sys/tsol/tndb.h

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * from "tndb.h	7.34	01/08/31 SMI; TSOL 2.x"
 */

#ifndef	_SYS_TSOL_TNDB_H
#define	_SYS_TSOL_TNDB_H

#include <sys/types.h>
#include <sys/zone.h>
#include <sys/tsol/label.h>
#include <sys/tsol/label_macro.h>
#include <net/if.h>

#ifdef _KERNEL
#include <net/route.h>
#endif

#ifdef	__cplusplus
extern "C" {
#endif

/* same on ILP32 and LP64 */
typedef union tnaddr {
	struct sockaddr_in	ip_addr_v4;
	struct sockaddr_in6	ip_addr_v6;
} tnaddr_t;

#define	ta_family	ip_addr_v4.sin_family
#define	ta_addr_v4	ip_addr_v4.sin_addr
#define	ta_addr_v6	ip_addr_v6.sin6_addr
#define	ta_port_v4	ip_addr_v4.sin_port
#define	ta_port_v6	ip_addr_v6.sin6_port

#define	TNADDR_EQ(addr1, addr2) \
	(((addr1)->ta_family == AF_INET && (addr2)->ta_family == AF_INET && \
	(addr1)->ta_addr_v4.s_addr == (addr2)->ta_addr_v4.s_addr) || \
	((addr1)->ta_family == AF_INET6 && (addr2)->ta_family == AF_INET6 && \
	IN6_ARE_ADDR_EQUAL(&(addr1)->ta_addr_v6, &(addr2)->ta_addr_v6)))

/*
 * structure for TN database access routines and TN system calls
 */

typedef enum tsol_dbops {
	TNDB_NOOP = 0,
	TNDB_LOAD = 1,
	TNDB_DELETE = 2,
	TNDB_FLUSH = 3,
	TNDB_GET = 5
} tsol_dbops_t;

#define	TNTNAMSIZ 	ZONENAME_MAX	/* template name size */
#define	IP_STR_SIZE 	200		/* string ip address size */

#define	TNRHDB_NCOL	2		/* # of columns in tnrhdb */

/*
 * For tnrhdb access library routines and tnrh(2TSOL)
 * same for both ILP32 and LP64.
 */
typedef struct tsol_rhent {
	short rh_prefix;		/* length of subnet mask */
	short rh_unused;		/* padding */
	tnaddr_t rh_address;		/* IP address */
	char rh_template[TNTNAMSIZ];	/* template name */
} tsol_rhent_t;

typedef struct tsol_rhstr_s {
	int	family;
	char	*address;
	char	*template;
} tsol_rhstr_t;

/*
 * host types recognized by tsol hosts
 */
typedef enum {
	UNLABELED	= 1,
	SUN_CIPSO	= 3
} tsol_host_type_t;

typedef enum {
	OPT_NONE	= 0,
	OPT_CIPSO	= 1
} tsol_ip_label_t;

typedef struct cipso_tag_type_1 {
	uchar_t	tag_type;		/* Tag Type (1) */
	uchar_t	tag_length;		/* Length of Tag */
	uchar_t	tag_align;		/* Alignment Octet */
	uchar_t	tag_sl;			/* Sensitivity Level */
	uchar_t	tag_cat[1];		/* Categories */
} cipso_tag_type_1_t;

#define	TSOL_CIPSO_MIN_LENGTH 6
#define	TSOL_CIPSO_MAX_LENGTH IP_MAX_OPT_LENGTH
#define	TSOL_TT1_MIN_LENGTH 4
#define	TSOL_TT1_MAX_LENGTH 34

#define	TSOL_CIPSO_DOI_OFFSET 2
#define	TSOL_CIPSO_TAG_OFFSET 6

typedef struct cipso_option {
	uchar_t	cipso_type;		/* Type of option (134) */
	uchar_t	cipso_length;		/* Length of option */
	uchar_t	cipso_doi[4];		/* Domain of Interpretation */
	uchar_t	cipso_tag_type[1];	/* variable length */
} cipso_option_t;

/*
 * RIPSO classifications
 */
#define	TSOL_CL_TOP_SECRET 0x3d
#define	TSOL_CL_SECRET 0x5a
#define	TSOL_CL_CONFIDENTIAL 0x96
#define	TSOL_CL_UNCLASSIFIED 0xab

/*
 * RIPSO protection authorities
 */
#define	TSOL_PA_GENSER 0x80
#define	TSOL_PA_SIOP_ESI 0x40
#define	TSOL_PA_SCI 0x20
#define	TSOL_PA_NSA 0x10
#define	TSOL_PA_DOE 0x08

/*
 * this mask is only used for tndb structures, and is different
 * from t6mask_t bits definitions
 */

typedef unsigned int tnmask_t;

/*
 * unlabeled host structure for the tnrhtp template.
 * same for both ILP32 and LP64.
 */
struct tsol_unl {
	tnmask_t mask; /* tells which attributes are returned by the library */
	bslabel_t def_label;	/* default label */
	brange_t gw_sl_range;	/* for routing only */
	blset_t sl_set;		/* label set */
};

