git: 30af2c131bb0 - main - IfAPI: Add if_get/setmaclabel() and use it.

From: Justin Hibbits <jhibbits_at_FreeBSD.org>
Date: Tue, 31 Jan 2023 20:03:15 UTC
The branch main has been updated by jhibbits:

URL: https://cgit.FreeBSD.org/src/commit/?id=30af2c131bb05528f9b14518a7ed3e98c590b55e

commit 30af2c131bb05528f9b14518a7ed3e98c590b55e
Author:     Justin Hibbits <jhibbits@FreeBSD.org>
AuthorDate: 2023-01-23 14:34:43 +0000
Commit:     Justin Hibbits <jhibbits@FreeBSD.org>
CommitDate: 2023-01-31 20:02:15 +0000

    IfAPI: Add if_get/setmaclabel() and use it.
    
    Summary:
    Port the MAC modules to use the IfAPI APIs as part of this.
    
    Sponsored by:   Juniper Networks, Inc.
    Reviewed by:    glebius
    Differential Revision: https://reviews.freebsd.org/D38197
---
 sys/net/if.c                       | 12 ++++++++++++
 sys/net/if_var.h                   |  2 ++
 sys/security/mac/mac_inet.c        |  8 ++++----
 sys/security/mac/mac_inet6.c       |  2 +-
 sys/security/mac/mac_net.c         | 26 +++++++++++++-------------
 sys/security/mac_biba/mac_biba.c   |  4 ++--
 sys/security/mac_ifoff/mac_ifoff.c |  8 ++++----
 sys/security/mac_lomac/mac_lomac.c |  4 ++--
 sys/security/mac_mls/mac_mls.c     |  2 +-
 9 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 96093d0a2aa3..a6cf6d050875 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -4809,6 +4809,18 @@ if_setdebugnet_methods(if_t ifp, struct debugnet_methods *m)
 	ifp->if_debugnet_methods = m;
 }
 
+struct label *
+if_getmaclabel(if_t ifp)
+{
+	return (ifp->if_label);
+}
+
+void
+if_setmaclabel(if_t ifp, struct label *label)
+{
+	ifp->if_label = label;
+}
+
 int
 if_gettype(if_t ifp)
 {
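Review bot: The new if_getmaclabel()/if_setmaclabel() accessors carry no comment on their synchronization contract, even though every reader this commit converts in mac_net.c and mac_inet.c brackets if_getmaclabel() with MAC_IFNET_LOCK/MAC_IFNET_UNLOCK, while mac_ifnet_init() and mac_ifnet_destroy() call the setter without it. Now that the field is behind an accessor that implicit rule is easy to lose, so a header comment above if_getmaclabel() would help, e.g. `/* Get/set the MAC label attached to the ifnet. These only hand back or store the pointer; callers serialize access to the label contents themselves (MAC_IFNET_LOCK in the MAC framework). */`. It is also worth stating that the getter may legitimately return NULL, since mac_ifnet_init() stores NULL when MPC_OBJECT_IFNET is not set in mac_labeled and mac_ifnet_destroy() already checks for that. The same applies to the undocumented prototypes added in if_var.h.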
diff --git a/sys/net/if_var.h b/sys/net/if_var.h
index 4c54d26a921d..e9e6086bfa89 100644
--- a/sys/net/if_var.h
+++ b/sys/net/if_var.h
@@ -627,6 +627,8 @@ void if_etherbpfmtap(if_t ifp, struct mbuf *m);
 void if_vlancap(if_t ifp);
 int if_transmit(if_t ifp, struct mbuf *m);
 int if_init(if_t ifp, void *ctx);
+struct label *if_getmaclabel(if_t ifp);
+void if_setmaclabel(if_t ifp, struct label *label);
 
 /*
  * Traversing through interface address lists.
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 2b6a70fdf1bf..dd77a6825204 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -274,8 +274,8 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m,
-	    mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, if_getmaclabel(ifp),
+	    m, mlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }
 
@@ -319,8 +319,8 @@ mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
-	    mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, if_getmaclabel(ifp),
+	    m, mlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }
 
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
index a080a74b17a3..cb0812bab785 100644
--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@@ -183,6 +183,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
 
 	mlabel = mac_mbuf_to_label(m);
 
-	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, if_getmaclabel(ifp), m,
 	    mlabel);
 }
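Review bot: mac_netinet6_nd6_send() reads the interface label via if_getmaclabel(ifp) without MAC_IFNET_LOCK, whereas the equivalent ARP and IGMP paths converted in mac_inet.c hold MAC_IFNET_LOCK around the same MAC_POLICY_PERFORM_NOSLEEP call; here the closing brace follows the call directly, so no unlock happens in this hunk. The function's start lies outside the hunk, so a lock taken earlier cannot be ruled out from what is visible, but with no matching unlock that seems unlikely. This is pre-existing rather than introduced here, though since the commit is already touching the line it is a good moment to either add the same `MAC_IFNET_LOCK(ifp, locked);` / `MAC_IFNET_UNLOCK(ifp, locked);` bracketing or a comment stating why the ND6 path does not need it.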
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 372619c7b583..c21918c99e3e 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -143,9 +143,9 @@ mac_ifnet_init(struct ifnet *ifp)
 {
 
 	if (mac_labeled & MPC_OBJECT_IFNET)
-		ifp->if_label = mac_ifnet_label_alloc();
+		if_setmaclabel(ifp, mac_ifnet_label_alloc());
 	else
-		ifp->if_label = NULL;
+		if_setmaclabel(ifp, NULL);
 }
 
 int
@@ -220,10 +220,10 @@ mac_ifnet_label_free(struct label *label)
 void
 mac_ifnet_destroy(struct ifnet *ifp)
 {
-
-	if (ifp->if_label != NULL) {
-		mac_ifnet_label_free(ifp->if_label);
-		ifp->if_label = NULL;
+	struct label *label = if_getmaclabel(ifp);
+	if (label != NULL) {
+		mac_ifnet_label_free(label);
+		if_setmaclabel(ifp, NULL);
 	}
 }
 
@@ -308,7 +308,7 @@ mac_ifnet_create(struct ifnet *ifp)
 		return;
 
 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, if_getmaclabel(ifp));
 	MAC_IFNET_UNLOCK(ifp, locked);
 }
 
@@ -345,7 +345,7 @@ mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m)
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, if_getmaclabel(ifp), m,
 	    label);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }
@@ -366,7 +366,7 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
 
 	MAC_IFNET_LOCK(ifp, locked);
 	MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
-	    ifp->if_label);
+	    if_getmaclabel(ifp));
 	MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
 	MAC_IFNET_UNLOCK(ifp, locked);
 
@@ -387,7 +387,7 @@ mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m)
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
+	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, if_getmaclabel(ifp), m,
 	    label);
 	MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
 	MAC_IFNET_UNLOCK(ifp, locked);
@@ -425,7 +425,7 @@ mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	intlabel = mac_ifnet_label_alloc();
 	MAC_IFNET_LOCK(ifp, locked);
-	mac_ifnet_copy_label(ifp->if_label, intlabel);
+	mac_ifnet_copy_label(if_getmaclabel(ifp), intlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 	error = mac_ifnet_externalize_label(intlabel, elements, buffer,
 	    mac.m_buflen);
@@ -486,14 +486,14 @@ mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
 
 	MAC_IFNET_LOCK(ifp, locked);
 	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp,
-	    ifp->if_label, intlabel);
+	    if_getmaclabel(ifp), intlabel);
 	if (error) {
 		MAC_IFNET_UNLOCK(ifp, locked);
 		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, if_getmaclabel(ifp),
 	    intlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 08df65cc289d..d011f7e19a56 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1064,7 +1064,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 
 	dest = SLOT(ifplabel);
 
-	if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
+	if (if_gettype(ifp) == IFT_LOOP || interfaces_equal != 0) {
 		type = MAC_BIBA_TYPE_EQUAL;
 		goto set;
 	}
@@ -1091,7 +1091,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
-				if (strcmp(tifname, ifp->if_xname) == 0) {
+				if (strcmp(tifname, if_name(ifp)) == 0) {
 					type = MAC_BIBA_TYPE_HIGH;
 					break;
 				}
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index a19ddd34b22b..b52a70d3c7bf 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -90,10 +90,10 @@ ifnet_check_outgoing(struct ifnet *ifp)
 	if (!ifoff_enabled)
 		return (0);
 
-	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);
 
-	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);
 
 	return (EPERM);
@@ -105,10 +105,10 @@ ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 	if (!ifoff_enabled)
 		return (0);
 
-	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);
 
-	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);
 
 	if (viabpf && ifoff_bpfrecv_enabled)
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index dffd06d964a2..2384b590d1c8 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1188,7 +1188,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 
 	dest = SLOT(ifplabel);
 
-	if (ifp->if_type == IFT_LOOP) {
+	if (if_gettype(ifp) == IFT_LOOP) {
 		grade = MAC_LOMAC_TYPE_EQUAL;
 		goto set;
 	}
@@ -1215,7 +1215,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
-				if (strcmp(tifname, ifp->if_xname) == 0) {
+				if (strcmp(tifname, if_name(ifp)) == 0) {
 					grade = MAC_LOMAC_TYPE_HIGH;
 					break;
 				}
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index da9ed8a3e141..94d907efc7f1 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1024,7 +1024,7 @@ mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 
 	dest = SLOT(ifplabel);
 
-	if (ifp->if_type == IFT_LOOP)
+	if (if_gettype(ifp) == IFT_LOOP)
 		type = MAC_MLS_TYPE_EQUAL;
 	else
 		type = MAC_MLS_TYPE_LOW;