/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * from "tndb.h 7.34 01/08/31 SMI; TSOL 2.x"
 */

/*
 * Trusted network database (tndb) definitions.
 *
 * Declares the records exchanged between the kernel, the database access
 * library routines and the tn*(2TSOL) system calls: remote-host entries
 * (tnrhdb), host templates (tnrhtp), multilevel ports (tnmlp) and zone
 * configuration (tnzonecfg), plus the CIPSO/RIPSO wire constants and the
 * kernel-only cache structures and reference-counting macros.
 */

#ifndef	_SYS_TSOL_TNDB_H
#define	_SYS_TSOL_TNDB_H

#include <sys/types.h>
#include <sys/zone.h>
#include <sys/tsol/label.h>
#include <sys/tsol/label_macro.h>
#include <net/if.h>

#ifdef _KERNEL
#include <net/route.h>
#endif

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Address of a remote host, IPv4 or IPv6; same on ILP32 and LP64.
 *
 * The ta_* accessors below always go through the v4 member: ta_family
 * reads ip_addr_v4.sin_family even when an IPv6 address was stored, which
 * presumably relies on sin_family and sin6_family sharing an offset.
 */
typedef union tnaddr {
	struct sockaddr_in ip_addr_v4;
	struct sockaddr_in6 ip_addr_v6;
} tnaddr_t;

#define	ta_family	ip_addr_v4.sin_family
#define	ta_addr_v4	ip_addr_v4.sin_addr
#define	ta_addr_v6	ip_addr_v6.sin6_addr
#define	ta_port_v4	ip_addr_v4.sin_port
#define	ta_port_v6	ip_addr_v6.sin6_port

/*
 * True when addr1 and addr2 have the same address family and the same
 * address.  A family mismatch is never equal and the port fields are not
 * compared.  Both arguments are evaluated several times, so they must be
 * side-effect-free pointer expressions.
 */
#define	TNADDR_EQ(addr1, addr2) \
	(((addr1)->ta_family == AF_INET && (addr2)->ta_family == AF_INET && \
	(addr1)->ta_addr_v4.s_addr == (addr2)->ta_addr_v4.s_addr) || \
	((addr1)->ta_family == AF_INET6 && (addr2)->ta_family == AF_INET6 && \
	IN6_ARE_ADDR_EQUAL(&(addr1)->ta_addr_v6, &(addr2)->ta_addr_v6)))

/*
 * structure for TN database access routines and TN system calls
 */

/*
 * Operation codes passed to the TN database system calls.  Note that the
 * value 4 is unassigned; TNDB_GET is 5.
 */
typedef enum tsol_dbops {
	TNDB_NOOP = 0,
	TNDB_LOAD = 1,
	TNDB_DELETE = 2,
	TNDB_FLUSH = 3,
	TNDB_GET = 5
} tsol_dbops_t;

#define	TNTNAMSIZ	ZONENAME_MAX	/* template name size */
#define	IP_STR_SIZE	200		/* string ip address size */

#define	TNRHDB_NCOL	2		/* # of columns in tnrhdb */

/*
 * For tnrhdb access library routines and tnrh(2TSOL)
 * same for both ILP32 and LP64.
 *
 * One remote-host entry: the host or subnet given by rh_address and the
 * rh_prefix mask length, bound to a template name.  rh_template is a plain
 * fixed-size array; nothing in the type guarantees NUL termination, so
 * NOTE(review): code filling it from parsed input must bound the copy and
 * terminate it explicitly.
 */
typedef struct tsol_rhent {
	short rh_prefix;		/* length of subnet mask */
	short rh_unused;		/* padding */
	tnaddr_t rh_address;		/* IP address */
	char rh_template[TNTNAMSIZ];	/* template name */
} tsol_rhent_t;

/*
 * String form of a tnrhdb entry (address and template name as text).
 * NOTE(review): ownership of the two strings is not stated here; confirm
 * against the routines that produce and consume it.
 */
typedef struct tsol_rhstr_s {
	int family;
	char *address;
	char *template;
} tsol_rhstr_t;

/*
 * host types recognized by tsol hosts
 */
typedef enum {
	UNLABELED = 1,
	SUN_CIPSO = 3
} tsol_host_type_t;

