PERFORCE change 113335 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 15:57:48 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113335
Change 113335 by millert at millert_macbook on 2007/01/22 15:52:26
Implement mac_netinet_icmp_reply(), mac_netinet_fragment(),
and mac_netinet_tcp_reply(). These entry points should be
renamed to better match the current naming scheme.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 (text+ko) ====
@@ -730,11 +730,9 @@
ifaref(&ia->ia_ifa);
}
lck_mtx_unlock(rt_mtx);
-#ifdef __darwin8_notyet
#ifdef MAC
mac_netinet_icmp_reply(m);
#endif
-#endif
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;
ip->ip_ttl = ip_defttl;
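Review bot: The `mac_netinet_icmp_reply(m)` call enabled inside the `#ifdef MAC` block runs before the reply header is finished: `ip->ip_src = t;` and `ip->ip_ttl = ip_defttl;` are assigned on the two lines that follow it, so a policy that inspects header fields rather than only the label sees the pre-rewrite source and TTL. The fragment hook in ip_output.c has the same ordering, with `mac_netinet_fragment(m0, m)` preceding `HTONS(mhip->ip_off)` and the checksum setup. If the hooks are meant purely to propagate labels this is harmless, but either the calls should move below the header setup or the mpo_netinet_icmp_reply_t / mpo_netinet_fragment_t documentation should say that the IP header of the mbuf is not final at call time. The enclosing function begins and ends outside this hunk.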
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 (text+ko) ====
@@ -1293,11 +1293,9 @@
m->m_pkthdr.rcvif = 0;
m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
m->m_pkthdr.socket_id = m0->m_pkthdr.socket_id;
-#ifdef __darwin8_notyet
#ifdef MAC
mac_netinet_fragment(m0, m);
#endif
-#endif
HTONS(mhip->ip_off);
mhip->ip_sum = 0;
if (sw_csum & CSUM_DELAY_IP) {
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 (text+ko) ====
@@ -583,13 +583,11 @@
*/
mac_mbuf_label_associate_inpcb(tp->t_inpcb, m);
} else {
-#ifdef __darwin8_notyet
/*
* Packet is not associated with a socket, so possibly
* update the label in place.
*/
mac_netinet_tcp_reply(m);
-#endif
}
#endif
nth->th_seq = htonl(seq);
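Review bot: The `mac_netinet_tcp_reply(m)` call in the else branch handles a reply mbuf with no inpcb to take a label from, and whether `m` at this point is the reused input mbuf or a freshly allocated one is not visible in the hunk; the surviving comment says "possibly update the label in place", which presumes the mbuf already carries label storage. If a freshly allocated reply mbuf can reach this branch without a label, mac_netinet_tcp_reply (not shown here) must tolerate that rather than hand a missing label to MAC_PERFORM. A one-line comment such as `/* m may be a fresh mbuf here; label storage must already exist */` would pin the expectation down — confirm against the allocation path earlier in this function. The enclosing function starts and ends outside the hunk.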
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 (text+ko) ====
@@ -205,6 +205,9 @@
int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
void mac_mount_label_init(struct mount *);
int mac_mount_label_internalize(struct label *, char *string);
+void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_tcp_reply(struct mbuf *m);
int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe,
unsigned int cmd);
int mac_pipe_check_kqfilter(struct ucred *cred, struct knote *kn,
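Review bot: The three new prototypes carry no indication that their names are provisional, even though the change description states that these entry points "should be renamed to better match the current naming scheme"; once other policies start calling or implementing them the rename becomes harder. A short comment above the group, `/* XXX: netinet entry point names are provisional and slated for renaming. */`, would record that intent in the header where it will be seen. The declarations themselves look consistent with the neighbouring `mac_mount_label_get` style of naming parameters.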
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 (text+ko) ====
@@ -173,6 +173,7 @@
MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, datagram, label);
}
+#endif
void
mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment)
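Review bot: Enabling the three functions is done by closing the `#ifdef notyet` region with a fresh `#endif` immediately before each enabled definition and reopening it with `#ifdef notyet` after it (here and again in the hunks at @@ -186, @@ -222 and @@ -243), which leaves live and disabled code interleaved and makes the directive pairing hard to verify, since the opening `#ifdef notyet` that this hunk's `#endif` closes is outside the hunk. Moving the still-disabled mac_ipq_* functions into one contiguous `#ifdef notyet` block, or placing the three enabled functions next to each other, would make the region boundaries obvious at a glance. Separately, in the @@ -243 hunk `MAC_PERFORM(netinet_tcp_reply, m, label)` uses a `label` whose origin is outside the hunk; if it is looked up from an mbuf tag that may be absent, the lookup result should be checked before the perform. Each affected function body starts or ends outside its hunk.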
@@ -186,6 +187,7 @@
fragmentlabel);
}
+#ifdef notyet
void
mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq)
{
@@ -222,6 +224,7 @@
return (result);
}
+#endif
void
mac_netinet_icmp_reply(struct mbuf *m)
@@ -243,6 +246,7 @@
MAC_PERFORM(netinet_tcp_reply, m, label);
}
+#ifdef notyet
void
mac_ipq_update(struct mbuf *fragment, struct ipq *ipq)
{
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 (text+ko) ====
@@ -1656,6 +1656,47 @@
char *element_data
);
/**
+ @brief Set the label on an IPv4 datagram fragment
+ @param datagram Datagram being fragmented
+ @param datagramlabel Policy label for datagram
+ @param fragment New fragment
+ @param fragmentlabel Policy label for fragment
+
+ Called when an IPv4 datagram is fragmented into several smaller datagrams.
+ Policies implementing mbuf labels will typically copy the label from the
+ source datagram to the new fragment.
+*/
+typedef void mpo_netinet_fragment_t(
+ struct mbuf *datagram,
+ struct label *datagramlabel,
+ struct mbuf *fragment,
+ struct label *fragmentlabel
+);
+/**
+ @brief Set the label on an ICMP reply
+ @param m mbuf containing the ICMP reply
+ @param mlabel Policy label for m
+
+ A policy may wish to update the label of an mbuf that refers to
+ an ICMP packet being sent in response to an IP packet. This may
+ be called in response to a bad packet or an ICMP request.
+*/
+typedef void mpo_netinet_icmp_reply_t(
+ struct mbuf *m,
+ struct label *mlabel
+);
+/**
+ @brief Set the label on a TCP reply
+ @param m mbuf containing the TCP reply
+ @param mlabel Policy label for m
+
+ Called for outgoing TCP packets not associated with an actual socket.
+*/
+typedef void mpo_netinet_tcp_reply_t(
+ struct mbuf *m,
+ struct label *mlabel
+);
+/**
@brief Access control check for pipe ioctl
@param cred Subject credential
@param cpipe Object to be accessed
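Review bot: The documentation for mpo_netinet_icmp_reply_t and mpo_netinet_tcp_reply_t does not say what state the packet is in when the entry point runs, and the callers in this same change show it matters: ip_icmp.c invokes the ICMP hook before `ip->ip_src` and `ip->ip_ttl` are assigned, and ip_output.c invokes the fragment hook before `HTONS(mhip->ip_off)` and the checksum. Adding a sentence to each block along the lines of `The IP header of m may not yet be finalized when this entry point is called; policies should base decisions on mlabel rather than on header fields.` would keep policy authors from keying on unfinished headers. Each block should also state whether mlabel can be absent when the mbuf carries no label, since the tcp_subr.c caller only says it will "possibly update the label in place".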
@@ -5421,6 +5462,9 @@
mpo_mount_label_externalize_t *mpo_mount_label_externalize;
mpo_mount_label_init_t *mpo_mount_label_init;
mpo_mount_label_internalize_t *mpo_mount_label_internalize;
+ mpo_netinet_fragment_t *mpo_netinet_fragment;
+ mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
+ mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
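Review bot: Inserting the three `mpo_netinet_*` pointers in the middle of the ops structure, after `mpo_mount_label_internalize`, shifts the offset of every field that follows, so a policy module built against the previous header would have its later entry points dispatched through the wrong slot. That is only safe if the framework rejects modules with a mismatched ops-structure version at load time, which is not visible here; if there is no such check, appending the new fields at the end of the structure or bumping the interface version in the same change is the safer option. The structure's definition starts and ends outside this hunk.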
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 (text+ko) ====
@@ -3137,6 +3137,14 @@
return (error);
}
+static void
+sebsd_netinet_fragment(struct mbuf *mbuf, struct label *mlabel,
+ struct mbuf *frag, struct label *flabel)
+{
+
+ sebsd_label_copy(mlabel, flabel);
+}
+
static int
ipc_has_perm(struct ucred *cred, struct label *label, u_int32_t perm)
{
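Review bot: sebsd_netinet_fragment does its work through `sebsd_label_copy(mlabel, flabel)` but carries no comment stating the copy direction, and sebsd_label_copy's (source, destination) order is not visible in the hunk, so a reader cannot confirm from this code alone that the fragment inherits the datagram's label rather than the reverse. A header comment such as `/* A new fragment inherits the label of the datagram it was cut from. */` would document the intent; please confirm the argument order against sebsd_label_copy. The two mbuf parameters are unused, which is expected for a label-only hook, but naming them `datagram` and `fragment` as the mpo_netinet_fragment_t typedef does would make the correspondence easier to check.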
@@ -3552,6 +3560,7 @@
.mpo_mount_label_externalize = sebsd_label_externalize,
.mpo_mount_label_init = sebsd_label_init,
.mpo_mount_label_internalize = sebsd_label_internalize,
+ .mpo_netinet_fragment = sebsd_netinet_fragment,
.mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl,
.mpo_pipe_check_label_update = sebsd_pipe_check_label_update,
.mpo_pipe_check_read = sebsd_pipe_check_read,
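Review bot: Only `.mpo_netinet_fragment` is wired into the sebsd ops table; the `mpo_netinet_icmp_reply` and `mpo_netinet_tcp_reply` slots that this change adds to mac_policy.h are left unset, so ICMP replies and socket-less TCP replies generated by the stack keep whatever label their mbuf already had, or none. If that is intended for now, a comment next to the fragment entry, e.g. `/* netinet_icmp_reply / netinet_tcp_reply: not yet implemented; replies keep the mbuf's existing label. */`, would record that the gap is deliberate rather than an oversight. The ops initializer starts and ends outside the hunk.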