1 /*        $NetBSD: policy.h,v 1.9 2025/03/07 15:55:29 christos Exp $  */
2 
3 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _POLICY_H
35 #define _POLICY_H
36 
37 #include <sys/queue.h>
38 
39 
40 #ifdef HAVE_SECCTX
41 #define MAX_CTXSTR_SIZE 50
42 struct security_ctx {
43           uint8_t ctx_doi;       /* Security Context DOI */
44           uint8_t ctx_alg;       /* Security Context Algorithm */
45           uint16_t ctx_strlen;   /* Security Context stringlength
46                                          * (includes terminating NULL)
47                                          */
48           char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
49 };
50 #endif
51 
52 /* refs. ipsec.h */
53 /*
54  * Security Policy Index
55  * NOTE: Ensure to be same address family and upper layer protocol.
56  * NOTE: ul_proto, port number, uid, gid:
57  *        ANY: reserved for waldcard.
58  *        0 to (~0 - 1): is one of the number of each value.
59  */
60 struct policyindex {
61           uint8_t dir;                            /* direction of packet flow, see blow */
62           struct sockaddr_storage src;  /* IP src address for SP */
63           struct sockaddr_storage dst;  /* IP dst address for SP */
64           uint8_t prefs;                          /* prefix length in bits for src */
65           uint8_t prefd;                          /* prefix length in bits for dst */
66           uint16_t ul_proto;            /* upper layer Protocol */
67           uint32_t priority;            /* priority for the policy */
68           u_int64_t created;            /* Used for generated SPD entries deletion */
69 #ifdef HAVE_SECCTX
70           struct security_ctx sec_ctx;    /* Security Context */
71 #endif
72 };
73 
74 /* Security Policy Data Base */
75 struct secpolicy {
76           TAILQ_ENTRY(secpolicy) chain;
77 
78           struct policyindex spidx;     /* selector */
79           uint32_t id;                            /* It's unique number on the system. */
80 
81           u_int policy;                 /* DISCARD, NONE or IPSEC, see keyv2.h */
82           struct ipsecrequest *req;
83                                         /* pointer to the ipsec request tree, */
84                                         /* if policy == IPSEC else this value == NULL.*/
85 
86           /* MIPv6 needs to perform negotiation of SA using different addresses
87            * than the endpoints of the SA (CoA for the source). In that case,
88            * MIGRATE msg provides that info (before movement occurs on the MN) */
89           struct sockaddr *local;
90           struct sockaddr *remote;
91 };
92 
93 /* Security Assocciation Index */
94 /* NOTE: Ensure to be same address family */
95 struct secasindex {
96           struct sockaddr_storage src;  /* srouce address for SA */
97           struct sockaddr_storage dst;  /* destination address for SA */
98           uint16_t proto;               /* IPPROTO_ESP or IPPROTO_AH */
99           uint8_t mode;                           /* mode of protocol, see ipsec.h */
100           uint32_t reqid;               /* reqid id who owned this SA */
101                                                   /* see IPSEC_MANUAL_REQID_MAX. */
102 };
103 
104 /* Request for IPsec */
105 struct ipsecrequest {
106           struct ipsecrequest *next;
107                                         /* pointer to next structure */
108                                         /* If NULL, it means the end of chain. */
109 
110           struct secasindex saidx;/* hint for search proper SA */
111                                         /* if __ss_len == 0 then no address specified.*/
112           u_int level;                  /* IPsec level defined below. */
113 
114           struct secpolicy *sp;         /* back pointer to SP */
115 };
116 
117 #ifdef HAVE_PFKEY_POLICY_PRIORITY
118 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
119 do {                                                                         \
120           bzero((idx), sizeof(struct policyindex));                            \
121           (idx)->dir = (_dir);                                                 \
122           (idx)->prefs = (ps);                                                 \
123           (idx)->prefd = (pd);                                                 \
124           (idx)->ul_proto = (ulp);                                             \
125           (idx)->priority = (_priority);                                        \
126           (idx)->created = (_created);                                        \
127           memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
128           memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
129 } while (0)
130 #else
131 #define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
132 do {                                                                         \
133           bzero((idx), sizeof(struct policyindex));                            \
134           (idx)->dir = (_dir);                                                 \
135           (idx)->prefs = (ps);                                                 \
136           (idx)->prefd = (pd);                                                 \
137           (idx)->ul_proto = (ulp);                                             \
138           (idx)->created = (_created);                                        \
139           memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
140           memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
141 } while (0)
142 #endif
143 
144 struct ph2handle;
145 struct policyindex;
146 extern struct secpolicy *getsp(struct policyindex *);
147 extern struct secpolicy *getsp_r(struct policyindex *);
148 struct secpolicy *getspbyspid(uint32_t);
149 extern int cmpspidxstrict(struct policyindex *, struct policyindex *);
150 extern int cmpspidxwild(struct policyindex *, struct policyindex *);
151 extern struct secpolicy *newsp(void);
152 extern void delsp(struct secpolicy *);
153 extern void delsp_bothdir(struct policyindex *);
154 extern void inssp(struct secpolicy *);
155 extern void remsp(struct secpolicy *);
156 extern void flushsp(void);
157 extern void initsp(void);
158 extern struct ipsecrequest *newipsecreq(void);
159 
160 extern const char *spidx2str(const struct policyindex *);
161 #ifdef HAVE_SECCTX
162 #include <selinux/selinux.h>
163 extern int get_security_context(vchar_t *, struct policyindex *);
164 extern void init_avc(void);
165 extern int within_range(security_context_t, security_context_t);
166 extern void set_secctx_in_proposal(struct ph2handle *, struct policyindex);
167 #endif
168 
169 #endif /* _POLICY_H */
170