/*	$NetBSD: policy.h,v 1.5.4.2 2007/06/07 20:34:19 manu Exp $	*/

/* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
#ifndef _POLICY_H
#define _POLICY_H

/* TAILQ_ENTRY, used by struct secpolicy below. Note that the KEY_SETSECSPIDX
 * macros further down use memset/memcpy but this header does not include
 * <string.h>; the including .c file has to. */
#include <sys/queue.h>

#ifdef HAVE_SECCTX
/* Capacity of security_ctx.ctx_str, including the terminating NUL byte. */
#define MAX_CTXSTR_SIZE 50
/*
 * Security context carried inside a policy index (built only with HAVE_SECCTX).
 *
 * NOTE: nothing in this struct enforces ctx_strlen <= MAX_CTXSTR_SIZE or that
 * ctx_str is NUL-terminated; ctx_strlen is a 16-bit value and can name a
 * length far larger than the array. Whatever fills this struct in must bound
 * the copy by sizeof(ctx_str), and readers should not trust ctx_strlen alone.
 */
struct security_ctx {
	u_int8_t ctx_doi;       /* Security Context DOI */
	u_int8_t ctx_alg;       /* Security Context Algorithm */
	u_int16_t ctx_strlen;   /* Security Context string length
				 * (includes the terminating NUL byte)
				 */
	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
};
#endif
510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
/* refs. ipsec.h */
/*
 * Security Policy Index: the selector that identifies an SPD entry.
 * NOTE: src and dst must be of the same address family, and the same
 * upper layer protocol applies to both.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for the wildcard.
 *	0 to (~0 - 1): one concrete value of the respective field.
 * NOTE: nothing here bounds prefs/prefd to the width of the address family
 * in src/dst; the code that fills a policyindex in must do that.
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow; the
					 * values are defined in ipsec.h,
					 * not in this header */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer protocol */
	u_int32_t priority;		/* priority for the policy */
 	u_int64_t created;		/* creation stamp; used when deleting
					 * generated SPD entries */
#ifdef HAVE_SECCTX
	struct security_ctx sec_ctx;    /* Security Context (see above) */
#endif
};
730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
/* Security Policy Data Base entry */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;	/* linkage in the SPD list (sys/queue.h) */

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* unique number for this policy on the system */

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request chain */
				/* if policy == IPSEC, else this value == NULL. */
};
860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
/* Security Association Index */
/* NOTE: src and dst must be of the same address family */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* request id that owns this SA; */
					/* see IPSEC_MANUAL_REQID_MAX. */
};
970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
/* Request for IPsec: one link of the per-policy request chain */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to the next structure; */
				/* NULL marks the end of the chain. */

	struct secasindex saidx;/* hint for finding the proper SA */
				/* if __ss_len == 0 then no address is specified. */
	u_int level;		/* IPsec level (values defined in ipsec.h, not here) */

	struct secpolicy *sp;	/* back pointer to the owning SP */
};
1100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
/*
 * KEY_SETSECSPIDX(): zero *idx (the whole struct policyindex, including
 * sec_ctx when HAVE_SECCTX) and then set dir, prefs, prefd, ul_proto,
 * [priority,] created, src and dst. The two variants differ only in whether
 * a _priority argument is taken (HAVE_PFKEY_POLICY_PRIORITY).
 *
 * The memset uses sizeof(struct policyindex), so idx must point at exactly
 * that type. memset/memcpy (<string.h>) and sysdep_sa_len() must already be
 * in scope at the point of use; this header provides neither.
 *
 * NOTE: the arguments are expanded more than once (idx many times, s and d
 * twice each), so do not pass expressions with side effects.
 * NOTE: the two memcpy calls copy sysdep_sa_len() bytes into src/dst without
 * comparing that length with sizeof((idx)->src); only pass a sockaddr whose
 * length is known to fit in struct sockaddr_storage.
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
do {                                                                         \
	memset((idx), 0, sizeof(struct policyindex));                        \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->priority = (_priority);                                        \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#else
/* Same as above, without the priority field. */
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
do {                                                                         \
	memset((idx), 0, sizeof(struct policyindex));                        \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#endif
1370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
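struct ph2handle;		/* presumably the IKE phase-2 handle; defined elsewhere */
struct policyindex;		/* already defined above; harmless forward declaration */

/* SPD lookup by selector (the matching rules live in the implementation). */
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
/* SPD lookup by policy id (secpolicy.id). Declared extern like its siblings. */
extern struct secpolicy *getspbyspid __P((u_int32_t));
/* Selector comparison: strict, and honouring the ANY wildcard described on
 * struct policyindex. Return-value semantics are the implementation's. */
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
/* Allocation, release and SPD list maintenance. */
extern struct secpolicy *newsp __P((void));
extern void delsp __P((struct secpolicy *));
extern void delsp_bothdir __P((struct policyindex *));
extern void inssp __P((struct secpolicy *));
extern void remsp __P((struct secpolicy *));
extern void flushsp __P((void));
extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));

/* Human-readable rendering of a selector (e.g. for logging). The result is
 * const: treat it as read-only; its storage is owned by the implementation. */
extern const char *spidx2str __P((const struct policyindex *));
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
/* SELinux labelled-IPsec support, only with HAVE_SECCTX. */
extern int get_security_context __P((vchar_t *, struct policyindex *));
extern void init_avc __P((void));
/* Compares two contexts; returns int, exact meaning defined by the implementation. */
extern int within_range __P((security_context_t, security_context_t));
/* NOTE: takes struct policyindex by value (two sockaddr_storage members), so
 * each call copies the whole selector; signature kept for caller compatibility. */
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif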
1620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang
1630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif /* _POLICY_H */