/* Which IP label option, if any, is carried on the wire for a host. */
typedef enum {
	OPT_NONE = 0,
	OPT_CIPSO = 1
} tsol_ip_label_t;

/*
 * Wire layout of a CIPSO tag type 1: type, length, alignment octet,
 * sensitivity level, then the category bitmap.  tag_cat[1] is a
 * one-element placeholder for a variable-length field; the real extent is
 * given by tag_length, so sizeof (cipso_tag_type_1_t) is not the tag size
 * and tag_cat must only be indexed after tag_length has been validated
 * against TSOL_TT1_MIN_LENGTH/TSOL_TT1_MAX_LENGTH and the bytes remaining
 * in the option.
 */
typedef struct cipso_tag_type_1 {
	uchar_t tag_type;		/* Tag Type (1) */
	uchar_t tag_length;		/* Length of Tag */
	uchar_t tag_align;		/* Alignment Octet */
	uchar_t tag_sl;			/* Sensitivity Level */
	uchar_t tag_cat[1];		/* Categories */
} cipso_tag_type_1_t;

/*
 * Length bounds for validating a received CIPSO option and its tags.
 * 6 is the option header alone (type, length, 4-byte DOI); 4 is a tag
 * type 1 with no category bytes.
 */
#define	TSOL_CIPSO_MIN_LENGTH	6
#define	TSOL_CIPSO_MAX_LENGTH	IP_MAX_OPT_LENGTH
#define	TSOL_TT1_MIN_LENGTH	4
#define	TSOL_TT1_MAX_LENGTH	34

/*
 * Byte offsets into a CIPSO option, matching struct cipso_option below:
 * the DOI follows the two type/length bytes, the first tag follows the
 * 4-byte DOI.
 */
#define	TSOL_CIPSO_DOI_OFFSET	2
#define	TSOL_CIPSO_TAG_OFFSET	6

/*
 * Wire layout of the CIPSO IP option.  cipso_tag_type[1] is a placeholder
 * for the variable-length tag list; its extent is cipso_length minus the
 * 6-byte header, not sizeof this struct.
 */
typedef struct cipso_option {
	uchar_t cipso_type;		/* Type of option (134) */
	uchar_t cipso_length;		/* Length of option */
	uchar_t cipso_doi[4];		/* Domain of Interpretation */
	uchar_t cipso_tag_type[1];	/* variable length */
} cipso_option_t;

/*
 * RIPSO classifications
 * (classification level codes of the RFC 1108 IP Security Option)
 */
#define	TSOL_CL_TOP_SECRET	0x3d
#define	TSOL_CL_SECRET		0x5a
#define	TSOL_CL_CONFIDENTIAL	0x96
#define	TSOL_CL_UNCLASSIFIED	0xab

/*
 * RIPSO protection authorities
 * (single-bit flags; several may be set in one option)
 */
#define	TSOL_PA_GENSER		0x80
#define	TSOL_PA_SIOP_ESI	0x40
#define	TSOL_PA_SCI		0x20
#define	TSOL_PA_NSA		0x10
#define	TSOL_PA_DOE		0x08

/*
 * this mask is only used for tndb structures, and is different
 * from t6mask_t bits definitions
 */

typedef unsigned int tnmask_t;

/*
 * unlabeled host structure for the tnrhtp template.
 * same for both ILP32 and LP64.
 *
 * mask holds TSOL_MSK_* bits (defined below) naming which of the
 * remaining members were filled in.
 */
struct tsol_unl {
	tnmask_t mask;		/* tells which attributes are returned by the library */
	bslabel_t def_label;	/* default label */
	brange_t gw_sl_range;	/* for routing only */
	blset_t sl_set;		/* label set */
};

/*
 * CIPSO host structure for the tnrhtp template
 * same for both ILP32 and LP64.
 *
 * mask holds TSOL_MSK_* bits (defined below), as in struct tsol_unl.
 */
struct tsol_cipso {
	tnmask_t mask;		/* tells which attributes are returned by the library */
	bclear_t def_cl;	/* default clearance */
	brange_t sl_range;	/* min/max SL range */
	blset_t sl_set;		/* label set */
};

