1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * from "tndb.h	7.34	01/08/31 SMI; TSOL 2.x"
26  */
27 
28 #ifndef	_SYS_TSOL_TNDB_H
29 #define	_SYS_TSOL_TNDB_H
30 
31 #pragma ident	"%Z%%M%	%I%	%E% SMI"
32 
33 #include <sys/types.h>
34 #include <sys/tsol/label.h>
35 #include <sys/tsol/label_macro.h>
36 #include <net/if.h>
37 
38 #ifdef _KERNEL
39 #include <net/route.h>
40 #include <sys/zone.h>
41 #endif
42 
43 #ifdef	__cplusplus
44 extern "C" {
45 #endif
46 
/*
 * Socket-address container for a labeled host: one storage area that holds
 * either an IPv4 or an IPv6 sockaddr.  Both variants begin with the address
 * family, which is why the ta_family accessor below reads the v4 member
 * regardless of which variant is stored.
 * same on ILP32 and LP64
 */
typedef union tnaddr {
	struct sockaddr_in	ip_addr_v4;	/* AF_INET variant */
	struct sockaddr_in6	ip_addr_v6;	/* AF_INET6 variant */
} tnaddr_t;
52 
/*
 * Field accessors for tnaddr_t.  ta_family is read through the v4 member
 * for both address families; the remaining accessors must only be used
 * once ta_family has been checked.
 */
#define	ta_family	ip_addr_v4.sin_family
#define	ta_addr_v4	ip_addr_v4.sin_addr
#define	ta_addr_v6	ip_addr_v6.sin6_addr
#define	ta_port_v4	ip_addr_v4.sin_port
#define	ta_port_v6	ip_addr_v6.sin6_port

/*
 * TNADDR_EQ(addr1, addr2): non-zero when two tnaddr_t pointers carry the
 * same family and the same IP address.  Ports are NOT compared, so two
 * entries that differ only in port compare equal; mixed families never do.
 * Both arguments are evaluated more than once.
 */
#define	TNADDR_EQ(addr1, addr2) \
	((addr1)->ta_family == (addr2)->ta_family && \
	(((addr1)->ta_family == AF_INET && \
	(addr1)->ta_addr_v4.s_addr == (addr2)->ta_addr_v4.s_addr) || \
	((addr1)->ta_family == AF_INET6 && \
	IN6_ARE_ADDR_EQUAL(&(addr1)->ta_addr_v6, &(addr2)->ta_addr_v6))))
64 
/*
 * structure for TN database access routines and TN system calls
 *
 * Operation code handed to the tnrh/tnrhtp/tnmlp database routines and
 * the corresponding (2TSOL) system calls.  The numeric values cross the
 * user/kernel boundary and must not be renumbered; value 4 is unassigned.
 */

typedef enum tsol_dbops {
	TNDB_NOOP = 0,
	TNDB_LOAD = 1,
	TNDB_DELETE = 2,
	TNDB_FLUSH = 3,
	TNDB_GET = 5
} tsol_dbops_t;
76 
/* Fixed buffer sizes shared by the user and kernel views of the databases. */
#define	TNTNAMSIZ 	32	/* template name size; bounds rh_template, */
				/* tsol_tpent.name and zc_name below */
#define	IP_STR_SIZE 	200	/* string ip address size */

#define	TNRHDB_NCOL	2	/* # of columns in tnrhdb */
81 
/*
 * For tnrhdb access library routines and tnrh(2TSOL)
 * same for both ILP32 and LP64.
 *
 * One remote-host entry: an address plus the name of the template that
 * describes how traffic to/from it is labeled.  rh_prefix is presumably a
 * CIDR-style prefix length (0..32 for v4, 0..128 for v6, matching the
 * TSOL_MASK_TABLE_SIZE* values below) -- confirm against the parsers.
 */
typedef struct tsol_rhent {
	short rh_prefix;		/* length of subnet mask */
	short rh_unused;		/* padding */
	tnaddr_t rh_address;		/* IP address */
	char rh_template[TNTNAMSIZ];	/* template name; NUL-terminated */
					/* form of a tnrhtp name */
} tsol_rhent_t;
92 
/*
 * String form of a tnrhdb entry (the two textual columns counted by
 * TNRHDB_NCOL) before it is parsed into a tsol_rhent_t.  Ownership of the
 * two strings is not stated here -- presumably the caller's; verify.
 */
typedef struct tsol_rhstr_s {
	int	family;		/* address family of 'address' */
	char	*address;	/* textual IP address / prefix */
	char	*template;	/* template name column */
} tsol_rhstr_t;
98 
/*
 * host types recognized by tsol hosts
 *
 * Selects which arm of the tsol_tpent union is live: UNLABELED uses
 * struct tsol_unl, SUN_CIPSO uses struct tsol_cipso.  Values 0 and 2
 * are intentionally not defined.
 */
typedef enum {
	UNLABELED	= 1,
	SUN_CIPSO	= 3
} tsol_host_type_t;
106 
/* Kind of IP option used to carry the label on the wire, if any. */
typedef enum {
	OPT_NONE	= 0,	/* no label option on the packet */
	OPT_CIPSO	= 1	/* CIPSO option (see cipso_option below) */
} tsol_ip_label_t;
111 
/*
 * Wire layout of a CIPSO tag of type 1.  The first four octets are the
 * fixed header (TSOL_TT1_MIN_LENGTH); tag_cat[1] is only a placeholder
 * for the variable-length category octets that follow, so sizeof this
 * struct (5) is not a usable length.  Tag data arrives from the network:
 * tag_length must be validated against TSOL_TT1_MIN_LENGTH and
 * TSOL_TT1_MAX_LENGTH before tag_cat is indexed.
 */
typedef struct cipso_tag_type_1 {
	uchar_t	tag_type;		/* Tag Type (1) */
	uchar_t	tag_length;		/* Length of Tag, header included */
	uchar_t	tag_align;		/* Alignment Octet */
	uchar_t	tag_sl;			/* Sensitivity Level */
	uchar_t	tag_cat[1];		/* Categories (variable length) */
} cipso_tag_type_1_t;
119 
/*
 * Bounds and offsets for CIPSO option parsing.  The minimum option length
 * (6) is the fixed part of cipso_option: type, length and 4 DOI octets;
 * the DOI and first-tag offsets (2 and 6) are the byte offsets of
 * cipso_doi and cipso_tag_type in that struct.  A type-1 tag is 4 header
 * octets plus at most 30 category octets.  IP_MAX_OPT_LENGTH is not
 * defined in this header; it is expected from the IP headers.
 */
#define	TSOL_CIPSO_MIN_LENGTH 6
#define	TSOL_CIPSO_MAX_LENGTH IP_MAX_OPT_LENGTH
#define	TSOL_TT1_MIN_LENGTH 4
#define	TSOL_TT1_MAX_LENGTH 34

#define	TSOL_CIPSO_DOI_OFFSET 2
#define	TSOL_CIPSO_TAG_OFFSET 6
127 
/*
 * Wire layout of the CIPSO IP option.  Only the first six octets are
 * fixed; cipso_tag_type[1] marks where the first tag begins
 * (TSOL_CIPSO_TAG_OFFSET) and must not be used for sizing.  cipso_length
 * comes from the packet and must be checked against TSOL_CIPSO_MIN_LENGTH
 * / TSOL_CIPSO_MAX_LENGTH before any tag is touched.  Byte order of the
 * DOI is not stated here -- presumably network order; confirm in the parser.
 */
typedef struct cipso_option {
	uchar_t	cipso_type;		/* Type of option (134) */
	uchar_t	cipso_length;		/* Length of option */
	uchar_t	cipso_doi[4];		/* Domain of Interpretation */
	uchar_t	cipso_tag_type[1];	/* variable length */
} cipso_option_t;
134 
/*
 * RIPSO classifications
 *
 * Single-octet classification codes.  These are distinct code points,
 * not bit flags, and must be compared for equality rather than masked.
 */
#define	TSOL_CL_TOP_SECRET 0x3d
#define	TSOL_CL_SECRET 0x5a
#define	TSOL_CL_CONFIDENTIAL 0x96
#define	TSOL_CL_UNCLASSIFIED 0xab
142 
/*
 * RIPSO protection authorities
 *
 * Each value is a single bit of the protection-authority octet; several
 * may be OR-ed together.
 */
#define	TSOL_PA_GENSER 0x80
#define	TSOL_PA_SIOP_ESI 0x40
#define	TSOL_PA_SCI 0x20
#define	TSOL_PA_NSA 0x10
#define	TSOL_PA_DOE 0x08
151 
/*
 * this mask is only used for tndb structures, and is different
 * from t6mask_t bits definitions
 *
 * Bit set of the TNT_* selectors (see tsol_tntmask / TSOL_MSK_* below)
 * recording which attributes of a template are present.
 */

typedef unsigned int tnmask_t;
158 
/*
 * unlabeled host structure for the tnrhtp template.
 * same for both ILP32 and LP64.
 *
 * Live arm of tsol_tpent.un when host_type == UNLABELED.
 */
struct tsol_unl {
	tnmask_t mask; /* tells which attributes are returned by the library */
	bslabel_t def_label;	/* default label */
	brange_t gw_sl_range;	/* for routing only */
	blset_t sl_set;		/* label set */
};
169 
/*
 * CIPSO host structure for the tnrhtp template
 * same for both ILP32 and LP64.
 *
 * Live arm of tsol_tpent.un when host_type == SUN_CIPSO.  Same size and
 * leading 'mask' field as struct tsol_unl, so 'mask' can be read through
 * either arm.
 */
struct tsol_cipso {
	tnmask_t mask; /* tells which attributes are returned by the library */
	bclear_t def_cl;	/* default clearance */
	brange_t sl_range;	/* min/max SL range */
	blset_t sl_set;		/* label set */
};
180 
/*
 * Valid keys and values of the key=value pairs for tnrhtp
 *
 * These literals are matched against database text; they are part of the
 * file format and must be kept byte-for-byte.  TP_UNLABELED / TP_CIPSO are
 * the values accepted for TP_HOSTTYPE; TP_COMMA separates pairs.
 */
#define	TP_UNLABELED	"unlabeled"
#define	TP_CIPSO	"cipso"
#define	TP_ZONE		"zone"
#define	TP_HOSTTYPE	"host_type"
#define	TP_DOI		"doi"
#define	TP_DEFLABEL	"def_label"
#define	TP_MINLABEL	"min_sl"
#define	TP_MAXLABEL	"max_sl"
#define	TP_SET		"sl_set"

#define	TP_COMMA	","

#define	TNRHTP_NCOL	2	/* # of columns in tnrhtp */
197 
/*
 * For tnrhtp access library routines and tnrhtp(2TSOL)
 * same for both ILP32 and LP64.
 *
 * One template entry.  host_type selects the live arm of 'un'; the
 * tp_* macros defined inside the struct are aliases so callers can name
 * the per-arm fields without spelling out the union path.
 */
typedef struct tsol_tpent {
	char name[TNTNAMSIZ]; /* template name */
	tsol_host_type_t host_type; /* specifies host type */
	int tp_doi;		/* Domain of Interpretation */
/* the DOI is shared by both arms; two names for the same field */
#define	tp_cipso_doi_unl	tp_doi
#define	tp_cipso_doi_cipso	tp_doi
	union {
		struct tsol_unl unl; /* template for unlabeled */
#define	tp_mask_unl		un.unl.mask
#define	tp_def_label		un.unl.def_label
#define	tp_gw_sl_range		un.unl.gw_sl_range
#define	tp_gw_sl_set		un.unl.sl_set

		struct tsol_cipso cipso; /* template for CIPSO */
#define	tp_mask_cipso		un.cipso.mask
#define	tp_def_cl_cipso		un.cipso.def_cl
#define	tp_sl_range_cipso	un.cipso.sl_range
#define	tp_sl_set_cipso		un.cipso.sl_set
	} un;
} tsol_tpent_t;
222 
/*
 * String form of a tnrhtp entry (the two columns counted by TNRHTP_NCOL):
 * the template name and its unparsed "key=value,..." attribute text.
 */
typedef struct tsol_tpstr_s {
	char	*template;	/* template name column */
	char	*attrs;		/* attribute column, TP_* keys joined by TP_COMMA */
} tsol_tpstr_t;
227 
/*
 * For tnmlp(2TSOL); same for both ILP32 and LP64.
 *
 * Multilevel-port entry exchanged with the kernel: the zone it belongs to,
 * TSOL_MEF_* flags and the port/protocol description (tsol_mlp_t comes
 * from the label headers included above).
 */
typedef struct tsol_mlpent {
	zoneid_t	tsme_zoneid;
	uint_t		tsme_flags;	/* TSOL_MEF_* */
	tsol_mlp_t	tsme_mlp;
} tsol_mlpent_t;

#define	TSOL_MEF_SHARED	0x00000001	/* MLP defined on shared addresses */
238 
/*
 * For tnzonecfg access library routines.
 * List of MLPs ends with null entry, where protocol and port are both zero.
 *
 * Per-zone label configuration.  zc_private_mlp and zc_shared_mlp point to
 * arrays terminated by an entry for which TSOL_MLP_END() is true; the
 * allocation/ownership of those arrays is not stated here.  The meaning of
 * zc_match is not documented in this header -- check the zonecfg code.
 */
typedef struct tsol_zcent {
	char		zc_name[TNTNAMSIZ];	/* zone name */
	int		zc_doi;			/* Domain of Interpretation */
	bslabel_t	zc_label;		/* zone's label */
	int		zc_match;
	tsol_mlp_t	*zc_private_mlp;	/* TSOL_MLP_END-terminated */
	tsol_mlp_t	*zc_shared_mlp;		/* TSOL_MLP_END-terminated */
} tsol_zcent_t;
/* terminator test for the MLP arrays: protocol and port both zero */
#define	TSOL_MLP_END(mlp)	((mlp)->mlp_ipp == 0 && (mlp)->mlp_port == 0)
252 
/*
 * Kernel-cached template.  tpc_refcnt is manipulated only under tpc_lock
 * via TPC_HOLD/TPC_RELE (below, _KERNEL only); the entry is freed by
 * tpc_free() when the last reference goes away.  tpc_invalid marks an
 * entry that has been deleted from the database but is still referenced.
 */
typedef struct tsol_tpc {
	kmutex_t		tpc_lock;	/* lock for structure */
	uint_t			tpc_refcnt;	/* reference count */
	boolean_t		tpc_invalid;	/* entry has been deleted */
	struct tsol_tpent	tpc_tp;		/* template */
} tsol_tpc_t;
259 
/*
 * Kernel-cached remote-host entry, chained through rhc_next in a
 * tnrhc_hash_t bucket.  rhc_refcnt is manipulated only under rhc_lock
 * via TNRHC_HOLD/TNRHC_RELE (below, _KERNEL only) and the entry is freed
 * by tnrhc_free() on the last release.  rhc_tpc holds a reference to the
 * template cache entry; the flag fields are used as booleans.
 */
typedef struct tsol_tnrhc {
	struct tsol_tnrhc 	*rhc_next;	/* link to next entry */
	kmutex_t		rhc_lock;	/* lock for structure */
	tnaddr_t		rhc_host;	/* IPv4/IPv6 host address */
	tsol_tpc_t		*rhc_tpc;	/* pointer to template */
	uint_t			rhc_refcnt;	/* Number of references */
	char			rhc_invalid;	/* out-of-date rhc */
	char			rhc_isbcast;	/* broadcast address */
	char			rhc_local;	/* loopback or local interface */
} tsol_tnrhc_t;
270 
/*
 * Size of remote host hash tables in kernel.
 * TNRHC_SIZE (256) is a power of two and so is usable with
 * TSOL_ADDR_MASK_HASH_V6; the two mask-table sizes are one slot per
 * possible prefix length (0..32 and 0..128) and are not powers of two.
 */
#define	TNRHC_SIZE 256
#define	TSOL_MASK_TABLE_SIZE	33
#define	TSOL_MASK_TABLE_SIZE_V6	129
275 
276 #ifdef	_KERNEL
/*
 * Reference counting for cached remote-host (tnrhc) and template (tpc)
 * entries.  Each macro takes the entry's own mutex around the count
 * update.  HOLD asserts after the increment (catches the unsigned count
 * wrapping to zero); RELE asserts before the decrement (catches a release
 * without a matching hold).  Both counts are uint_t, so "<= 0" is
 * effectively "== 0".
 *
 * NOTE(review): these are plain brace blocks rather than do { } while (0),
 * so "TNRHC_HOLD(p);" leaves a stray empty statement and none of them can
 * be the unbraced body of an if/else.
 */
#define	TNRHC_HOLD(a)	{					\
	mutex_enter(&(a)->rhc_lock);				\
	(a)->rhc_refcnt++;					\
	ASSERT((a)->rhc_refcnt > 0);				\
	mutex_exit(&(a)->rhc_lock);				\
}
/*
 * Drop one reference.  On the last one tnrhc_free() is entered with
 * rhc_lock still held (there is no mutex_exit on that path); presumably
 * tnrhc_free releases and destroys the lock -- confirm in its definition.
 */
#define	TNRHC_RELE(a)	{					\
	mutex_enter(&(a)->rhc_lock);				\
	ASSERT((a)->rhc_refcnt > 0);				\
	if (--(a)->rhc_refcnt <= 0)				\
		tnrhc_free(a);					\
	else							\
		mutex_exit(&(a)->rhc_lock);			\
}
/* called by TNRHC_RELE with rhc_lock held; frees the entry */
extern void tnrhc_free(tsol_tnrhc_t *);
#define	TPC_HOLD(a)	{					\
	mutex_enter(&(a)->tpc_lock);				\
	(a)->tpc_refcnt++;					\
	ASSERT((a)->tpc_refcnt > 0);				\
	mutex_exit(&(a)->tpc_lock);				\
}
/* same lock discipline as TNRHC_RELE: tpc_free() is entered locked */
#define	TPC_RELE(a)	{					\
	mutex_enter(&(a)->tpc_lock);				\
	ASSERT((a)->tpc_refcnt > 0);				\
	if (--(a)->tpc_refcnt <= 0)				\
		tpc_free(a);					\
	else							\
		mutex_exit(&(a)->tpc_lock);			\
}
/* called by TPC_RELE with tpc_lock held; frees the entry */
extern void tpc_free(tsol_tpc_t *);
307 #endif	/* _KERNEL */
308 
/*
 * The next three hashing macros are copied from macros in ip_ire.h.
 */

/*
 * TSOL_ADDR_HASH(addr, table_size): bucket index for a 32-bit IPv4
 * address.  The upper half-word is folded into the lower one, the next
 * byte is folded down on top of that, and the result is reduced modulo
 * table_size (which may be any non-zero size).  addr is evaluated four
 * times, so pass a plain value, never an expression with side effects.
 */
#define	TSOL_ADDR_HASH(addr, table_size)				\
	((((addr) ^ ((addr) >> 16)) ^					\
	(((addr) ^ ((addr) >> 16)) >> 8)) % (table_size))
315 
/*
 * TSOL_ADDR_HASH_V6(addr, table_size): bucket index for an IPv6 address
 * given as a struct with an s6_addr8[16] byte view.  Only bytes 8, 9,
 * 10, 13, 14 and 15 contribute (11 and 12 are skipped); the XOR of those
 * six bytes is reduced modulo table_size, which may be any non-zero size.
 */
#define	TSOL_ADDR_HASH_V6(addr, table_size)				\
	(((addr).s6_addr8[15] ^ (addr).s6_addr8[14] ^			\
	(addr).s6_addr8[13] ^ (addr).s6_addr8[10] ^			\
	(addr).s6_addr8[9] ^ (addr).s6_addr8[8]) % (table_size))
320 
/*
 * TSOL_ADDR_MASK_HASH_V6(addr, mask, table_size): like TSOL_ADDR_HASH_V6
 * but every byte is first ANDed with the matching byte of mask, so all
 * addresses sharing the masked prefix fall into the same bucket.
 * This assumes that table_size is a power of 2: the reduction is
 * "& (table_size - 1)" rather than "%".  Of the sizes in this header
 * only TNRHC_SIZE (256) satisfies that; TSOL_MASK_TABLE_SIZE (33) and
 * TSOL_MASK_TABLE_SIZE_V6 (129) do not and must not be passed here.
 */
#define	TSOL_ADDR_MASK_HASH_V6(addr, mask, table_size)			\
	((((addr).s6_addr8[15] & (mask).s6_addr8[15]) ^			\
	((addr).s6_addr8[14] & (mask).s6_addr8[14]) ^			\
	((addr).s6_addr8[13] & (mask).s6_addr8[13]) ^			\
	((addr).s6_addr8[10] & (mask).s6_addr8[10]) ^			\
	((addr).s6_addr8[9] & (mask).s6_addr8[9]) ^			\
	((addr).s6_addr8[8] & (mask).s6_addr8[8])) & ((table_size) - 1))
329 
330 
331 /*
332  * Constants used for getting the mask value in struct tsol_tpent
333  */
334 enum {
335 	TNT_DEF_LABEL,
336 	TNT_DEF_CL,
337 	TNT_SL_RANGE_TSOL, /* use this for both unl and zone */
338 	TNT_CIPSO_DOI
339 };
340 
341 /*
342  * mask definitions
343  */
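/*
 * tsol_tntmask(value): single-bit tnmask_t mask for one TNT_* selector.
 * The shift is done on an unsigned 1 so that a value of 31 is defined
 * behaviour (left-shifting a signed 1 into the sign bit is not); for
 * 0..30 the result is unchanged.  'value' must be below the width of
 * unsigned int.
 */
#define	tsol_tntmask(value) ((unsigned int)(1U<<(value)))

/* named masks for each TNT_* selector */
#define	TSOL_MSK_DEF_LABEL tsol_tntmask(TNT_DEF_LABEL)
#define	TSOL_MSK_DEF_CL tsol_tntmask(TNT_DEF_CL)
#define	TSOL_MSK_SL_RANGE_TSOL tsol_tntmask(TNT_SL_RANGE_TSOL)
#define	TSOL_MSK_CIPSO_DOI tsol_tntmask(TNT_CIPSO_DOI)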
350 
/*
 * TN errors
 *
 * Error codes returned by the database access routines; distinct from
 * errno values.
 */
#define	TSOL_PARSE_ERANGE 1 /* result buffer not allocated */
#define	TSOL_NOT_SUPPORTED 2 /* address family not supported */
#define	TSOL_NOT_FOUND 3 /* search by * routines target not found */
357 
/*
 * Structure used to hold a list of IP addresses.
 * Singly linked; IPv4 only (in_addr_t), unlike tnaddr_t.
 */
typedef struct tsol_address {
	struct tsol_address	*next;		/* next node, NULL at end */
	in_addr_t		ip_address;	/* IPv4 address */
} tsol_address_t;
365 
/*
 * This is shared between tcache and mdb.
 * One bucket of the remote-host cache: the chain head plus the lock
 * that protects the chain.  The layout is read by mdb, so field order
 * must not change.
 */
typedef struct tnrhc_hash_s {
	tsol_tnrhc_t *tnrh_list;	/* head of the rhc_next chain */
	kmutex_t tnrh_lock;		/* protects tnrh_list */
} tnrhc_hash_t;
371 
372 #ifdef _KERNEL
/*
 * Classification of a multilevel port as seen by the kernel MLP lookup
 * routines below.  The exact semantics of each value are not stated in
 * this header -- see the implementation of tsol_mlp_port_type().
 */
typedef enum {
	mlptSingle,
	mlptPrivate,
	mlptShared,
	mlptBoth
} mlp_type_t;
379 
/*
 * Kernel-internal entry points.  Parameter meanings are not documented
 * here; the notes below record only what the prototypes show.
 */
/* template-cache lookup; the returned tsol_tpc_t is reference-counted (TPC_HOLD/TPC_RELE) */
extern tsol_tpc_t *find_tpc(const void *, uchar_t, boolean_t);
/* one-time initialisation of the template/remote-host caches */
extern void tcache_init(void);
/* MLP-aware port selection for a zone */
extern in_port_t tsol_next_port(zone_t *, in_port_t, int, boolean_t);
/* classify (protocol, port) for a zone; see mlp_type_t */
extern mlp_type_t tsol_mlp_port_type(zone_t *, uchar_t, uint16_t, mlp_type_t);
/* zone owning a (protocol, port) MLP */
extern zoneid_t tsol_mlp_findzone(uchar_t, uint16_t);
extern int tsol_mlp_anon(zone_t *, mlp_type_t, uchar_t, uint16_t, boolean_t);
/* debugging aid: print a label with a prefix string */
extern void tsol_print_label(const blevel_t *, const char *);

/* opaque gateway-credential types; defined in the routing code */
struct tsol_gc_s;
struct tsol_gcgrp_s;
struct tsol_gcgrp_addr_s;

/*
 * struct rtsa_s is not forward-declared here; it is expected from
 * <net/route.h>, which this header includes under _KERNEL.
 */
extern struct tsol_gc_s *gc_create(struct rtsa_s *, struct tsol_gcgrp_s *,
    boolean_t *);
extern void gc_inactive(struct tsol_gc_s *);
/* validates a route security attribute; non-zero on failure presumably -- confirm */
extern int rtsa_validate(const struct rtsa_s *);
extern struct tsol_gcgrp_s *gcgrp_lookup(struct tsol_gcgrp_addr_s *, boolean_t);
extern void gcgrp_inactive(struct tsol_gcgrp_s *);
/* install a remote-host entry into the kernel cache */
extern int tnrh_load(const tsol_rhent_t *);
399 #endif /* _KERNEL */
400 
401 #ifdef	__cplusplus
402 }
403 #endif
404 
405 #endif	/* _SYS_TSOL_TNDB_H */
406