/*
 * CIPSO host structure for the tnrhtp template
 * same for both ILP32 and LP64.
 */
struct tsol_cipso {
	tnmask_t mask; /* tells which attributes are returned by the library */
	bclear_t def_cl;	/* default clearance */
	brange_t sl_range;	/* min/max SL range */
	blset_t sl_set;		/* label set */
};

/*
 * Valid keys and values of the key=value pairs for tnrhtp
 */
#define	TP_UNLABELED	"unlabeled"
#define	TP_CIPSO	"cipso"
#define	TP_ZONE		"zone"
#define	TP_HOSTTYPE	"host_type"
#define	TP_DOI		"doi"
#define	TP_DEFLABEL	"def_label"
#define	TP_MINLABEL	"min_sl"
#define	TP_MAXLABEL	"max_sl"
#define	TP_SET		"sl_set"

#define	TP_COMMA	","

#define	TNRHTP_NCOL	2	/* # of columns in tnrhtp */

/*
 * For tnrhtp access library routines and tnrhtp(2TSOL)
 * same for both ILP32 and LP64.
 */
typedef struct tsol_tpent {
	char name[TNTNAMSIZ]; /* template name */
	tsol_host_type_t host_type; /* specifies host type */
	int tp_doi;		/* Domain of Interpretation */
#define	tp_cipso_doi_unl	tp_doi
#define	tp_cipso_doi_cipso	tp_doi
	union {
		struct tsol_unl unl; /* template for unlabeled */
#define	tp_mask_unl		un.unl.mask
#define	tp_def_label		un.unl.def_label
#define	tp_gw_sl_range		un.unl.gw_sl_range
#define	tp_gw_sl_set		un.unl.sl_set

		struct tsol_cipso cipso; /* template for CIPSO */
#define	tp_mask_cipso		un.cipso.mask
#define	tp_def_cl_cipso		un.cipso.def_cl
#define	tp_sl_range_cipso	un.cipso.sl_range
#define	tp_sl_set_cipso		un.cipso.sl_set
	} un;
} tsol_tpent_t;

typedef struct tsol_tpstr_s {
	char	*template;
	char	*attrs;
} tsol_tpstr_t;

/*
 * For tnmlp(2TSOL); same for both ILP32 and LP64.
 */
typedef struct tsol_mlpent {
	zoneid_t	tsme_zoneid;
	uint_t		tsme_flags;	/* TSOL_MEF_* */
	tsol_mlp_t	tsme_mlp;
} tsol_mlpent_t;

#define	TSOL_MEF_SHARED	0x00000001	/* MLP defined on shared addresses */

/*
 * For tnzonecfg access library routines.
 * List of MLPs ends with null entry, where protocol and port are both zero.
 */
typedef struct tsol_zcent {
	char		zc_name[ZONENAME_MAX];
	int		zc_doi;
	bslabel_t	zc_label;
	int		zc_match;
	tsol_mlp_t	*zc_private_mlp;
	tsol_mlp_t	*zc_shared_mlp;
} tsol_zcent_t;
#define	TSOL_MLP_END(mlp)	((mlp)->mlp_ipp == 0 && (mlp)->mlp_port == 0)

typedef struct tsol_tpc {
	kmutex_t		tpc_lock;	/* lock for structure */
	uint_t			tpc_refcnt;	/* reference count */
	boolean_t		tpc_invalid;	/* entry has been deleted */
	struct tsol_tpent	tpc_tp;		/* template */
} tsol_tpc_t;

typedef struct tsol_tnrhc {
	struct tsol_tnrhc 	*rhc_next;	/* link to next entry */
	kmutex_t		rhc_lock;	/* lock for structure */
	tnaddr_t		rhc_host;	/* IPv4/IPv6 host address */
	tsol_tpc_t		*rhc_tpc;	/* pointer to template */
	uint_t			rhc_refcnt;	/* Number of references */
	char			rhc_invalid;	/* out-of-date rhc */
	char			rhc_isbcast;	/* broadcast address */
	char			rhc_local;	/* loopback or local interace */
} tsol_tnrhc_t;

/* Size of remote host hash tables in kernel */
#define	TNRHC_SIZE 256
#define	TSOL_MASK_TABLE_SIZE	33
#define	TSOL_MASK_TABLE_SIZE_V6	129

#ifdef	_KERNEL
#define	TNRHC_HOLD(a)	{					\
	mutex_enter(&(a)->rhc_lock);				\
	(a)->rhc_refcnt++;					\
	ASSERT((a)->rhc_refcnt > 0);				\
	mutex_exit(&(a)->rhc_lock);				\
}
#define	TNRHC_RELE(a)	{					\
	mutex_enter(&(a)->rhc_lock);				\
	ASSERT((a)->rhc_refcnt > 0);				\
	if (--(a)->rhc_refcnt <= 0)				\
		tnrhc_free(a);					\
	else							\
		mutex_exit(&(a)->rhc_lock);			\
}
extern void tnrhc_free(tsol_tnrhc_t *);
#define	TPC_HOLD(a)	{					\
	mutex_enter(&(a)->tpc_lock);				\
	(a)->tpc_refcnt++;					\
	ASSERT((a)->tpc_refcnt > 0);				\
	mutex_exit(&(a)->tpc_lock);				\
}
#define	TPC_RELE(a)	{					\
	mutex_enter(&(a)->tpc_lock);				\
	ASSERT((a)->tpc_refcnt > 0);				\
	if (--(a)->tpc_refcnt <= 0)				\
		tpc_free(a);					\
	else							\
		mutex_exit(&(a)->tpc_lock);			\
}
extern void tpc_free(tsol_tpc_t *);
#endif	/* _KERNEL */