/*
 * Valid keys and values of the key=value pairs for tnrhtp
 * (TP_UNLABELED/TP_CIPSO are host_type values; the rest are keys;
 * TP_COMMA separates the pairs)
 */
#define	TP_UNLABELED	"unlabeled"
#define	TP_CIPSO	"cipso"
#define	TP_ZONE		"zone"
#define	TP_HOSTTYPE	"host_type"
#define	TP_DOI		"doi"
#define	TP_DEFLABEL	"def_label"
#define	TP_MINLABEL	"min_sl"
#define	TP_MAXLABEL	"max_sl"
#define	TP_SET		"sl_set"

#define	TP_COMMA	","

#define	TNRHTP_NCOL	2	/* # of columns in tnrhtp */

/*
 * For tnrhtp access library routines and tnrhtp(2TSOL)
 * same for both ILP32 and LP64.
 *
 * One host template.  host_type presumably selects the live union member
 * (UNLABELED -> un.unl, SUN_CIPSO -> un.cipso); the tp_* #defines that
 * follow are ordinary file-scope macros despite appearing inside the
 * struct, so those names are taken in every translation unit that includes
 * this header.  name has the same NUL-termination caveat as rh_template.
 */
typedef struct tsol_tpent {
	char name[TNTNAMSIZ];		/* template name */
	tsol_host_type_t host_type;	/* specifies host type */
	int tp_doi;			/* Domain of Interpretation */
#define	tp_cipso_doi_unl	tp_doi
#define	tp_cipso_doi_cipso	tp_doi
	union {
		struct tsol_unl unl;		/* template for unlabeled */
#define	tp_mask_unl		un.unl.mask
#define	tp_def_label		un.unl.def_label
#define	tp_gw_sl_range		un.unl.gw_sl_range
#define	tp_gw_sl_set		un.unl.sl_set

		struct tsol_cipso cipso;	/* template for CIPSO */
#define	tp_mask_cipso		un.cipso.mask
#define	tp_def_cl_cipso		un.cipso.def_cl
#define	tp_sl_range_cipso	un.cipso.sl_range
#define	tp_sl_set_cipso		un.cipso.sl_set
	} un;
} tsol_tpent_t;

/* String form of a tnrhtp entry: template name and its key=value text. */
typedef struct tsol_tpstr_s {
	char *template;
	char *attrs;
} tsol_tpstr_t;

/*
 * For tnmlp(2TSOL); same for both ILP32 and LP64.
 * One multilevel-port binding for a zone.
 */
typedef struct tsol_mlpent {
	zoneid_t tsme_zoneid;
	uint_t tsme_flags;		/* TSOL_MEF_* */
	tsol_mlp_t tsme_mlp;
} tsol_mlpent_t;

#define	TSOL_MEF_SHARED	0x00000001	/* MLP defined on shared addresses */

/*
 * For tnzonecfg access library routines.
 * List of MLPs ends with null entry, where protocol and port are both zero.
 *
 * zc_private_mlp and zc_shared_mlp point at arrays terminated by an entry
 * for which TSOL_MLP_END() is true.  The meaning of zc_match is not stated
 * here.
 */
typedef struct tsol_zcent {
	char zc_name[ZONENAME_MAX];
	int zc_doi;
	bslabel_t zc_label;
	int zc_match;
	tsol_mlp_t *zc_private_mlp;
	tsol_mlp_t *zc_shared_mlp;
} tsol_zcent_t;
/* Terminator test for the MLP lists above. */
#define	TSOL_MLP_END(mlp)	((mlp)->mlp_ipp == 0 && (mlp)->mlp_port == 0)

#if (defined(_KERNEL) || defined(_KMEMUSER))
/*
 * Kernel-cached template: reference counted under tpc_lock; tpc_invalid
 * marks an entry that has been deleted from the database but is still
 * referenced.
 */
typedef struct tsol_tpc {
	kmutex_t tpc_lock;		/* lock for structure */
	uint_t tpc_refcnt;		/* reference count */
	boolean_t tpc_invalid;		/* entry has been deleted */
	struct tsol_tpent tpc_tp;	/* template */
} tsol_tpc_t;

