PERFORCE change 32788 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jun 8 05:06:48 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=32788
Change 32788 by rwatson at rwatson_tislabs on 2003/06/07 22:05:57
Add new MAC entry point to facilitate the processing of CIPSO
labels: mac_update_mbuf_from_cipso, which accepts an mbuf pointer
and a pointer to the IP CIPSO option, as well as letting the
MAC framework return an ICMP error code if the call fails in
some form.
Invoke the entry point from ip_dooptions() in the input path.
Add a new MAC policy entry point, mpo_update_mbuf_from_cipso,
with similar arguments (added ifnet, mbuf label, and ifnet
label arguments).
These calls will likely be revised as support for CIPSO
evolves.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#390 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_input.c#34 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#237 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#190 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#390 (text+ko) ====
@@ -2443,6 +2443,25 @@
MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
}
+int
+mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code)
+{
+ struct label *label, *ifnetlabel;
+ int error;
+
+ label = mbuf_to_label(m);
+
+ if (m->m_pkthdr.rcvif != NULL)
+ ifnetlabel = &m->m_pkthdr.rcvif->if_label;
+ else
+ ifnetlabel = NULL;
+
+ MAC_CHECK(update_mbuf_from_cipso, m, label, m->m_pkthdr.rcvif,
+ ifnetlabel, cp, code);
+
+ return (error);
+}
+
void
mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
{
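Review bot: `mac_update_mbuf_from_cipso` declares `cp` as `char *`, but its only caller in this change hands it ip_dooptions's option cursor, which is `u_char *` (the ip_input.c hunk shows `cp = (u_char *)(ip + 1);`), so the call mixes pointer signedness and every policy will cast back before reading the option's length and tag bytes; `u_char *cp` here, in the mac.h prototype and in the mpo_ slot keeps the three consistent. The wrapper also forwards only the option start, not its length, so each policy has to re-derive the bound from `cp[IPOPT_OLEN]` that ip_dooptions presumably already validated before the switch; passing that length through would avoid duplicated bounds logic in policies. Finally `*code` is written only if a policy chooses to, so a policy that returns an error without storing one leaves the caller's ICMP code unset; storing a default before `MAC_CHECK`, e.g. `*code = ICMP_PARAMPROB_OPTABSENT;` or whatever the caller's convention is, closes that gap. The rest of kern_mac.c is outside the hunk.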
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_input.c#34 (text+ko) ====
@@ -1288,6 +1288,9 @@
struct in_addr *sin, dst;
n_time ntime;
struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
+#ifdef MAC
+ int error;
+#endif
dst = ip->ip_dst;
cp = (u_char *)(ip + 1);
@@ -1527,6 +1530,15 @@
ntime = iptime();
(void)memcpy(cp + off, &ntime, sizeof(n_time));
cp[IPOPT_OFFSET] += sizeof(n_time);
+ break;
+
+ case IPOPT_CIPSO:
+#ifdef MAC
+ error = mac_update_mbuf_from_cipso(m, cp, &code);
+ if (error)
+ goto bad;
+#endif
+ break;
}
}
if (forward && ipforwarding) {
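Review bot: On the new `IPOPT_CIPSO` branch the `goto bad` path sends an ICMP parameter problem using `code`, but `code` is only what the MAC policy chose to store through the pointer, and its declaration (outside this hunk) does not appear to be initialized on this path; a policy that rejects the packet without writing `*code` may leave a stale value in the reply. Initializing it before the call, `code = ICMP_PARAMPROB_OPTABSENT;` (or the option's offset, matching the neighbouring cases) followed by `error = mac_update_mbuf_from_cipso(m, cp, &code);`, pins the behaviour regardless of what the policy does. The branch also relies on `IPOPT_CIPSO` already being defined, since no header defining it is in the affected-files list, and with MAC compiled out the option is now explicitly accepted and passed through; a comment on that path, e.g. `/* Without MAC the CIPSO option is accepted unexamined. */`, would record that as intentional. ip_dooptions begins and ends outside the hunk.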
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#237 (text+ko) ====
@@ -214,6 +214,7 @@
void mac_reflect_mbuf_icmp(struct mbuf *m);
void mac_reflect_mbuf_tcp(struct mbuf *m);
void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
+int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code);
/*
* Labeling event operations: processes.
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#190 (text+ko) ====
@@ -238,6 +238,9 @@
void (*mpo_update_ipq)(struct mbuf *fragment,
struct label *fragmentlabel, struct ipq *ipq,
struct label *ipqlabel);
+ int (*mpo_update_mbuf_from_cipso)(struct mbuf *m,
+ struct label *mlabel, struct ifnet *ifnet,
+ struct label *ifnetlabel, char *cp, int *code);
/*
* Labeling event operations: processes.
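Review bot: The new `mpo_update_mbuf_from_cipso` slot carries no comment describing its contract, and the contract is non-obvious: per the kern_mac.c hunk, `ifnet` and `ifnetlabel` are NULL when the mbuf has no receive interface, and `code` is an output the policy is expected to fill with an ICMP code when it returns non-zero. Add a comment above the slot, e.g. `/* Update mlabel from the CIPSO option at cp. ifnet and ifnetlabel may be NULL; on failure return an errno and store an ICMP code in *code. */`. Declaring `cp` as `u_char *` here would also match the `u_char *` option cursor the ip_input.c caller passes.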