PERFORCE change 113329 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 15:36:00 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113329

Change 113329 by millert at millert_macbook on 2007/01/22 15:32:45

	Add mac_mbuf_label_associate_linklayer

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ether_inet_pr_module.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/nd6.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#30 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#38 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#62 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ether_inet_pr_module.c#4 (text+ko) ====

@@ -410,6 +410,10 @@
 	mbuf_prepend(&m, sizeof(*eh), MBUF_WAITOK);
 	eh = mbuf_data(m);
 	eh->ether_type = htons(ETHERTYPE_ARP);
+
+#ifdef MAC
+	mac_mbuf_label_associate_linklayer(ifp, m);
+#endif
 	
 	/* Fill out the arp header */
 	ea->arp_pro = htons(ETHERTYPE_IP);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#6 (text+ko) ====

@@ -492,11 +492,9 @@
                 return;
 
 	m->m_pkthdr.rcvif = loif;
-#ifdef __darwin8_notyet
 #ifdef MAC
 	mac_mbuf_label_associate_linklayer(inm->inm_ifp, m);
 #endif
-#endif
 	m->m_pkthdr.len = sizeof(struct ip) + IGMP_MINLEN;
 	MH_ALIGN(m, IGMP_MINLEN + sizeof(struct ip));
 	m->m_data += sizeof(struct ip);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#5 (text+ko) ====

@@ -427,10 +427,8 @@
 	mh->m_next = md;
 
 	mh->m_pkthdr.rcvif = NULL;
-#ifdef __darwin8_notyet
 #ifdef MAC
-	mac_mbuf_label_associate_linklayer(in6m->in6m_ifp, m);
-#endif
+	mac_mbuf_label_associate_linklayer(in6m->in6m_ifp, mh);
 #endif
 	mh->m_pkthdr.len = sizeof(struct ip6_hdr) + sizeof(struct mld6_hdr);
 	mh->m_len = sizeof(struct ip6_hdr);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/nd6.c#2 (text+ko) ====

@@ -2108,6 +2108,9 @@
 	m->m_pkthdr.csum_data = 0;
 	m->m_pkthdr.csum_flags = 0;
 
+#ifdef MAC
+	mac_mbuf_label_associate_linklayer(ifp, m);
+#endif
 	if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
 		m->m_pkthdr.rcvif = origifp; /* forwarding rules require the original scope_id */
 		if (locked)
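Review bot: The added `mac_mbuf_label_associate_linklayer(ifp, m);` appears to sit on a general send path rather than beside the code that builds an ND6 message, so it may overwrite a label that an earlier hook already placed on m. The enclosing function starts and ends outside the hunk, so this is inferred from the loopback and forwarding context lines only. The hook's documentation in mac_policy.h describes it as labeling a newly created link-layer datagram. If relabeling every packet that reaches this point is intended, record that with a comment such as `/* Relabel from ifp: applies to every packet sent through here, not only ND6 messages */`; otherwise the call belongs where the ND6 mbuf is allocated.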

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#30 (text+ko) ====

@@ -170,6 +170,7 @@
 void	mac_lctx_notify_leave(struct proc *proc, struct lctx *l);
 void	mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 void	mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
+void	mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
 void	mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
 void	mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
 void	mac_mbuf_label_destroy(struct mbuf *m);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#9 (text+ko) ====

@@ -330,6 +330,20 @@
 }
 
 void
+mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *mbuf)
+{
+	struct label *m_label;
+
+	/* ifp must be locked */
+
+	m_label = mac_mbuf_to_label(mbuf);
+
+	/* Policy must deal with NULL label (unlabeled mbufs) */
+	MAC_PERFORM(mbuf_label_associate_linklayer, ifp, ifp->if_label, mbuf,
+	    m_label);
+}
+
+void
 mac_mbuf_label_associate_socket(struct socket *socket, struct mbuf *mbuf)
 {
 	struct label *label;
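Review bot: The locking requirement of `mac_mbuf_label_associate_linklayer` is stated only as `/* ifp must be locked */`, while the function dereferences `ifp->if_label` unconditionally. None of the call sites added in ether_inet_pr_module.c, igmp.c, mld6.c or nd6.c shows a lock being taken in its visible lines. If a caller does not hold it, a policy could label the mbuf from an interface label that is being changed concurrently. I would replace the comment with a function header that names the lock and the non-NULL requirement, for example `/* Caller holds the ifnet lock and passes a non-NULL ifp; ifp->if_label is read without further synchronization. */`, and confirm each caller meets it. The hunk ends inside mac_mbuf_label_associate_socket, which is unchanged.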

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#38 (text+ko) ====

@@ -1216,6 +1216,24 @@
 	struct label *m_label
 );
 /**
+ @brief Assign a label to a new mbuf
+ @param ifp Subject; network interface
+ @param i_label Existing label of ifp
+ @param m Object; mbuf
+ @param m_label Policy label to fill in for m
+
+ Set the label on the mbuf header of a newly created datagram
+ generated for the purposes of a link layer response for the passed
+ interface. This call may be made in a number of situations, including
+ for ARP or ND6 responses in the IPv4 and IPv6 stacks.
+*/
+typedef void mpo_mbuf_label_associate_linklayer_t(
+	struct ifnet *ifp,
+	struct label *i_label,
+	struct mbuf *m,
+	struct label *m_label
+);
+/**
   @brief Assign a label to a new mbuf
   @param xso Socket to label
   @param so_label Policy label for socket
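Review bot: The new doc comment for `mpo_mbuf_label_associate_linklayer_t` names only ARP and ND6 as callers, but this same change also enables the hook in igmp.c and mld6.c. Policy authors decide how to label these packets from that list, so I would extend the sentence to `including for ARP, ND6, IGMP or MLD6 messages in the IPv4 and IPv6 stacks`. The `@brief` line is also identical to the one on the socket entry point that follows; `Assign a label to a new link-layer mbuf` would tell the two apart.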
@@ -5265,6 +5283,7 @@
 	mpo_lctx_notify_leave_t			*mpo_lctx_notify_leave;
 	mpo_mbuf_label_associate_bpfdesc_t	*mpo_mbuf_label_associate_bpfdesc;
 	mpo_mbuf_label_associate_ifnet_t	*mpo_mbuf_label_associate_ifnet;
+	mpo_mbuf_label_associate_linklayer_t	*mpo_mbuf_label_associate_linklayer;
 	mpo_mbuf_label_associate_socket_t	*mpo_mbuf_label_associate_socket;
 	mpo_mbuf_label_copy_t			*mpo_mbuf_label_copy;
 	mpo_mbuf_label_destroy_t		*mpo_mbuf_label_destroy;
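Review bot: Inserting `mpo_mbuf_label_associate_linklayer` in the middle of the operations table shifts the offset of every entry after it. The in-tree sebsd.c uses designated initializers and is rebuilt with this change, but a policy module compiled against the previous header would have its later hooks dispatched through the wrong slots. Whether the framework rejects such modules at registration is not visible here, since the table's declaration starts and ends outside the hunk. If registration relies on a version constant, it should be bumped in this change, and a comment near the table such as `/* layout is ABI: bump the policy version when inserting entries */` would record the rule.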

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#62 (text+ko) ====

@@ -3477,6 +3477,7 @@
 	.mpo_ifnet_label_update = sebsd_ifnet_label_update,
 	.mpo_mbuf_label_associate_bpfdesc = sebsd_mbuf_label_associate_bpfdesc,
 	.mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
+	.mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
 	.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
 	.mpo_mbuf_label_copy = sebsd_label_copy,
 	.mpo_mbuf_label_destroy = sebsd_label_destroy,
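Review bot: The new `.mpo_mbuf_label_associate_linklayer` entry reuses `sebsd_mbuf_label_associate_ifnet` without comment, while mac_net.c in this change states that the policy must cope with a NULL m_label for unlabeled mbufs. The body of sebsd_mbuf_label_associate_ifnet is outside this diff, so its NULL handling should be confirmed before link-layer packets are routed through it. A one-line comment above the entry, such as `/* link-layer mbufs take the interface label, same as ifnet-originated ones */`, would also make the reuse clearly intentional. The initializer starts and ends outside the hunk.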

