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
135 } while (0)
136 #endif
137 
138 struct ph2handle;
139 struct policyindex;
140 extern struct secpolicy *getsp __P((struct policyindex *));
141 extern struct secpolicy *getsp_r __P((struct policyindex *));
142 struct secpolicy *getspbyspid __P((u_int32_t));
143 extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
144 extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
145 extern struct secpolicy *newsp __P((void));
146 extern void delsp __P((struct secpolicy *));
147 extern void delsp_bothdir __P((struct policyindex *));
148 extern void inssp __P((struct secpolicy *));
149 extern void remsp __P((struct secpolicy *));
150 extern void flushsp __P((void));
151 extern void initsp __P((void));
152 extern struct ipsecrequest *newipsecreq __P((void));
153 
154 extern const char *spidx2str __P((const struct policyindex *));
155 #ifdef HAVE_SECCTX
156 #include <selinux/selinux.h>
157 extern int get_security_context __P((vchar_t *, struct policyindex *));
158 extern void init_avc __P((void));
159 extern int within_range __P((security_context_t, security_context_t));
160 extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
161 #endif
162 
163 #endif /* _POLICY_H */
164