PERFORCE change 113333 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 15:49:26 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113333
Change 113333 by millert at millert_macbook on 2007/01/22 15:45:28
Add mac_mbuf_label_associate_netlayer().
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#32 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#10 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#40 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#64 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#7 (text+ko) ====
@@ -231,11 +231,9 @@
m->m_flags |= M_SKIP_FIREWALL;
}
-#ifdef __darwin8_notyet
#ifdef MAC
mac_mbuf_label_associate_netlayer(n, m);
#endif
-#endif
icmplen = min(oiplen + 8, oip->ip_len);
if (icmplen < sizeof(struct ip)) {
printf("icmp_error: bad length\n");
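Review bot: The newly enabled call `mac_mbuf_label_associate_netlayer(n, m);` carries no comment saying which mbuf is the received datagram and which is the reply, and the argument order matters because the prototype added in mac_framework.h is `(oldmbuf, newmbuf)`. From the hunk alone it cannot be confirmed that `n` is the offending packet and `m` the freshly allocated ICMP reply, since icmp_error's signature and the allocation of `m` lie outside the hunk; a one-line comment such as `/* MAC: derive the reply's label from the datagram that triggered it. */` above the `#ifdef MAC` would make the intent checkable. Note also that the label is associated before the `icmplen < sizeof(struct ip)` sanity check, so a reply that is then discarded has already been labeled; harmless if the error path frees `m`, but worth stating. The enclosing function starts and ends outside the hunk.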
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#32 (text+ko) ====
@@ -177,6 +177,8 @@
void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
+ struct mbuf *newmbuf);
void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
void mac_mbuf_label_destroy(struct mbuf *m);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#10 (text+ko) ====
@@ -310,7 +310,6 @@
m_label = mac_mbuf_to_label(mbuf);
b_label = mac_bpfdesc_label_get(bpf_d);
- /* Policy must deal with NULL label (unlabeled mbufs) */
MAC_PERFORM(mbuf_label_associate_bpfdesc, bpf_d, b_label, mbuf,
m_label);
}
@@ -324,7 +323,6 @@
m_label = mac_mbuf_to_label(mbuf);
- /* Policy must deal with NULL label (unlabeled mbufs) */
MAC_PERFORM(mbuf_label_associate_ifnet, ifp, ifp->if_label, mbuf,
m_label);
}
@@ -338,12 +336,23 @@
m_label = mac_mbuf_to_label(mbuf);
- /* Policy must deal with NULL label (unlabeled mbufs) */
MAC_PERFORM(mbuf_label_associate_linklayer, ifp, ifp->if_label, mbuf,
m_label);
}
void
+mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
+{
+ struct label *oldmbuflabel, *newmbuflabel;
+
+ oldmbuflabel = mac_mbuf_to_label(oldmbuf);
+ newmbuflabel = mac_mbuf_to_label(newmbuf);
+
+ MAC_PERFORM(mbuf_label_associate_netlayer, oldmbuf, oldmbuflabel,
+ newmbuf, newmbuflabel);
+}
+
+void
mac_mbuf_label_associate_socket(struct socket *socket, struct mbuf *mbuf)
{
struct label *label;
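Review bot: The new `mac_mbuf_label_associate_netlayer()` has no header comment, and at the same time this change deletes every `/* Policy must deal with NULL label (unlabeled mbufs) */` reminder in this file (the hunks at -310, -324, -338 and -353) without stating the NULL contract anywhere else. If `mac_mbuf_to_label()` can still return NULL for an unlabeled mbuf — its definition is not in the hunk — then both `oldmbuflabel` and `newmbuflabel` handed to MAC_PERFORM may be NULL and every policy implementing the hook has to cope, so the contract belongs either here or in the mac_policy.h description of the hook. Suggested comment above the function: `/* Label newmbuf, a datagram the IP stack generated in response to oldmbuf. Either label may be NULL for an unlabeled mbuf; policies must handle that. */`. As a minor style point, the locals are named `oldmbuflabel`/`newmbuflabel` while the neighbouring entry points use `m_label`/`label`; either is fine, but the file should pick one.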
@@ -353,7 +362,6 @@
label = mac_mbuf_to_label(mbuf);
- /* Policy must deal with NULL label (unlabeled mbufs) */
sotoxsocket(socket, &xso);
MAC_PERFORM(mbuf_label_associate_socket, &xso, socket->so_label,
mbuf, label);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#40 (text+ko) ====
@@ -1328,6 +1328,24 @@
struct label *m_label
);
/**
+ @brief Assign a label to a new mbuf
+ @param oldmbuf Received datagram
+ @param oldmbuflabel Policy label for oldmbuf
+ @param newmbuf Newly created datagram
+ @param newmbuflabel Policy label for newmbuf
+
+ Set the label on the mbuf header of a newly created datagram generated
+ by the IP stack in response to an existing received datagram (oldmbuf).
+ This call may be made in a number of situations, including when responding
+ to ICMP request datagrams.
+*/
+typedef void mpo_mbuf_label_associate_netlayer_t(
+ struct mbuf *oldmbuf,
+ struct label *oldmbuflabel,
+ struct mbuf *newmbuf,
+ struct label *newmbuflabel
+);
+/**
@brief Assign a label to a new mbuf
@param xso Socket to label
@param so_label Policy label for socket
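Review bot: The new hook's `@brief Assign a label to a new mbuf` is word-for-word the same as the brief of the following `mpo_mbuf_label_associate_socket_t` entry, so in a generated index the two are indistinguishable; something like `@brief Assign a label to a new mbuf generated in response to a received one` would separate them. The description also says nothing about whether `oldmbuflabel` or `newmbuflabel` may be NULL for unlabeled mbufs, which is the one thing a policy author needs to know before dereferencing either; adding a sentence to that effect (whichever way the framework guarantees it) would close the gap. The second hunk of this file, the `mpo_ops` member, needs nothing.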
@@ -5385,6 +5403,7 @@
mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
+ mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#64 (text+ko) ====
@@ -933,6 +933,15 @@
}
static void
+sebsd_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
+ struct label *oldmbuflabel, struct mbuf *newmbuf,
+ struct label *newmbuflabel)
+{
+
+ sebsd_label_copy(oldmbuflabel, newmbuflabel);
+}
+
+static void
sebsd_mbuf_label_associate_inpcb(struct inpcb *inp, struct label *ilabel,
struct mbuf *m, struct label *mlabel)
{
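Review bot: `sebsd_mbuf_label_associate_netlayer()` passes `oldmbuflabel` and `newmbuflabel` straight to `sebsd_label_copy()` with no NULL check, while the framework comments removed by this same change say policies must deal with NULL labels on unlabeled mbufs. Unless `sebsd_label_copy()` itself tolerates a NULL source or destination — it is defined outside the hunk, so this cannot be confirmed here — a guard of the form `if (oldmbuflabel == NULL || newmbuflabel == NULL) return;` is needed before the copy. The choice this hook encodes is also worth a comment, since the reply is generated by the kernel yet receives the label of the datagram that provoked it: `/* The stack-generated reply inherits the label of the datagram it answers. */`. The two mbuf parameters are unused, which matches the other policy hooks in this file; the `mpo_ops` initializer in the second hunk is fine.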
@@ -3524,6 +3533,7 @@
.mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
.mpo_mbuf_label_associate_inpcb = sebsd_mbuf_label_associate_inpcb,
.mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
+ .mpo_mbuf_label_associate_netlayer = sebsd_mbuf_label_associate_netlayer,
.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
.mpo_mbuf_label_copy = sebsd_label_copy,
.mpo_mbuf_label_destroy = sebsd_label_destroy,