PERFORCE change 43986 for review
Robert Watson
rwatson at FreeBSD.org
Tue Dec 16 22:02:14 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=43986
Change 43986 by rwatson at rwatson_tislabs on 2003/12/16 14:01:57
Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label. This avoids reaching up to
the socket layer during connection close, which requires locking
changes. To do this, introduce MAC Framework entry point
mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
instead of calling mac_create_mbuf_from_socket() or
mac_create_mbuf_netlayer(). Introduce MAC Policy entry point
mpo_create_mbuf_from_inpcb(), and implementations for various
policies, which generally just copy label data from the inpcb to
the mbuf. Assert the inpcb lock in the entry point since we
require consistency for the inpcb label reference.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#40 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#240 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#82 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#194 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#18 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#128 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#258 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#207 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#40 (text+ko) ====
@@ -1662,10 +1662,7 @@
m->m_data += max_linkhdr;
#ifdef MAC
- if (so != NULL)
- mac_create_mbuf_from_socket(so, m);
- else
- mac_create_mbuf_netlayer(msrc, m);
+ mac_create_mbuf_from_inpcb(inp, m);
#endif
#ifdef INET6
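Review bot: The new call passes `inp` unconditionally, where the removed branch tolerated `so == NULL` by falling back to mac_create_mbuf_netlayer(msrc, m); mac_create_mbuf_from_inpcb() reads inp->inp_label and asserts the inpcb lock, so this is only safe if tcp_twrespond() always has a valid, locked inpcb at this point, and the function's start and end lie outside the hunk so that cannot be confirmed from the diff. A comment at the call site would record the contract: `/* inp must be valid and locked here; the MAC entry point asserts the lock. */`. If `so` and `msrc` were consumed only by the removed MAC branch, check that they do not become unused variables once MAC is enabled.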
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#20 (text+ko) ====
@@ -589,6 +589,17 @@
}
void
+mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ INP_LOCK_ASSERT(inp);
+ mlabel = mbuf_to_label(m);
+
+ MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+}
+
+void
mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
{
struct label *oldmbuflabel, *newmbuflabel;
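Review bot: mac_create_mbuf_from_inpcb() states its locking requirement only through INP_LOCK_ASSERT(), which is presumably compiled out on kernels built without INVARIANTS, so callers get no hint that inp->inp_label must be read under the inpcb lock. A comment above the definition would make the contract explicit, e.g. `/* Caller must hold the inpcb lock: inp->inp_label is handed to the policies and must stay consistent while they copy it. */`, and the prototype added to mac.h in this change is likewise uncommented. The consistency requirement is taken from the change description and should be confirmed against the inpcb label update paths.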
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#240 (text+ko) ====
@@ -1339,6 +1339,18 @@
}
static void
+mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_biba_copy_single(source, dest);
+}
+
+static void
mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
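Review bot: mac_biba_create_mbuf_from_inpcb() stamps the mbuf from the inpcb's single label rather than the socket's, so if a socket can be relabeled after its inpcb label was derived from it, the two labels may diverge and timewait responses would carry the older one; worth confirming that socket relabeling propagates to the inpcb label in this policy. The `inp` and `m` parameters are unused, which matches the other create_mbuf_* hooks in this file. The same implementation, verbatim apart from the label type, is added to mac_lomac.c and mac_mls.c, and the same question applies there.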
@@ -3219,6 +3231,7 @@
.mpo_create_ipc_sema = mac_biba_create_ipc_sema,
.mpo_create_ipc_shm = mac_biba_create_ipc_shm,
.mpo_create_ipq = mac_biba_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#82 (text+ko) ====
@@ -1423,6 +1423,18 @@
}
static void
+mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_lomac_copy_single(source, dest);
+}
+
+static void
mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -3149,6 +3161,7 @@
.mpo_create_ipc_sema = mac_lomac_create_ipc_sema,
.mpo_create_ipc_shm = mac_lomac_create_ipc_shm,
.mpo_create_ipq = mac_lomac_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#194 (text+ko) ====
@@ -1278,6 +1278,18 @@
}
static void
+mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_mls_copy_single(source, dest);
+}
+
+static void
mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -2996,6 +3008,7 @@
.mpo_create_ipc_msgqueue = mac_mls_create_ipc_msgqueue,
.mpo_create_ipc_sema = mac_mls_create_ipc_sema,
.mpo_create_ipc_shm = mac_mls_create_ipc_shm,
+ .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#18 (text+ko) ====
@@ -394,6 +394,13 @@
}
static void
+stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -1368,6 +1375,7 @@
.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
.mpo_create_fragment = stub_create_fragment,
.mpo_create_ipq = stub_create_ipq,
+ .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#128 (text+ko) ====
@@ -1116,6 +1116,15 @@
}
static void
+mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ ASSERT_INPCB_LABEL(inplabel);
+ ASSERT_MBUF_LABEL(mlabel);
+}
+
+static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -2373,6 +2382,7 @@
.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
.mpo_create_fragment = mac_test_create_fragment,
.mpo_create_ipq = mac_test_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#258 (text+ko) ====
@@ -248,6 +248,7 @@
void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#207 (text+ko) ====
@@ -261,6 +261,9 @@
void (*mpo_create_fragment)(struct mbuf *datagram,
struct label *datagramlabel, struct mbuf *fragment,
struct label *fragmentlabel);
+ void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+ struct label *inplabel, struct mbuf *m,
+ struct label *mlabel);
void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
struct label *oldlabel, struct mbuf *newmbuf,
struct label *newlabel);