PERFORCE change 32166 for review

Robert Watson rwatson at FreeBSD.org
Sat May 31 06:30:39 PDT 2003


http://perforce.freebsd.org/chv.cgi?CH=32166

Change 32166 by rwatson at rwatson_tislabs on 2003/05/31 06:30:19

	Introduce two new MAC entry points:
	
	void	mac_reflect_mbuf_icmp(m);
	void	mac_reflect_mbuf_tcp(m);
	
	These entry points are invoked for "in-place" label updates when
	a packet is responded to without hitting another object (a
	socket, for example) in the network stack, at the ICMP and
	TCP levels respectively.
	
	Two similar policy-level entry points:
	
	void	mpo_reflect_mbuf_icmp(m, label);
	void	mpo_reflect_mbuf_tcp(m, label);
	
	Identical except with explicit label arguments to avoid policies
	having to grub around for the label themselves.
	
	Note: this changes the mac_policy_conf structure, and hence
	requires a rebuild of all modules.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 (text+ko) ====

@@ -2435,6 +2435,25 @@
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 	struct label *label;
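Review bot: The two new entry points run together with no blank line between the closing brace of mac_reflect_mbuf_icmp and the `void` that opens mac_reflect_mbuf_tcp, unlike every other function boundary visible in this hunk; insert a blank line after the first `}`. Neither function carries a comment, and since a reflect hook is the only point at which a policy can adjust the label of a packet that never passes through another labeled object, a one-line comment such as `/* Let policies update, in place, the label of an mbuf being reflected to its source at the ICMP layer. */` (and the TCP counterpart) would help readers of kern_mac.c. The tail of mac_update_ipq continues outside the hunk.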

==== //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 (text+ko) ====

@@ -596,10 +596,6 @@
 
 /*
  * Reflect the ip packet back to the source
- *
- * XXXMAC: Right now, the old label is inheritted.  In practice,
- * we'll need an explicit MAC call here to set an appropriate label
- * (in place).
  */
 static void
 icmp_reflect(m)
@@ -652,6 +648,9 @@
 		goto done;
 	}
 match:
+#ifdef MAC
+	mac_reflect_mbuf_icmp(m);
+#endif
 	t = IA_SIN(ia)->sin_addr;
 	ip->ip_src = t;
 	ip->ip_ttl = ip_defttl;
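Review bot: mac_reflect_mbuf_icmp(m) is invoked at `match:` before `ip->ip_src` is rewritten on the line that follows, so a policy that consults the IP header at reflect time sees the original source address rather than the reflected one; if that ordering is intended it deserves a comment, e.g. `/* Relabel before the header is rewritten; policies see the original source address. */`. Paths that `goto done` earlier in icmp_reflect never reach the new call, which looks right because nothing is reflected on them, but icmp_reflect starts and ends outside this hunk so that cannot be confirmed from here.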

==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 (text+ko) ====

@@ -488,10 +488,10 @@
 		mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
 	} else {
 		/*
-		 * XXXMAC: This will need to call a mac function that
-		 * modifies the mbuf label in place for TCP datagrams
-		 * not associated with a PCB.
+		 * Packet is not associated with a socket, so possibly
+		 * update the label in place.
 		 */
+		mac_reflect_mbuf_tcp(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);
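Review bot: The new comment says the label is "possibly" updated, but mac_reflect_mbuf_tcp(m) is called unconditionally; what is conditional is whether any loaded policy changes the label. Suggest `* Packet is not associated with a socket, so give policies a chance to update the label in place.` so a reader does not go looking for a missing condition. The call sits inside the block closed by the `#endif` two lines below, matching the `#ifdef MAC` guard used at the ICMP call site; the enclosing function starts outside the hunk.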

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 (text+ko) ====

@@ -211,6 +211,8 @@
 	    struct ifnet *ifnet, struct mbuf *newmbuf);
 void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void	mac_reflect_mbuf_icmp(struct mbuf *m);
+void	mac_reflect_mbuf_tcp(struct mbuf *m);
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 
 /*

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 (text+ko) ====

@@ -235,6 +235,9 @@
 	int	(*mpo_fragment_match)(struct mbuf *fragment,
 		    struct label *fragmentlabel, struct ipq *ipq,
 		    struct label *ipqlabel);
+	void	(*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+		    struct label *mlabel);
+	void	(*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct label *newlabel);
 	void	(*mpo_update_ipq)(struct mbuf *fragment,
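Review bot: Existing policy modules will not initialise mpo_reflect_mbuf_icmp or mpo_reflect_mbuf_tcp, so those slots are NULL in their operations structure; that is only safe if the dispatch behind MAC_PERFORM skips a NULL op, which this diff does not show, and in that case such a policy silently keeps the inherited label on reflected packets. Worth stating either in the commit message or in a comment beside the new members that the reflect ops are optional and that omitting them means "label left unchanged", since that is the security-relevant default. The struct definition continues outside the hunk.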

