/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * from "tndb.h 7.34 01/08/31 SMI; TSOL 2.x" */ #ifndef _SYS_TSOL_TNDB_H #define _SYS_TSOL_TNDB_H #pragma ident "%Z%%M% %I% %E% SMI" #include #include #include #include #ifdef _KERNEL #include #include #endif #ifdef __cplusplus extern "C" { #endif /* same on ILP32 and LP64 */ typedef union tnaddr { struct sockaddr_in ip_addr_v4; struct sockaddr_in6 ip_addr_v6; } tnaddr_t; #define ta_family ip_addr_v4.sin_family #define ta_addr_v4 ip_addr_v4.sin_addr #define ta_addr_v6 ip_addr_v6.sin6_addr #define ta_port_v4 ip_addr_v4.sin_port #define ta_port_v6 ip_addr_v6.sin6_port #define TNADDR_EQ(addr1, addr2) \ (((addr1)->ta_family == AF_INET && (addr2)->ta_family == AF_INET && \ (addr1)->ta_addr_v4.s_addr == (addr2)->ta_addr_v4.s_addr) || \ ((addr1)->ta_family == AF_INET6 && (addr2)->ta_family == AF_INET6 && \ IN6_ARE_ADDR_EQUAL(&(addr1)->ta_addr_v6, &(addr2)->ta_addr_v6))) /* * structure for TN database access routines and TN system calls */ typedef enum tsol_dbops { TNDB_NOOP = 0, TNDB_LOAD = 1, TNDB_DELETE = 2, TNDB_FLUSH = 3, TNDB_GET = 5 } tsol_dbops_t; #define TNTNAMSIZ 32 /* template name size */ #define IP_STR_SIZE 200 /* string ip address size */ #define TNRHDB_NCOL 2 /* # of columns in tnrhdb */ /* * For tnrhdb access library routines and tnrh(2TSOL) * same for both ILP32 and LP64. */ typedef struct tsol_rhent { short rh_prefix; /* length of subnet mask */ short rh_unused; /* padding */ tnaddr_t rh_address; /* IP address */ char rh_template[TNTNAMSIZ]; /* template name */ } tsol_rhent_t; typedef struct tsol_rhstr_s { int family; char *address; char *template; } tsol_rhstr_t; /* * host types recognized by tsol hosts */ typedef enum { UNLABELED = 1, SUN_CIPSO = 3 } tsol_host_type_t; typedef enum { OPT_NONE = 0, OPT_CIPSO = 1 } tsol_ip_label_t; typedef struct cipso_tag_type_1 { uchar_t tag_type; /* Tag Type (1) */ uchar_t tag_length; /* Length of Tag */ uchar_t tag_align; /* Alignment Octet */ uchar_t tag_sl; /* Sensitivity Level */ uchar_t tag_cat[1]; /* Categories */ } cipso_tag_type_1_t; #define TSOL_CIPSO_MIN_LENGTH 6 #define TSOL_CIPSO_MAX_LENGTH IP_MAX_OPT_LENGTH #define TSOL_TT1_MIN_LENGTH 4 #define TSOL_TT1_MAX_LENGTH 34 #define TSOL_CIPSO_DOI_OFFSET 2 #define TSOL_CIPSO_TAG_OFFSET 6 typedef struct cipso_option { uchar_t cipso_type; /* Type of option (134) */ uchar_t cipso_length; /* Length of option */ uchar_t cipso_doi[4]; /* Domain of Interpretation */ uchar_t cipso_tag_type[1]; /* variable length */ } cipso_option_t; /* * RIPSO classifications */ #define TSOL_CL_TOP_SECRET 0x3d #define TSOL_CL_SECRET 0x5a #define TSOL_CL_CONFIDENTIAL 0x96 #define TSOL_CL_UNCLASSIFIED 0xab /* * RIPSO protection authorities */ #define TSOL_PA_GENSER 0x80 #define TSOL_PA_SIOP_ESI 0x40 #define TSOL_PA_SCI 0x20 #define TSOL_PA_NSA 0x10 #define TSOL_PA_DOE 0x08 /* * this mask is only used for tndb structures, and is different * from t6mask_t bits definitions */ typedef unsigned int tnmask_t; /* * unlabeled host structure for the tnrhtp template. * same for both ILP32 and LP64. */ struct tsol_unl { tnmask_t mask; /* tells which attributes are returned by the library */ bslabel_t def_label; /* default label */ brange_t gw_sl_range; /* for routing only */ blset_t sl_set; /* label set */ }; /* * CIPSO host structure for the tnrhtp template * same for both ILP32 and LP64. */ struct tsol_cipso { tnmask_t mask; /* tells which attributes are returned by the library */ bclear_t def_cl; /* default clearance */ brange_t sl_range; /* min/max SL range */ blset_t sl_set; /* label set */ }; /* * Valid keys and values of the key=value pairs for tnrhtp */ #define TP_UNLABELED "unlabeled" #define TP_CIPSO "cipso" #define TP_ZONE "zone" #define TP_HOSTTYPE "host_type" #define TP_DOI "doi" #define TP_DEFLABEL "def_label" #define TP_MINLABEL "min_sl" #define TP_MAXLABEL "max_sl" #define TP_SET "sl_set" #define TP_COMMA "," #define TNRHTP_NCOL 2 /* # of columns in tnrhtp */ /* * For tnrhtp access library routines and tnrhtp(2TSOL) * same for both ILP32 and LP64. */ typedef struct tsol_tpent { char name[TNTNAMSIZ]; /* template name */ tsol_host_type_t host_type; /* specifies host type */ int tp_doi; /* Domain of Interpretation */ #define tp_cipso_doi_unl tp_doi #define tp_cipso_doi_cipso tp_doi union { struct tsol_unl unl; /* template for unlabeled */ #define tp_mask_unl un.unl.mask #define tp_def_label un.unl.def_label #define tp_gw_sl_range un.unl.gw_sl_range #define tp_gw_sl_set un.unl.sl_set struct tsol_cipso cipso; /* template for CIPSO */ #define tp_mask_cipso un.cipso.mask #define tp_def_cl_cipso un.cipso.def_cl #define tp_sl_range_cipso un.cipso.sl_range #define tp_sl_set_cipso un.cipso.sl_set } un; } tsol_tpent_t; typedef struct tsol_tpstr_s { char *template; char *attrs; } tsol_tpstr_t; /* * For tnmlp(2TSOL); same for both ILP32 and LP64. */ typedef struct tsol_mlpent { zoneid_t tsme_zoneid; uint_t tsme_flags; /* TSOL_MEF_* */ tsol_mlp_t tsme_mlp; } tsol_mlpent_t; #define TSOL_MEF_SHARED 0x00000001 /* MLP defined on shared addresses */ /* * For tnzonecfg access library routines. * List of MLPs ends with null entry, where protocol and port are both zero. */ typedef struct tsol_zcent { char zc_name[TNTNAMSIZ]; int zc_doi; bslabel_t zc_label; int zc_match; tsol_mlp_t *zc_private_mlp; tsol_mlp_t *zc_shared_mlp; } tsol_zcent_t; #define TSOL_MLP_END(mlp) ((mlp)->mlp_ipp == 0 && (mlp)->mlp_port == 0) typedef struct tsol_tpc { kmutex_t tpc_lock; /* lock for structure */ uint_t tpc_refcnt; /* reference count */ boolean_t tpc_invalid; /* entry has been deleted */ struct tsol_tpent tpc_tp; /* template */ } tsol_tpc_t; typedef struct tsol_tnrhc { struct tsol_tnrhc *rhc_next; /* link to next entry */ kmutex_t rhc_lock; /* lock for structure */ tnaddr_t rhc_host; /* IPv4/IPv6 host address */ tsol_tpc_t *rhc_tpc; /* pointer to template */ uint_t rhc_refcnt; /* Number of references */ char rhc_invalid; /* out-of-date rhc */ char rhc_isbcast; /* broadcast address */ char rhc_local; /* loopback or local interace */ } tsol_tnrhc_t; /* Size of remote host hash tables in kernel */ #define TNRHC_SIZE 256 #define TSOL_MASK_TABLE_SIZE 33 #define TSOL_MASK_TABLE_SIZE_V6 129 #ifdef _KERNEL #define TNRHC_HOLD(a) { \ mutex_enter(&(a)->rhc_lock); \ (a)->rhc_refcnt++; \ ASSERT((a)->rhc_refcnt > 0); \ mutex_exit(&(a)->rhc_lock); \ } #define TNRHC_RELE(a) { \ mutex_enter(&(a)->rhc_lock); \ ASSERT((a)->rhc_refcnt > 0); \ if (--(a)->rhc_refcnt <= 0) \ tnrhc_free(a); \ else \ mutex_exit(&(a)->rhc_lock); \ } extern void tnrhc_free(tsol_tnrhc_t *); #define TPC_HOLD(a) { \ mutex_enter(&(a)->tpc_lock); \ (a)->tpc_refcnt++; \ ASSERT((a)->tpc_refcnt > 0); \ mutex_exit(&(a)->tpc_lock); \ } #define TPC_RELE(a) { \ mutex_enter(&(a)->tpc_lock); \ ASSERT((a)->tpc_refcnt > 0); \ if (--(a)->tpc_refcnt <= 0) \ tpc_free(a); \ else \ mutex_exit(&(a)->tpc_lock); \ } extern void tpc_free(tsol_tpc_t *); #endif /* _KERNEL */ /* * The next three hashing macros are copied from macros in ip_ire.h. */ #define TSOL_ADDR_HASH(addr, table_size) \ (((((addr) >> 16) ^ (addr)) ^ ((((addr) >> 16) ^ (addr))>> 8)) \ % (table_size)) #define TSOL_ADDR_HASH_V6(addr, table_size) \ (((addr).s6_addr8[8] ^ (addr).s6_addr8[9] ^ \ (addr).s6_addr8[10] ^ (addr).s6_addr8[13] ^ \ (addr).s6_addr8[14] ^ (addr).s6_addr8[15]) % (table_size)) /* This assumes that table_size is a power of 2. */ #define TSOL_ADDR_MASK_HASH_V6(addr, mask, table_size) \ ((((addr).s6_addr8[8] & (mask).s6_addr8[8]) ^ \ ((addr).s6_addr8[9] & (mask).s6_addr8[9]) ^ \ ((addr).s6_addr8[10] & (mask).s6_addr8[10]) ^ \ ((addr).s6_addr8[13] & (mask).s6_addr8[13]) ^ \ ((addr).s6_addr8[14] & (mask).s6_addr8[14]) ^ \ ((addr).s6_addr8[15] & (mask).s6_addr8[15])) & ((table_size) - 1)) /* * Constants used for getting the mask value in struct tsol_tpent */ enum { TNT_DEF_LABEL, TNT_DEF_CL, TNT_SL_RANGE_TSOL, /* use this for both unl and zone */ TNT_CIPSO_DOI }; /* * mask definitions */ #define tsol_tntmask(value) ((unsigned int)(1<<(value))) #define TSOL_MSK_DEF_LABEL tsol_tntmask(TNT_DEF_LABEL) #define TSOL_MSK_DEF_CL tsol_tntmask(TNT_DEF_CL) #define TSOL_MSK_SL_RANGE_TSOL tsol_tntmask(TNT_SL_RANGE_TSOL) #define TSOL_MSK_CIPSO_DOI tsol_tntmask(TNT_CIPSO_DOI) /* * TN errors */ #define TSOL_PARSE_ERANGE 1 /* result buffer not allocated */ #define TSOL_NOT_SUPPORTED 2 /* address family not supported */ #define TSOL_NOT_FOUND 3 /* search by * routines target not found */ /* * Structure used to hold a list of IP addresses. */ typedef struct tsol_address { struct tsol_address *next; in_addr_t ip_address; } tsol_address_t; /* This is shared between tcache and mdb */ typedef struct tnrhc_hash_s { tsol_tnrhc_t *tnrh_list; kmutex_t tnrh_lock; } tnrhc_hash_t; #ifdef _KERNEL typedef enum { mlptSingle, mlptPrivate, mlptShared, mlptBoth } mlp_type_t; extern tsol_tpc_t *find_tpc(const void *, uchar_t, boolean_t); extern void tcache_init(void); extern in_port_t tsol_next_port(zone_t *, in_port_t, int, boolean_t); extern mlp_type_t tsol_mlp_port_type(zone_t *, uchar_t, uint16_t, mlp_type_t); extern zoneid_t tsol_mlp_findzone(uchar_t, uint16_t); extern int tsol_mlp_anon(zone_t *, mlp_type_t, uchar_t, uint16_t, boolean_t); extern void tsol_print_label(const blevel_t *, const char *); struct tsol_gc_s; struct tsol_gcgrp_s; struct tsol_gcgrp_addr_s; extern struct tsol_gc_s *gc_create(struct rtsa_s *, struct tsol_gcgrp_s *, boolean_t *); extern void gc_inactive(struct tsol_gc_s *); extern int rtsa_validate(const struct rtsa_s *); extern struct tsol_gcgrp_s *gcgrp_lookup(struct tsol_gcgrp_addr_s *, boolean_t); extern void gcgrp_inactive(struct tsol_gcgrp_s *); extern int tnrh_load(const tsol_rhent_t *); #endif /* _KERNEL */ #ifdef __cplusplus } #endif #endif /* _SYS_TSOL_TNDB_H */