PERFORCE change 32166 for review
Robert Watson
rwatson at FreeBSD.org
Sat May 31 06:30:39 PDT 2003
http://perforce.freebsd.org/chv.cgi?CH=32166
Change 32166 by rwatson at rwatson_tislabs on 2003/05/31 06:30:19
Introduce two new MAC entry points:
void mac_reflect_mbuf_icmp(m);
void mac_reflect_mbuf_tcp(m);
These entry points are invoked for "in-place" label updates when
a packet is responded to without hitting another object (a
socket, for example) in the network stack, at the ICMP and
TCP levels respectively.
Two similar policy-level entry points:
void mpo_reflect_mbuf_icmp(m, label);
void mpo_reflect_mbuf_tcp(m, label);
Identical except with explicit label arguments to avoid policies
having to grub around for the label themselves.
Note: this changes the mac_policy_conf structure, and hence
requires a rebuild of all modules.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 (text+ko) ====
@@ -2435,6 +2435,25 @@
}
void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
{
struct label *label;
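Review bot: Neither new entry point has a header comment, and the name "reflect" does not say what happens to the label; the in-place semantics given in the change description belong on the code. A comment such as `/* Relabel m in place: the packet is being reflected back to its sender at the ICMP layer without passing through a socket, so no other object supplies the label. */` on mac_reflect_mbuf_icmp, and the TCP counterpart on mac_reflect_mbuf_tcp, would do. The functions touch m only through mbuf_to_label(m), so the non-NULL requirement on m is inherited from that helper and should be stated too. Whether policies that do not implement the op are skipped depends on MAC_PERFORM, which is not visible in this hunk; if it does skip NULL ops, the comment should say so, since that is what lets existing modules keep working after the rebuild.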
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 (text+ko) ====
@@ -596,10 +596,6 @@
/*
* Reflect the ip packet back to the source
- *
- * XXXMAC: Right now, the old label is inheritted. In practice,
- * we'll need an explicit MAC call here to set an appropriate label
- * (in place).
*/
static void
icmp_reflect(m)
@@ -652,6 +648,9 @@
goto done;
}
match:
+#ifdef MAC
+ mac_reflect_mbuf_icmp(m);
+#endif
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;
ip->ip_ttl = ip_defttl;
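Review bot: The relabel call at `match:` runs before ip_src is overwritten two lines later (and before ip_ttl is reset), so a policy's mpo_reflect_mbuf_icmp sees the IP header of the original datagram, not of the reply. If that is the intended contract it should be pinned in a comment at the call, e.g. `/* Relabel in place before the addresses are swapped: policies see the original header. */`, because nothing else tells a policy author which state the mbuf is in. The first hunk of this file drops the XXXMAC note from the icmp_reflect header comment without replacing it; one line there saying that under MAC the label is updated in place at `match:` keeps the function summary complete. icmp_reflect's body starts and ends outside the hunk.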
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 (text+ko) ====
@@ -488,10 +488,10 @@
mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
} else {
/*
- * XXXMAC: This will need to call a mac function that
- * modifies the mbuf label in place for TCP datagrams
- * not associated with a PCB.
+ * Packet is not associated with a socket, so possibly
+ * update the label in place.
*/
+ mac_reflect_mbuf_tcp(m);
}
#endif
nth->th_seq = htonl(seq);
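Review bot: The replacement comment says the label is "possibly" updated, which leaves the reader guessing who decides; mac_reflect_mbuf_tcp is called unconditionally in this branch, and it is each policy that may choose to leave the label untouched. Suggest `* Packet is not associated with a socket; let each policy relabel the mbuf in place (a policy may leave it unchanged).`. tcp_respond's body starts outside the hunk, so it is not visible whether this else branch can be reached with an mbuf the function allocated itself rather than one reused from a received segment; if it can, "reflect" is applied to a label that was never derived from an inbound packet, and a comment stating which case is expected here would help policy authors decide what to do with mlabel.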
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 (text+ko) ====
@@ -211,6 +211,8 @@
struct ifnet *ifnet, struct mbuf *newmbuf);
void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void mac_reflect_mbuf_icmp(struct mbuf *m);
+void mac_reflect_mbuf_tcp(struct mbuf *m);
void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
/*
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 (text+ko) ====
@@ -235,6 +235,9 @@
int (*mpo_fragment_match)(struct mbuf *fragment,
struct label *fragmentlabel, struct ipq *ipq,
struct label *ipqlabel);
+ void (*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+ struct label *mlabel);
+ void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel);
void (*mpo_update_ipq)(struct mbuf *fragment,
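Review bot: The two new ops are added to the policy ops structure with no comment describing their contract, and the signature alone does not convey that mlabel is the label to be modified in place rather than merely consulted. A short comment above the pair, saying that the mbuf is being reflected at the ICMP or TCP layer without a socket and that the policy may update mlabel in place, would cover it. Inserting the members between mpo_fragment_match and mpo_relabel_ifnet shifts the offset of every later op, which is the reason the change note requires rebuilding all modules; that consequence deserves a line next to the struct so the next addition is made with the same awareness. Wrapping the ICMP declaration over two lines while the TCP one fits on one is inconsistent unless line length forces it.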