/*
 * The next three hashing macros are copied from macros in ip_ire.h.
 */
#define	TSOL_ADDR_HASH(addr, table_size)				\
	(((((addr) >> 16) ^ (addr)) ^ ((((addr) >> 16) ^ (addr))>> 8))	\
	% (table_size))

#define	TSOL_ADDR_HASH_V6(addr, table_size)				\
	(((addr).s6_addr8[8] ^ (addr).s6_addr8[9] ^			\
	(addr).s6_addr8[10] ^ (addr).s6_addr8[13] ^			\
	(addr).s6_addr8[14] ^ (addr).s6_addr8[15]) % (table_size))

/* This assumes that table_size is a power of 2. */
#define	TSOL_ADDR_MASK_HASH_V6(addr, mask, table_size)                   \
	((((addr).s6_addr8[8] & (mask).s6_addr8[8]) ^                   \
	((addr).s6_addr8[9] & (mask).s6_addr8[9]) ^                     \
	((addr).s6_addr8[10] & (mask).s6_addr8[10]) ^                   \
	((addr).s6_addr8[13] & (mask).s6_addr8[13]) ^                   \
	((addr).s6_addr8[14] & (mask).s6_addr8[14]) ^                   \
	((addr).s6_addr8[15] & (mask).s6_addr8[15])) & ((table_size) - 1))


/*
 * Constants used for getting the mask value in struct tsol_tpent
 */
enum {
	TNT_DEF_LABEL,
	TNT_DEF_CL,
	TNT_SL_RANGE_TSOL, /* use this for both unl and zone */
	TNT_CIPSO_DOI
};

/*
 * mask definitions
 */
#define	tsol_tntmask(value) ((unsigned int)(1<<(value)))

#define	TSOL_MSK_DEF_LABEL tsol_tntmask(TNT_DEF_LABEL)
#define	TSOL_MSK_DEF_CL tsol_tntmask(TNT_DEF_CL)
#define	TSOL_MSK_SL_RANGE_TSOL tsol_tntmask(TNT_SL_RANGE_TSOL)
#define	TSOL_MSK_CIPSO_DOI tsol_tntmask(TNT_CIPSO_DOI)

/*
 * TN errors
 */
#define	TSOL_PARSE_ERANGE 1 /* result buffer not allocated */
#define	TSOL_NOT_SUPPORTED 2 /* address family not supported */
#define	TSOL_NOT_FOUND 3 /* search by * routines target not found */

/*
 * Structure used to hold a list of IP addresses.
 */
typedef struct tsol_address {
	struct tsol_address	*next;
	in_addr_t		ip_address;
} tsol_address_t;

/* This is shared between tcache and mdb */
typedef struct tnrhc_hash_s {
	tsol_tnrhc_t *tnrh_list;
	kmutex_t tnrh_lock;
} tnrhc_hash_t;

#ifdef _KERNEL
typedef enum {
	mlptSingle,
	mlptPrivate,
	mlptShared,
	mlptBoth
} mlp_type_t;

extern tsol_tpc_t *find_tpc(const void *, uchar_t, boolean_t);
extern void tcache_init(void);
extern in_port_t tsol_next_port(zone_t *, in_port_t, int, boolean_t);
extern mlp_type_t tsol_mlp_port_type(zone_t *, uchar_t, uint16_t, mlp_type_t);
extern zoneid_t tsol_mlp_findzone(uchar_t, uint16_t);
extern int tsol_mlp_anon(zone_t *, mlp_type_t, uchar_t, uint16_t, boolean_t);
extern void tsol_print_label(const blevel_t *, const char *);

struct tsol_gc_s;
struct tsol_gcgrp_s;
struct tsol_gcgrp_addr_s;

extern struct tsol_gc_s *gc_create(struct rtsa_s *, struct tsol_gcgrp_s *,
    boolean_t *);
extern void gc_inactive(struct tsol_gc_s *);
extern int rtsa_validate(const struct rtsa_s *);
extern struct tsol_gcgrp_s *gcgrp_lookup(struct tsol_gcgrp_addr_s *, boolean_t);
extern void gcgrp_inactive(struct tsol_gcgrp_s *);
extern int tnrh_load(const tsol_rhent_t *);
#endif /* _KERNEL */

#ifdef	__cplusplus
}
#endif

#endif	/* _SYS_TSOL_TNDB_H */