PERFORCE change 113338 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 15:58:38 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113338
Change 113338 by millert at millert_macbook on 2007/01/22 15:54:30
Add IP fragment queue labeling; adapted from FreeBSD.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_input.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_var.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#34 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#43 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#67 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_input.c#4 (text+ko) ====
@@ -1000,6 +1000,9 @@
if (ip->ip_id == fp->ipq_id &&
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
+#ifdef MAC
+ mac_ipq_label_compare(m, fp) &&
+#endif
ip->ip_p == fp->ipq_p)
goto found;
@@ -1222,6 +1225,14 @@
if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
goto dropfrag;
fp = mtod(t, struct ipq *);
+#ifdef MAC
+ if (mac_ipq_label_init(fp, M_NOWAIT) != 0) {
+ m_free(t);
+ fp = NULL;
+ goto dropfrag;
+ }
+ mac_ipq_label_associate(m, fp);
+#endif
insque((void*)fp, (void*)where);
nipq++;
fp->ipq_nfrags = 1;
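Review bot: The failure branch of `mac_ipq_label_init` assigns `fp = NULL` right after `m_free(t)` without saying why, and a later reader may "tidy" the assignment away. I would add `/* t is already freed and fp was never linked in; clear fp so dropfrag does not touch it */` above `fp = NULL;`. This presumes `dropfrag` adjusts `fp->ipq_nfrags` when `fp` is non-NULL, as the FreeBSD code this is adapted from does; the label itself is outside the hunk, so confirm against the Darwin version. The enclosing reassembly function starts and ends outside the hunk.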
@@ -1244,6 +1255,9 @@
goto inserted;
} else {
fp->ipq_nfrags++;
+#ifdef MAC
+ mac_ipq_label_update(m, fp);
+#endif
}
#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
@@ -1398,6 +1412,10 @@
*divcookie = fp->ipq_div_cookie;
#endif
+#ifdef MAC
+ mac_mbuf_label_associate_ipq(fp, m);
+ mac_ipq_label_destroy(fp);
+#endif
/*
* Create header for new ip packet by
* modifying header of first packet;
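Review bot: `mac_ipq_label_destroy(fp)` runs only on the successful reassembly path, but the label allocated by `mac_ipq_label_init` in the hunk at @@ -1222 must also be released wherever a queue is torn down without completing (timeout, drain, eviction), and no hunk in this change touches that path. In the FreeBSD original the destroy hook is called from `ip_freef`; if the Darwin equivalent was not updated, every fragment stream that never completes leaks its label storage, a slow kernel memory leak driven by remote input. I would add `mac_ipq_label_destroy(fp);` under `#ifdef MAC` in the queue-free routine, next to where the ipq mbuf itself is freed. The enclosing function starts and ends outside the hunk, so I cannot confirm from here whether that was already done elsewhere.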
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_var.h#3 (text+ko) ====
@@ -102,6 +102,9 @@
#endif
u_int16_t ipq_div_cookie; /* ipfw divert cookie */
#endif
+#ifdef MAC
+ struct label *ipq_label; /* MAC label */
+#endif
};
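Review bot: `ipq_label` is added under `#ifdef MAC`, so the size and layout of `struct ipq` now depend on a configuration macro; every translation unit that touches the struct, including `mac_inet.c`, which dereferences `ipq->ipq_label` in this same change, must be built with the same setting or it will misread the object. The neighbouring `ipq_div_cookie` member already follows this conditional pattern, so it is consistent with the file, but upstream FreeBSD, if I recall correctly, keeps the member unconditional precisely to avoid the ABI split; consider `struct label *ipq_label; /* MAC label */` without the guard if the other MAC-dependent struct members in this tree are handled that way.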
/*
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#34 (text+ko) ====
@@ -52,38 +52,39 @@
#ifdef MAC
+struct attrlist;
struct auditinfo;
-struct attrlist;
struct bpf_d;
struct componentname;
struct devnode;
struct fdescnode;
struct fileglob;
struct ifnet;
+struct ifreq;
struct inpcb;
-struct ifreq;
+struct ipq;
struct lctx;
+struct m_tag;
struct mac;
struct mac_module_data;
+struct mbuf;
struct mount;
+struct pipe;
+struct proc;
struct pseminfo;
struct pshminfo;
-struct proc;
struct semid_kernel;
struct shmid_kernel;
+struct sockaddr;
+struct socket;
+struct task;
struct thread;
struct timespec;
struct ucred;
struct uio;
+struct vnode;
struct vnode_attr;
-struct vnode;
-struct socket;
-struct sockaddr;
-struct mbuf;
-struct m_tag;
struct vop_setlabel_args;
-struct pipe;
-struct task;
/*@ macros */
#define VNODE_LABEL_CREATE 1
@@ -167,6 +168,11 @@
int mac_inpcb_label_init(struct inpcb *inp, int flag);
void mac_inpcb_label_recycle(struct inpcb *inp);
void mac_inpcb_label_update(struct socket *so);
+void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
+int mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
+void mac_ipq_label_destroy(struct ipq *ipq);
+int mac_ipq_label_init(struct ipq *ipq, int flag);
+void mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);
struct label *mac_lctx_label_alloc(void);
void mac_lctx_label_free(struct label *label);
void mac_lctx_label_update(struct lctx *l, struct label *newlabel);
@@ -176,6 +182,7 @@
void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
+void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
struct mbuf *newmbuf);
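Review bot: The new prototype names its mbuf parameter `mbuf`, while the sibling `mac_mbuf_label_associate_*` prototypes on the surrounding lines use `m`, and the definition added to `mac_inet.c` in this change also uses `m`. I would change it to `void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *m);` so header and definition agree. Types and parameter order already match; this is naming only.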
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#3 (text+ko) ====
@@ -82,7 +82,6 @@
return (0);
}
-#ifdef notyet
static struct label *
mac_ipq_label_alloc(int flag)
{
@@ -111,7 +110,6 @@
return (ENOMEM);
return (0);
}
-#endif
static void
mac_inpcb_label_free(struct label *label)
@@ -136,7 +134,6 @@
MAC_PERFORM(inpcb_label_recycle, inp->inp_label);
}
-#ifdef notyet
static void
mac_ipq_label_free(struct label *label)
{
@@ -146,13 +143,12 @@
}
void
-mac_ipq_destroy(struct ipq *ipq)
+mac_ipq_label_destroy(struct ipq *ipq)
{
mac_ipq_label_free(ipq->ipq_label);
ipq->ipq_label = NULL;
}
-#endif
void
mac_inpcb_label_associate(struct socket *so, struct inpcb *inp)
@@ -162,18 +158,15 @@
inp->inp_label);
}
-#ifdef notyet
-/* XXXMAC - rename these */
void
-mac_ipq_reassemble(struct ipq *ipq, struct mbuf *datagram)
+mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(datagram);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, datagram, label);
+ MAC_PERFORM(mbuf_label_associate_ipq, ipq, ipq->ipq_label, m, label);
}
-#endif
void
mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment)
@@ -187,7 +180,6 @@
fragmentlabel);
}
-#ifdef notyet
void
mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq)
{
@@ -197,7 +189,6 @@
MAC_PERFORM(ipq_label_associate, fragment, label, ipq, ipq->ipq_label);
}
-#endif
void
mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m)
@@ -210,9 +201,8 @@
MAC_PERFORM(mbuf_label_associate_inpcb, inp, inp->inp_label, m, mlabel);
}
-#ifdef notyet
int
-mac_ipq_match(struct mbuf *fragment, struct ipq *ipq)
+mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq)
{
struct label *label;
int result;
@@ -220,11 +210,10 @@
label = mac_mbuf_to_label(fragment);
result = 1;
- MAC_BOOLEAN(ipq_match, &&, fragment, label, ipq, ipq->ipq_label);
+ MAC_BOOLEAN(ipq_label_compare, &&, fragment, label, ipq, ipq->ipq_label);
return (result);
}
-#endif
void
mac_netinet_icmp_reply(struct mbuf *m)
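Review bot: `mac_ipq_label_compare` initialises `result = 1` and then lets `MAC_BOOLEAN(..., &&, ...)` fold policy verdicts into it, so when no loaded policy implements the hook the fragment is treated as matching; that is the intended semantics for a match hook but nothing says so, and the bare `result = 1;` reads like an oversight. I would add above it `/* Default to "matches"; a policy implementing the hook can only veto. */`. This assumes `MAC_BOOLEAN`, whose definition is not in view, behaves like its FreeBSD counterpart and only ANDs in results from policies that set the slot. The function's opening lines are in the preceding hunk.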
@@ -246,17 +235,15 @@
MAC_PERFORM(netinet_tcp_reply, m, label);
}
-#ifdef notyet
void
-mac_ipq_update(struct mbuf *fragment, struct ipq *ipq)
+mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(fragment);
- MAC_PERFORM(ipq_update, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_label_update, fragment, label, ipq, ipq->ipq_label);
}
-#endif
int
mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#43 (text+ko) ====
@@ -62,6 +62,7 @@
struct fileglob;
struct ifnet;
struct inpcb;
+struct ipq;
struct label;
struct lctx;
struct mac_module_data;
@@ -857,6 +858,10 @@
/**
@brief Destroy file label
@param label The label to be destroyed
+
+ Destroy the label on a file descriptor. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
*/
typedef void mpo_file_label_destroy_t(
struct label *label
@@ -935,6 +940,10 @@
/**
@brief Destroy ifnet label
@param label The label to be destroyed
+
+ Destroy the label on an ifnet label. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
*/
typedef void mpo_ifnet_label_destroy_t(
struct label *label
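Review bot: The added sentence reads "Destroy the label on an ifnet label", and the inpcb hunk just below repeats the same doubled wording ("the label on an inpcb label"), whereas the file hunk above gets it right with "on a file descriptor". I would make the two lines `Destroy the label on a network interface. In this entry point, a` and `Destroy the label on an inpcb. In this entry point, a` respectively. The remainder of both paragraphs is fine as written.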
@@ -1059,6 +1068,10 @@
/**
@brief Destroy inpcb label
@param label The label to be destroyed
+
+ Destroy the label on an inpcb label. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
*/
typedef void mpo_inpcb_label_destroy_t(
struct label *label
@@ -1125,6 +1138,91 @@
struct mac_module_data *mdata
);
/**
+ @brief Create an IP reassembly queue label
+ @param fragment First received IP fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP reassembly queue to be labeled
+ @param ipqlabel Policy label to be filled in for ipq
+
+ Set the label on a newly created IP reassembly queue from
+ the mbuf header of the first received fragment.
+*/
+typedef void mpo_ipq_label_associate_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
+ @brief Compare an mbuf header label to an ipq label
+ @param fragment IP datagram fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label for ipq
+
+ Compare the label of the mbuf header containing an IP datagram
+ (fragment) fragment with the label of the passed IP fragment
+ reassembly queue (ipq). Return (1) for a successful match, or (0)
+ for no match. This call is made when the IP stack attempts to
+ find an existing fragment reassembly queue for a newly received
+ fragment; if this fails, a new fragment reassembly queue may be
+ instantiated for the fragment. Policies may use this entry point
+ to prevent the reassembly of otherwise matching IP fragments if
+ policy does not permit them to be reassembled based on the label
+ or other information.
+*/
+typedef int mpo_ipq_label_compare_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
+ @brief Destroy IP reassembly queue label
+ @param label The label to be destroyed
+
+ Destroy the label on an IP fragment queue. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
+*/
+typedef void mpo_ipq_label_destroy_t(
+ struct label *label
+);
+/**
+ @brief Initialize IP reassembly queue label
+ @param label New label to initialize
+ @param flag M_WAITOK or M_NOWAIT
+
+ Initialize the label on a newly instantiated IP fragment reassembly
+ queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
+ should be employed to avoid performing a sleeping malloc(9) during
+ this initialization call. IP fragment reassembly queue allocation
+ frequently occurs in performance sensitive environments, and the
+ implementation should be careful to avoid sleeping or long-lived
+ operations. This entry point is permitted to fail resulting in
+ the failure to allocate the IP fragment reassembly queue.
+*/
+typedef int mpo_ipq_label_init_t(
+ struct label *label,
+ int flag
+);
+/**
+ @brief Update the label on an IP fragment reassembly queue
+ @param fragment IP fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label to be updated for ipq
+
+ Update the label on an IP fragment reassembly queue (ipq) based
+ on the acceptance of the passed IP fragment mbuf header (fragment).
+*/
+typedef void mpo_ipq_label_update_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
@brief Access control check for relabelling Login Context
@param l Subject credential
@param newlabel New label to apply to the Login Context
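Review bot: In the `mpo_ipq_label_compare_t` description, "the mbuf header containing an IP datagram (fragment) fragment" repeats the word; I would write `Compare the label of the mbuf header containing an IP datagram fragment (fragment) with the label of the passed IP fragment reassembly queue (ipq).`. The stated 1/0 return contract matches how `mac_ipq_label_compare` in `mac_inet.c` folds policy results with `&&`, and the rest of the new text reads clearly.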
@@ -1310,6 +1408,22 @@
struct label *m_label
);
/**
+ @brief Set the label on a newly reassembled IP datagram
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label for ipq
+ @param mbuf IP datagram to be labeled
+ @param mbuflabel Policy label to be filled in for mbuf
+
+ Set the label on a newly reassembled IP datagram (mbuf) from the IP
+ fragment reassembly queue (ipq) from which it was generated.
+*/
+typedef void mpo_mbuf_label_associate_ipq_t(
+ struct ipq *ipq,
+ struct label *ipqlabel,
+ struct mbuf *mbuf,
+ struct label *mbuflabel
+);
+/**
@brief Assign a label to a new mbuf
@param ifp Subject; network interface
@param i_label Existing label of ifp
@@ -5431,6 +5545,11 @@
mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
mpo_inpcb_label_update_t *mpo_inpcb_label_update;
mpo_iokit_check_device_t *mpo_iokit_check_device;
+ mpo_ipq_label_associate_t *mpo_ipq_label_associate;
+ mpo_ipq_label_compare_t *mpo_ipq_label_compare;
+ mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
+ mpo_ipq_label_init_t *mpo_ipq_label_init;
+ mpo_ipq_label_update_t *mpo_ipq_label_update;
mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
@@ -5443,6 +5562,7 @@
mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
+ mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#67 (text+ko) ====
@@ -1,6 +1,6 @@
-/*-
+/*
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
- * Copyright (c) 2005-2006 SPARTA, Inc.
+ * Copyright (c) 2005-2007 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by NAI Labs, the
@@ -950,6 +950,14 @@
}
static void
+sebsd_mbuf_label_associate_ipq(struct ipq *ipq, struct label *ipqlabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ sebsd_label_copy(ipqlabel, mbuflabel);
+}
+
+static void
sebsd_posixsem_label_associate(struct ucred *cred, struct pseminfo *psem,
struct label *psemlabel, const char *name)
{
@@ -3143,6 +3151,34 @@
}
static void
+sebsd_ipq_label_associate(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+
+ sebsd_label_copy(fragmentlabel, ipqlabel);
+}
+
+static int
+sebsd_ipq_label_compare(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+ struct network_security_struct *fragsec, *ipqsec;
+
+ fragsec = SLOT(fragmentlabel);
+ ipqsec = SLOT(ipqlabel);
+
+ return (fragsec->sid == ipqsec->sid);
+}
+
+static void
+sebsd_ipq_label_update(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+
+ sebsd_label_copy(fragmentlabel, ipqlabel);
+}
+
+static void
sebsd_netinet_fragment(struct mbuf *mbuf, struct label *mlabel,
struct mbuf *frag, struct label *flabel)
{
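Review bot: `sebsd_ipq_label_update` is a verbatim copy of `sebsd_ipq_label_associate`: it overwrites the queue label with the label of every accepted fragment. Since `sebsd_ipq_label_compare` only admits a fragment whose `sid` equals the queue's, the copy can change the queue label only if `network_security_struct` (not visible here) carries state beyond `sid`; if it does not, the update entry point should be a documented no-op, and if it does, compare should probably consider that state as well so an accepted fragment cannot quietly rewrite it. Either way, a one-line comment in `sebsd_ipq_label_update` stating which case holds would keep the two functions from reading as a copy-paste accident.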
@@ -3542,9 +3578,15 @@
.mpo_inpcb_label_init = sebsd_label_init2,
.mpo_inpcb_label_recycle = sebsd_label_recycle,
.mpo_inpcb_label_update = sebsd_inpcb_label_update,
+ .mpo_ipq_label_associate = sebsd_ipq_label_associate,
+ .mpo_ipq_label_compare = sebsd_ipq_label_compare,
+ .mpo_ipq_label_destroy = sebsd_label_destroy,
+ .mpo_ipq_label_init = sebsd_label_init2,
+ .mpo_ipq_label_update = sebsd_ipq_label_update,
.mpo_mbuf_label_associate_bpfdesc = sebsd_mbuf_label_associate_bpfdesc,
.mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
.mpo_mbuf_label_associate_inpcb = sebsd_mbuf_label_associate_inpcb,
+ .mpo_mbuf_label_associate_ipq = sebsd_mbuf_label_associate_ipq,
.mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
.mpo_mbuf_label_associate_netlayer = sebsd_mbuf_label_associate_netlayer,
.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,