1/* $NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $ */ 2 3/* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#ifndef _POLICY_H 35#define _POLICY_H 36 37#include <sys/queue.h> 38 39 40#ifdef HAVE_SECCTX 41#define MAX_CTXSTR_SIZE 50 42struct security_ctx { 43 u_int8_t ctx_doi; /* Security Context DOI */ 44 u_int8_t ctx_alg; /* Security Context Algorithm */ 45 u_int16_t ctx_strlen; /* Security Context stringlength 46 * (includes terminating NULL) 47 */ 48 char ctx_str[MAX_CTXSTR_SIZE]; /* Security Context string */ 49}; 50#endif 51 52/* refs. ipsec.h */ 53/* 54 * Security Policy Index 55 * NOTE: Ensure to be same address family and upper layer protocol. 56 * NOTE: ul_proto, port number, uid, gid: 57 * ANY: reserved for waldcard. 58 * 0 to (~0 - 1): is one of the number of each value. 59 */ 60struct policyindex { 61 u_int8_t dir; /* direction of packet flow, see blow */ 62 struct sockaddr_storage src; /* IP src address for SP */ 63 struct sockaddr_storage dst; /* IP dst address for SP */ 64 u_int8_t prefs; /* prefix length in bits for src */ 65 u_int8_t prefd; /* prefix length in bits for dst */ 66 u_int16_t ul_proto; /* upper layer Protocol */ 67 u_int32_t priority; /* priority for the policy */ 68 u_int64_t created; /* Used for generated SPD entries deletion */ 69#ifdef HAVE_SECCTX 70 struct security_ctx sec_ctx; /* Security Context */ 71#endif 72}; 73 74/* Security Policy Data Base */ 75struct secpolicy { 76 TAILQ_ENTRY(secpolicy) chain; 77 78 struct policyindex spidx; /* selector */ 79 u_int32_t id; /* It's unique number on the system. */ 80 81 u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */ 82 struct ipsecrequest *req; 83 /* pointer to the ipsec request tree, */ 84 /* if policy == IPSEC else this value == NULL.*/ 85 86 /* MIPv6 needs to perform negotiation of SA using different addresses 87 * than the endpoints of the SA (CoA for the source). In that case, 88 * MIGRATE msg provides that info (before movement occurs on the MN) */ 89 struct sockaddr *local; 90 struct sockaddr *remote; 91}; 92 93/* Security Assocciation Index */ 94/* NOTE: Ensure to be same address family */ 95struct secasindex { 96 struct sockaddr_storage src; /* srouce address for SA */ 97 struct sockaddr_storage dst; /* destination address for SA */ 98 u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ 99 u_int8_t mode; /* mode of protocol, see ipsec.h */ 100 u_int32_t reqid; /* reqid id who owned this SA */ 101 /* see IPSEC_MANUAL_REQID_MAX. */ 102}; 103 104/* Request for IPsec */ 105struct ipsecrequest { 106 struct ipsecrequest *next; 107 /* pointer to next structure */ 108 /* If NULL, it means the end of chain. */ 109 110 struct secasindex saidx;/* hint for search proper SA */ 111 /* if __ss_len == 0 then no address specified.*/ 112 u_int level; /* IPsec level defined below. */ 113 114 struct secpolicy *sp; /* back pointer to SP */ 115}; 116 117#ifdef HAVE_PFKEY_POLICY_PRIORITY 118#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx) \ 119do { \ 120 bzero((idx), sizeof(struct policyindex)); \ 121 (idx)->dir = (_dir); \ 122 (idx)->prefs = (ps); \ 123 (idx)->prefd = (pd); \ 124 (idx)->ul_proto = (ulp); \ 125 (idx)->priority = (_priority); \ 126 (idx)->created = (_created); \ 127 memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \ 128 memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \ 129} while (0) 130#else 131#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx) \ 132do { \ 133 bzero((idx), sizeof(struct policyindex)); \ 134 (idx)->dir = (_dir); \ 135 (idx)->prefs = (ps); \ 136 (idx)->prefd = (pd); \ 137 (idx)->ul_proto = (ulp); \ 138 (idx)->created = (_created); \ 139 memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \ 140 memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \ 141} while (0) 142#endif 143 144struct ph2handle; 145struct policyindex; 146extern struct secpolicy *getsp __P((struct policyindex *)); 147extern struct secpolicy *getsp_r __P((struct policyindex *)); 148struct secpolicy *getspbyspid __P((u_int32_t)); 149extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *)); 150extern int cmpspidxwild __P((struct policyindex *, struct policyindex *)); 151extern struct secpolicy *newsp __P((void)); 152extern void delsp __P((struct secpolicy *)); 153extern void delsp_bothdir __P((struct policyindex *)); 154extern void inssp __P((struct secpolicy *)); 155extern void remsp __P((struct secpolicy *)); 156extern void flushsp __P((void)); 157extern void initsp __P((void)); 158extern struct ipsecrequest *newipsecreq __P((void)); 159 160extern const char *spidx2str __P((const struct policyindex *)); 161#ifdef HAVE_SECCTX 162#include <selinux/selinux.h> 163extern int get_security_context __P((vchar_t *, struct policyindex *)); 164extern void init_avc __P((void)); 165extern int within_range __P((security_context_t, security_context_t)); 166extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex)); 167#endif 168 169#endif /* _POLICY_H */ 170