/*
 * Kernel-cached remote-host entry, chained through rhc_next in a
 * tnrhc_hash_t bucket and reference counted under rhc_lock.
 */
typedef struct tsol_tnrhc {
	struct tsol_tnrhc *rhc_next;	/* link to next entry */
	kmutex_t rhc_lock;		/* lock for structure */
	tnaddr_t rhc_host;		/* IPv4/IPv6 host address */
	tsol_tpc_t *rhc_tpc;		/* pointer to template */
	uint_t rhc_refcnt;		/* Number of references */
	char rhc_invalid;		/* out-of-date rhc */
	char rhc_isbcast;		/* broadcast address */
	char rhc_local;			/* loopback or local interface */
} tsol_tnrhc_t;
#endif /* _KERNEL || _KMEMUSER */

/*
 * Size of remote host hash tables in kernel.
 * TNRHC_SIZE is a power of two; 33 and 129 (one per prefix length for
 * IPv4 and IPv6) are not, which matters for TSOL_ADDR_MASK_HASH_V6 below.
 */
#define	TNRHC_SIZE		256
#define	TSOL_MASK_TABLE_SIZE	33
#define	TSOL_MASK_TABLE_SIZE_V6	129

#ifdef _KERNEL
/*
 * Reference-count helpers for the two cache types above.
 *
 * *_HOLD takes the entry's lock, increments the count and ASSERTs it is
 * still positive (which catches a wrap to zero).  *_RELE decrements under
 * the lock; when the count reaches zero it calls tnrhc_free()/tpc_free()
 * with the lock still held (only the else branch calls mutex_exit), so the
 * free routines are presumably responsible for the lock - confirm there.
 *
 * The bodies are bare brace blocks rather than do { ... } while (0), so
 * `if (c) TNRHC_HOLD(a); else ...` will not compile; use them only as
 * stand-alone statements.  `a` is evaluated several times.
 */
#define	TNRHC_HOLD(a)	{ \
	mutex_enter(&(a)->rhc_lock); \
	(a)->rhc_refcnt++; \
	ASSERT((a)->rhc_refcnt > 0); \
	mutex_exit(&(a)->rhc_lock); \
}
#define	TNRHC_RELE(a)	{ \
	mutex_enter(&(a)->rhc_lock); \
	ASSERT((a)->rhc_refcnt > 0); \
	if (--(a)->rhc_refcnt <= 0) \
		tnrhc_free(a); \
	else \
		mutex_exit(&(a)->rhc_lock); \
}
extern void tnrhc_free(tsol_tnrhc_t *);
#define	TPC_HOLD(a)	{ \
	mutex_enter(&(a)->tpc_lock); \
	(a)->tpc_refcnt++; \
	ASSERT((a)->tpc_refcnt > 0); \
	mutex_exit(&(a)->tpc_lock); \
}
#define	TPC_RELE(a)	{ \
	mutex_enter(&(a)->tpc_lock); \
	ASSERT((a)->tpc_refcnt > 0); \
	if (--(a)->tpc_refcnt <= 0) \
		tpc_free(a); \
	else \
		mutex_exit(&(a)->tpc_lock); \
}
extern void tpc_free(tsol_tpc_t *);
#endif /* _KERNEL */

/*
 * The next three hashing macros are copied from macros in ip_ire.h.
 */

/*
 * IPv4 bucket index: fold the two 16-bit halves of addr, fold a further
 * byte, then reduce modulo table_size (any size works).  addr is used as
 * an integer and evaluated several times.
 */
#define	TSOL_ADDR_HASH(addr, table_size) \
	(((((addr) >> 16) ^ (addr)) ^ ((((addr) >> 16) ^ (addr))>> 8)) \
	% (table_size))

/*
 * IPv6 bucket index from bytes 8, 9, 10, 13, 14 and 15 of the address
 * (bytes 11 and 12 are skipped), reduced modulo table_size.
 */
#define	TSOL_ADDR_HASH_V6(addr, table_size) \
	(((addr).s6_addr8[8] ^ (addr).s6_addr8[9] ^ \
	(addr).s6_addr8[10] ^ (addr).s6_addr8[13] ^ \
	(addr).s6_addr8[14] ^ (addr).s6_addr8[15]) % (table_size))

