cvs commit: src/sys/kern uipc_socket2.c uipc_usrreq.c src/sys/modules/null Makefile src/sys/net raw_usrreq.c rtsock.c src/sys/netatalk ddp_usrreq.c src/sys/netatm atm_aal5.c atm_usrreq.c src/sys/netgraph ng_socket.c ...

Robert Watson rwatson at FreeBSD.org
Mon Nov 17 16:40:38 PST 2003


rwatson     2003/11/17 16:39:07 PST

  FreeBSD src repository

  Modified files:
    sys/kern             uipc_socket2.c uipc_usrreq.c 
    sys/modules/null     Makefile 
    sys/net              raw_usrreq.c rtsock.c 
    sys/netatalk         ddp_usrreq.c 
    sys/netatm           atm_aal5.c atm_usrreq.c 
    sys/netgraph         ng_socket.c 
    sys/netgraph/bluetooth/socket ng_btsocket.c 
    sys/netinet          in_pcb.c in_pcb.h ip_divert.c raw_ip.c 
                         tcp_input.c tcp_usrreq.c udp_usrreq.c 
    sys/netinet6         raw_ip6.c udp6_usrreq.c 
    sys/netipsec         keysock.c 
    sys/netipx           ipx_usrreq.c spx_usrreq.c 
    sys/netkey           keysock.c 
    sys/netnatm          natm.c 
    sys/security/mac     mac_net.c 
    sys/security/mac_biba mac_biba.c 
    sys/security/mac_ifoff mac_ifoff.c 
    sys/security/mac_lomac mac_lomac.c 
    sys/security/mac_mls mac_mls.c 
    sys/security/mac_stub mac_stub.c 
    sys/security/mac_test mac_test.c 
    sys/sys              mac.h mac_policy.h protosw.h 
  Log:
  Introduce a MAC label reference in 'struct inpcb', which caches
  the MAC label referenced from 'struct socket' in the IPv4 and
  IPv6-based protocols.  This permits MAC labels to be checked during
  network delivery operations without dereferencing inp->inp_socket
  to get to so->so_label, which will eventually avoid our having to
  grab the socket lock during delivery at the network layer.
  
  This change introduces 'struct inpcb' as a labeled object to the
  MAC Framework, along with the normal circus of entry points:
  initialization, creation from socket, destruction, as well as a
  delivery access control check.
  
  For most policies, the inpcb label will simply be a cache of the
  socket label, so a new protocol switch method is introduced,
  pr_sosetlabel() to notify protocols that the socket layer label
  has been updated so that the cache can be updated while holding
  appropriate locks.  Most protocols implement this using
  pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
  the worker function in_pcbsosetlabel(), which calls into the
  MAC Framework to perform a cache update.
  
  Biba, LOMAC, and MLS implement these entry points, as do the stub
  policy, and test policy.
  
  Reviewed by:    sam, bms
  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories
  
  Revision  Changes    Path
  1.118     +10 -0     src/sys/kern/uipc_socket2.c
  1.112     +1 -1      src/sys/kern/uipc_usrreq.c
  1.2       +1 -0      src/sys/modules/null/Makefile
  1.30      +1 -1      src/sys/net/raw_usrreq.c
  1.96      +1 -1      src/sys/net/rtsock.c
  1.33      +2 -1      src/sys/netatalk/ddp_usrreq.c
  1.18      +2 -1      src/sys/netatm/atm_aal5.c
  1.21      +4 -0      src/sys/netatm/atm_usrreq.c
  1.5       +8 -4      src/sys/netgraph/bluetooth/socket/ng_btsocket.c
  1.45      +4 -2      src/sys/netgraph/ng_socket.c
  1.131     +40 -7     src/sys/netinet/in_pcb.c
  1.66      +3 -0      src/sys/netinet/in_pcb.h
  1.79      +1 -1      src/sys/netinet/ip_divert.c
  1.121     +2 -2      src/sys/netinet/raw_ip.c
  1.215     +2 -2      src/sys/netinet/tcp_input.c
  1.88      +2 -2      src/sys/netinet/tcp_usrreq.c
  1.141     +2 -2      src/sys/netinet/udp_usrreq.c
  1.34      +1 -1      src/sys/netinet6/raw_ip6.c
  1.39      +1 -1      src/sys/netinet6/udp6_usrreq.c
  1.7       +2 -1      src/sys/netipsec/keysock.c
  1.39      +2 -2      src/sys/netipx/ipx_usrreq.c
  1.40      +2 -2      src/sys/netipx/spx_usrreq.c
  1.26      +2 -1      src/sys/netkey/keysock.c
  1.31      +1 -1      src/sys/netnatm/natm.c
  1.110     +96 -1     src/sys/security/mac/mac_net.c
  1.70      +45 -0     src/sys/security/mac_biba/mac_biba.c
  1.8       +13 -0     src/sys/security/mac_ifoff/mac_ifoff.c
  1.24      +45 -0     src/sys/security/mac_lomac/mac_lomac.c
  1.57      +45 -0     src/sys/security/mac_mls/mac_mls.c
  1.35      +28 -0     src/sys/security/mac_stub/mac_stub.c
  1.37      +71 -0     src/sys/security/mac_test/mac_test.c
  1.51      +7 -0      src/sys/sys/mac.h
  1.45      +12 -0     src/sys/sys/mac_policy.h
  1.42      +2 -0      src/sys/sys/protosw.h
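
The cached-label pattern from the log above, as an added user-space model (not code from this commit or from FreeBSD): a per-pcb label copy refreshed through a protocol hook, so the delivery check never follows the back-pointer to the socket. All struct and function names, the one-field label, and the equality rule are assumptions made for illustration.

```c
/* User-space model; every name is hypothetical, not a FreeBSD kernel symbol. */
#include <stddef.h>

struct label { int level; };                  /* constructed one-field label */
struct msocket;
struct mprotosw { void (*sosetlabel)(struct msocket *); };
struct minpcb { struct label cache; struct msocket *so; };
struct msocket {
    struct label label;
    int lock_taken;                           /* counts socket-lock acquisitions */
    const struct mprotosw *proto;
    struct minpcb *pcb;
};

/* No-op hook for protocols that keep no cached label. */
static void sosetlabel_null(struct msocket *so) { (void)so; }
/* Hook for pcb-based protocols: refresh the cache from the socket label. */
static void sosetlabel_inpcb(struct msocket *so) { so->pcb->cache = so->label; }
static const struct mprotosw proto_null  = { sosetlabel_null };
static const struct mprotosw proto_inpcb = { sosetlabel_inpcb };

/* Socket-layer relabel: change the label under the lock, then notify. */
static void socket_relabel(struct msocket *so, int level)
{
    so->lock_taken++;                         /* stands in for the socket lock */
    so->label.level = level;
    so->proto->sosetlabel(so);
}

/* Delivery reads only the cache, never pcb->so; equality is a constructed rule. */
static int deliver_check(const struct minpcb *pcb, struct label pkt)
{
    return pcb->cache.level == pkt.level ? 0 : -1;   /* 0 allows, -1 denies */
}

/* Relabel to `level`, deliver a packet at `level`; *locks = locks taken by delivery. */
static int relabel_then_deliver(const struct mprotosw *p, int level, int *locks)
{
    struct minpcb pcb = { { 0 }, NULL };
    struct msocket so = { { 0 }, 0, p, &pcb };
    pcb.so = &so;
    socket_relabel(&so, level);
    int before = so.lock_taken;
    int rc = deliver_check(&pcb, (struct label){ level });
    *locks = so.lock_taken - before;
    return rc;
}

int main(void) { int n; return relabel_then_deliver(&proto_inpcb, 5, &n); }
```

Pairing a cached label with the no-op hook leaves the cache at its old value after a relabel, so the model's delivery check then decides on a stale label.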

