Date: Tue, 31 Jan 2023 20:03:15 GMT
Message-Id: <202301312003.30VK3Fsb024892@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Justin Hibbits
Subject: git: 30af2c131bb0 - main - IfAPI: Add if_get/setmaclabel() and use it.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhibbits
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 30af2c131bb05528f9b14518a7ed3e98c590b55e
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by jhibbits:

URL: https://cgit.FreeBSD.org/src/commit/?id=30af2c131bb05528f9b14518a7ed3e98c590b55e

commit 30af2c131bb05528f9b14518a7ed3e98c590b55e
Author:     Justin Hibbits
AuthorDate: 2023-01-23 14:34:43 +0000
Commit:     Justin Hibbits
CommitDate: 2023-01-31 20:02:15 +0000

    IfAPI: Add if_get/setmaclabel() and use it.

    Summary: Port the MAC modules to use the IfAPI APIs as part of this.

    Sponsored by:   Juniper Networks, Inc.
    Reviewed by:    glebius
    Differential Revision: https://reviews.freebsd.org/D38197
---
 sys/net/if.c                       | 12 ++++++++++++
 sys/net/if_var.h                   |  2 ++
 sys/security/mac/mac_inet.c        |  8 ++++----
 sys/security/mac/mac_inet6.c       |  2 +-
 sys/security/mac/mac_net.c         | 26 +++++++++++++-------------
 sys/security/mac_biba/mac_biba.c   |  4 ++--
 sys/security/mac_ifoff/mac_ifoff.c |  8 ++++----
 sys/security/mac_lomac/mac_lomac.c |  4 ++--
 sys/security/mac_mls/mac_mls.c     |  2 +-
 9 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c index 96093d0a2aa3..a6cf6d050875 100644 --- a/sys/net/if.c +++ b/sys/net/if.c
@@ -4809,6 +4809,18 @@ if_setdebugnet_methods(if_t ifp, struct debugnet_methods *m) ifp->if_debugnet_methods = m; } +struct label * +if_getmaclabel(if_t ifp) +{ + return (ifp->if_label); +} + +void +if_setmaclabel(if_t ifp, struct label *label) +{ + ifp->if_label = label; +} + int if_gettype(if_t ifp) { diff --git a/sys/net/if_var.h b/sys/net/if_var.h index 4c54d26a921d..e9e6086bfa89 100644 --- a/sys/net/if_var.h +++ b/sys/net/if_var.h @@ -627,6 +627,8 @@ void if_etherbpfmtap(if_t ifp, struct mbuf *m); void if_vlancap(if_t ifp); int if_transmit(if_t ifp, struct mbuf *m); int if_init(if_t ifp, void *ctx); +struct label *if_getmaclabel(if_t ifp); +void if_setmaclabel(if_t ifp, struct label *label); /* * Traversing through interface address lists. diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index 2b6a70fdf1bf..dd77a6825204 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c @@ -274,8 +274,8 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m) mlabel = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked); - MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, - mlabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, if_getmaclabel(ifp), + m, mlabel); MAC_IFNET_UNLOCK(ifp, locked); } @@ -319,8 +319,8 @@ mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m) mlabel = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked); - MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m, - mlabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, if_getmaclabel(ifp), + m, mlabel); MAC_IFNET_UNLOCK(ifp, locked); } diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c index a080a74b17a3..cb0812bab785 100644 --- a/sys/security/mac/mac_inet6.c +++ b/sys/security/mac/mac_inet6.c 
@@ -183,6 +183,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m) mlabel = mac_mbuf_to_label(m); - MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m, + MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, if_getmaclabel(ifp), m, mlabel); } diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 372619c7b583..c21918c99e3e 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -143,9 +143,9 @@ mac_ifnet_init(struct ifnet *ifp) { if (mac_labeled & MPC_OBJECT_IFNET) - ifp->if_label = mac_ifnet_label_alloc(); + if_setmaclabel(ifp, mac_ifnet_label_alloc()); else - ifp->if_label = NULL; + if_setmaclabel(ifp, NULL); } int @@ -220,10 +220,10 @@ mac_ifnet_label_free(struct label *label) void mac_ifnet_destroy(struct ifnet *ifp) { - - if (ifp->if_label != NULL) { - mac_ifnet_label_free(ifp->if_label); - ifp->if_label = NULL; + struct label *label = if_getmaclabel(ifp); + if (label != NULL) { + mac_ifnet_label_free(label); + if_setmaclabel(ifp, NULL); } } @@ -308,7 +308,7 @@ mac_ifnet_create(struct ifnet *ifp) return; MAC_IFNET_LOCK(ifp, locked); - MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); + MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, if_getmaclabel(ifp)); MAC_IFNET_UNLOCK(ifp, locked); } @@ -345,7 +345,7 @@ mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked); - MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, + MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, if_getmaclabel(ifp), m, label); MAC_IFNET_UNLOCK(ifp, locked); } @@ -366,7 +366,7 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) MAC_IFNET_LOCK(ifp, locked); MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, - ifp->if_label); + if_getmaclabel(ifp)); MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); MAC_IFNET_UNLOCK(ifp, locked); 
@@ -387,7 +387,7 @@ mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked); - MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, + MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, if_getmaclabel(ifp), m, label); MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); MAC_IFNET_UNLOCK(ifp, locked); @@ -425,7 +425,7 @@ mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); intlabel = mac_ifnet_label_alloc(); MAC_IFNET_LOCK(ifp, locked); - mac_ifnet_copy_label(ifp->if_label, intlabel); + mac_ifnet_copy_label(if_getmaclabel(ifp), intlabel); MAC_IFNET_UNLOCK(ifp, locked); error = mac_ifnet_externalize_label(intlabel, elements, buffer, mac.m_buflen); @@ -486,14 +486,14 @@ mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) MAC_IFNET_LOCK(ifp, locked); MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, - ifp->if_label, intlabel); + if_getmaclabel(ifp), intlabel); if (error) { MAC_IFNET_UNLOCK(ifp, locked); mac_ifnet_label_free(intlabel); return (error); } - MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, + MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, if_getmaclabel(ifp), intlabel); MAC_IFNET_UNLOCK(ifp, locked); diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 08df65cc289d..d011f7e19a56 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1064,7 +1064,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel) dest = SLOT(ifplabel); - if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) { + if (if_gettype(ifp) == IFT_LOOP || interfaces_equal != 0) { type = MAC_BIBA_TYPE_EQUAL; goto set; } 
@@ -1091,7 +1091,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel) if (len < IFNAMSIZ) { bzero(tifname, sizeof(tifname)); bcopy(q, tifname, len); - if (strcmp(tifname, ifp->if_xname) == 0) { + if (strcmp(tifname, if_name(ifp)) == 0) { type = MAC_BIBA_TYPE_HIGH; break; } diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c index a19ddd34b22b..b52a70d3c7bf 100644 --- a/sys/security/mac_ifoff/mac_ifoff.c +++ b/sys/security/mac_ifoff/mac_ifoff.c @@ -90,10 +90,10 @@ ifnet_check_outgoing(struct ifnet *ifp) if (!ifoff_enabled) return (0); - if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP) + if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP) return (0); - if (ifoff_other_enabled && ifp->if_type != IFT_LOOP) + if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP) return (0); return (EPERM); @@ -105,10 +105,10 @@ ifnet_check_incoming(struct ifnet *ifp, int viabpf) if (!ifoff_enabled) return (0); - if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP) + if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP) return (0); - if (ifoff_other_enabled && ifp->if_type != IFT_LOOP) + if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP) return (0); if (viabpf && ifoff_bpfrecv_enabled) diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index dffd06d964a2..2384b590d1c8 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1188,7 +1188,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel) dest = SLOT(ifplabel); - if (ifp->if_type == IFT_LOOP) { + if (if_gettype(ifp) == IFT_LOOP) { grade = MAC_LOMAC_TYPE_EQUAL; goto set; } @@ -1215,7 +1215,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel) if (len < IFNAMSIZ) { bzero(tifname, sizeof(tifname)); bcopy(q, tifname, len); - if (strcmp(tifname, ifp->if_xname) == 0) { + if (strcmp(tifname, if_name(ifp)) == 0) { grade = MAC_LOMAC_TYPE_HIGH; break; } 
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index da9ed8a3e141..94d907efc7f1 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1024,7 +1024,7 @@ mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel) dest = SLOT(ifplabel); - if (ifp->if_type == IFT_LOOP) + if (if_gettype(ifp) == IFT_LOOP) type = MAC_MLS_TYPE_EQUAL; else type = MAC_MLS_TYPE_LOW;
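Review bot: if_setmaclabel() in the sys/net/if.c hunk stores the new pointer over ifp->if_label without looking at the old one, and neither accessor states what the caller must hold. In this patch mac_ifnet_destroy() frees the old label itself before calling if_setmaclabel(ifp, NULL), and most mac_net.c callers read the label between MAC_IFNET_LOCK and MAC_IFNET_UNLOCK. A short comment above the two functions, or beside the new prototypes in if_var.h, saying that the setter does not free the previous label and which lock covers access would keep a later consumer from leaking or racing on the label.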
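Review bot: in the mac_ifnet_destroy() hunk of sys/security/mac/mac_net.c, `struct label *label = if_getmaclabel(ifp);` initializes with a function call in the declaration and runs straight into the `if` with no blank line after it; style(9) asks for a blank line after declarations and discourages function calls in initializers. Suggest declaring `struct label *label;`, leaving a blank line, then assigning `label = if_getmaclabel(ifp);` before the NULL test.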
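Review bot: mac_ifnet_ioctl_set() (the hunk at -486 in mac_net.c) now calls if_getmaclabel(ifp) twice under one MAC_IFNET_LOCK, once for ifnet_check_relabel and once for ifnet_relabel. Reading it once into a local right after taking the lock and passing that local to both macros makes it explicit that the check and the relabel act on the same label, and avoids the second call.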
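Review bot: the replacement line in the mac_inet6.c hunk keeps `m,` after `if_getmaclabel(ifp),` on the first line, whereas the two mac_inet.c hunks moved `m` down to the continuation line for the same substitution. The longer argument probably pushes this line past 80 columns once indented, so rewrap it the same way, ending the first line at `if_getmaclabel(ifp),` and continuing with `m, mlabel);`. The ifnet_create_mbuf, ifnet_check_transmit and ifnet_relabel lines in mac_net.c have the same shape.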