/*
 * This assumes that table_size is a power of 2.
 * Same bytes as above but masked first, and reduced with
 * & (table_size - 1), which is only a correct reduction for a power-of-two
 * size; do not pass TSOL_MASK_TABLE_SIZE_V6 (129) here.
 */
#define	TSOL_ADDR_MASK_HASH_V6(addr, mask, table_size) \
	((((addr).s6_addr8[8] & (mask).s6_addr8[8]) ^ \
	((addr).s6_addr8[9] & (mask).s6_addr8[9]) ^ \
	((addr).s6_addr8[10] & (mask).s6_addr8[10]) ^ \
	((addr).s6_addr8[13] & (mask).s6_addr8[13]) ^ \
	((addr).s6_addr8[14] & (mask).s6_addr8[14]) ^ \
	((addr).s6_addr8[15] & (mask).s6_addr8[15])) & ((table_size) - 1))


/*
 * Constants used for getting the mask value in struct tsol_tpent
 * (bit positions; see tsol_tntmask() below)
 */
enum {
	TNT_DEF_LABEL,
	TNT_DEF_CL,
	TNT_SL_RANGE_TSOL,	/* use this for both unl and zone */
	TNT_CIPSO_DOI
};

/*
 * mask definitions
 * tsol_tntmask() turns a TNT_* bit position into a tnmask_t bit; the
 * shift is done on a signed int, which is fine for the four positions
 * defined above (0..3).
 */
#define	tsol_tntmask(value)	((unsigned int)(1<<(value)))

#define	TSOL_MSK_DEF_LABEL	tsol_tntmask(TNT_DEF_LABEL)
#define	TSOL_MSK_DEF_CL		tsol_tntmask(TNT_DEF_CL)
#define	TSOL_MSK_SL_RANGE_TSOL	tsol_tntmask(TNT_SL_RANGE_TSOL)
#define	TSOL_MSK_CIPSO_DOI	tsol_tntmask(TNT_CIPSO_DOI)

/*
 * TN errors
 */
#define	TSOL_PARSE_ERANGE	1	/* result buffer not allocated */
#define	TSOL_NOT_SUPPORTED	2	/* address family not supported */
#define	TSOL_NOT_FOUND		3	/* search by * routines target not found */

/*
 * Structure used to hold a list of IP addresses.
 * Singly-linked list node; IPv4 only (in_addr_t).
 */
typedef struct tsol_address {
	struct tsol_address *next;
	in_addr_t ip_address;
} tsol_address_t;

#if (defined(_KERNEL) || defined(_KMEMUSER))
/*
 * This is shared between tcache and mdb.
 * One hash bucket: the chain head and the lock protecting the chain.
 */
typedef struct tnrhc_hash_s {
	tsol_tnrhc_t *tnrh_list;
	kmutex_t tnrh_lock;
} tnrhc_hash_t;
#endif /* _KERNEL || _KMEMUSER */

#ifdef _KERNEL
/* Classification of a port's MLP status as seen by the kernel. */
typedef enum {
	mlptSingle,
	mlptPrivate,
	mlptShared,
	mlptBoth
} mlp_type_t;

/*
 * Kernel interfaces implemented elsewhere; only the signatures are
 * visible here, so parameter semantics are documented at the definitions.
 */
extern tsol_tpc_t *find_tpc(const void *, uchar_t, boolean_t);
extern void tcache_init(void);
extern in_port_t tsol_next_port(zone_t *, in_port_t, int, boolean_t);
extern mlp_type_t tsol_mlp_port_type(zone_t *, uchar_t, uint16_t, mlp_type_t);
extern zoneid_t tsol_mlp_findzone(uchar_t, uint16_t);
extern int tsol_mlp_anon(zone_t *, mlp_type_t, uchar_t, uint16_t, boolean_t);
extern void tsol_print_label(const blevel_t *, const char *);

struct tsol_gc_s;
struct tsol_gcgrp_s;
struct tsol_gcgrp_addr_s;

extern struct tsol_gc_s *gc_create(struct rtsa_s *, struct tsol_gcgrp_s *,
    boolean_t *);
extern void gc_inactive(struct tsol_gc_s *);
extern int rtsa_validate(const struct rtsa_s *);
extern struct tsol_gcgrp_s *gcgrp_lookup(struct tsol_gcgrp_addr_s *, boolean_t);
extern void gcgrp_inactive(struct tsol_gcgrp_s *);
extern int tnrh_load(const tsol_rhent_t *);
#endif /* _KERNEL */

#ifdef __cplusplus
}
#endif

#endif /* _SYS_TSOL_TNDB_H */