PERFORCE change 113362 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 16:23:25 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113362
Change 113362 by millert at millert_macbook on 2007/01/22 16:22:40
Add address family and socket type to mac_ifnet_check_transmit()
and mac_inpcb_check_deliver() so we have the info sedarwin
needs to make policy decisions for ifnets.
This requires a hack to find the socket type of an mbuf for
mac_ifnet_check_transmit(). A better solution may be
possible by changing where the entrypoint is called.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/udp_usrreq.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#38 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#13 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#46 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#7 (text+ko) ====
@@ -1023,6 +1023,47 @@
return result;
}
+#ifdef MAC
+#include <netinet/ip6.h>
+#include <netinet/ip.h>
+static int dlil_get_socket_type(struct mbuf **mp, int family, int raw)
+{
+ struct mbuf *m;
+ struct ip *ip;
+ struct ip6_hdr *ip6;
+ int type = SOCK_RAW;
+
+ if (!raw) {
+ switch (family) {
+ case PF_INET:
+ m = m_pullup(*mp, sizeof(struct ip));
+ if (m == NULL)
+ break;
+ *mp = m;
+ ip = mtod(m, struct ip *);
+ if (ip->ip_p == IPPROTO_TCP)
+ type = SOCK_STREAM;
+ else if (ip->ip_p == IPPROTO_UDP)
+ type = SOCK_DGRAM;
+ break;
+ case PF_INET6:
+ m = m_pullup(*mp, sizeof(struct ip6_hdr));
+ if (m == NULL)
+ break;
+ *mp = m;
+ ip6 = mtod(m, struct ip6_hdr *);
+ if (ip6->ip6_nxt == IPPROTO_TCP)
+ type = SOCK_STREAM;
+ else if (ip6->ip6_nxt == IPPROTO_UDP)
+ type = SOCK_DGRAM;
+ break;
+ }
+ }
+
+ return (type);
+}
+#endif
+
int
dlil_output_list(
struct ifnet* ifp,
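Review bot: When either m_pullup() call in dlil_get_socket_type() fails, the helper only breaks out and returns SOCK_RAW while `*mp` still points at the chain that m_pullup() has just released (BSD-derived m_pullup() implementations free the chain on failure — confirm against XNU's uipc_mbuf.c), so dlil_output_list() then hands a dangling mbuf to mac_ifnet_check_transmit() and later frees or transmits it again. The failure has to be visible to the caller, e.g. `if (m == NULL) { *mp = NULL; break; }` in both arms, with the callers treating a NULL `m` after the call as an already-freed packet rather than running m_freem() on it. Separately, the classification looks only at `ip_p`/`ip6_nxt` with no `ip_v`/`ip6_vfc` sanity check, so an IPv6 packet whose transport header sits behind an extension header, or a non-first fragment, is reported as SOCK_RAW; that is acceptable for the hack the description admits to, but it should be stated on the function, e.g. `/* Best-effort: SOCK_STREAM/SOCK_DGRAM only when a TCP/UDP header directly follows the IP header; everything else, including raw link-level output, is reported as SOCK_RAW. */`. dlil_output_list() opens at the end of this hunk and its body lies outside it.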
@@ -1094,7 +1135,8 @@
do {
#ifdef MAC
- retval = mac_ifnet_check_transmit(ifp, m);
+ retval = mac_ifnet_check_transmit(ifp, m, proto_family,
+ dlil_get_socket_type(&m, proto_family, raw));
if (retval) {
m_freem(m);
goto cleanup;
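Review bot: C leaves the evaluation order of function arguments unspecified, so in `mac_ifnet_check_transmit(ifp, m, proto_family, dlil_get_socket_type(&m, proto_family, raw))` the `m` argument may be read before the helper runs and replaces `*mp` through m_pullup(); the MAC check would then be given the old head mbuf while the rest of the loop uses the new one. Sequence the lookup explicitly: `type = dlil_get_socket_type(&m, proto_family, raw);` followed by `retval = mac_ifnet_check_transmit(ifp, m, proto_family, type);` with `int type;` declared at the top of the function. Having the lookup as its own statement also gives a natural place to notice a pullup failure before the denial path calls `m_freem(m)` on a chain that may already be gone. dlil_output_list() begins and ends outside this hunk.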
@@ -1227,7 +1269,8 @@
}
#ifdef MAC
- retval = mac_ifnet_check_transmit(ifp, m);
+ retval = mac_ifnet_check_transmit(ifp, m, proto_family,
+ dlil_get_socket_type(&m, proto_family, raw));
if (retval) {
m_freem(m);
goto cleanup;
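Review bot: This is the second copy of the same unsequenced call, `mac_ifnet_check_transmit(ifp, m, proto_family, dlil_get_socket_type(&m, proto_family, raw))`, and has the same defect: `m` may be evaluated before dlil_get_socket_type() updates it through `&m`. Rather than patching both call sites separately, a small static helper next to dlil_get_socket_type() that performs the lookup and then the check keeps the two sites from drifting apart; each call site then becomes `retval = dlil_mac_check_transmit(ifp, &m, proto_family, raw);`. The helper's parameter types are written below as guessed from the call sites; match them to dlil_output_list()'s actual declaration of `proto_family`. The enclosing function begins outside this hunk.
```c
/*
 * Sequence the socket-type lookup (which may replace *mp via m_pullup())
 * before the MAC transmit check so the check always sees the current mbuf.
 */
static int
dlil_mac_check_transmit(struct ifnet *ifp, struct mbuf **mp, int proto_family, int raw)
{
	int type = dlil_get_socket_type(mp, proto_family, raw);

	return (mac_ifnet_check_transmit(ifp, *mp, proto_family, type));
}
```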
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#8 (text+ko) ====
@@ -228,7 +228,8 @@
#endif /*IPSEC*/
#ifdef MAC
if (n && skipit == 0) {
- if (mac_inpcb_check_deliver(last, n) != 0)
+ if (mac_inpcb_check_deliver(last, n, AF_INET,
+ SOCK_RAW) != 0)
skipit = 1;
}
#endif
@@ -277,7 +278,7 @@
#endif /*IPSEC*/
#ifdef MAC
if (last && skipit == 0) {
- if (mac_inpcb_check_deliver(last, m) != 0)
+ if (mac_inpcb_check_deliver(last, m, AF_INET, SOCK_RAW) != 0)
skipit = 1;
}
#endif
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#8 (text+ko) ====
@@ -911,7 +911,7 @@
tiwin = th->th_win;
#ifdef MAC
- if (mac_inpcb_check_deliver(inp, m))
+ if (mac_inpcb_check_deliver(inp, m, AF_INET, SOCK_STREAM))
goto drop;
#endif
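Review bot: Hard-coding AF_INET in `mac_inpcb_check_deliver(inp, m, AF_INET, SOCK_STREAM)` mislabels IPv6 segments if, as in other BSD-derived stacks, tcp6_input() funnels them through this same tcp_input() — in that layout an `isipv6` flag is normally in scope at this point, and the call should read `mac_inpcb_check_deliver(inp, m, isipv6 ? AF_INET6 : AF_INET, SOCK_STREAM)`. If XNU's tcp_input() here is IPv4-only, a one-line comment saying so next to the constant would stop the next reader from raising the same question. The enclosing function starts and ends outside this hunk.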
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/udp_usrreq.c#4 (text+ko) ====
@@ -697,7 +697,7 @@
struct mbuf *opts = 0;
#ifdef MAC
- if (mac_inpcb_check_deliver(last, n) != 0) {
+ if (mac_inpcb_check_deliver(last, n, AF_INET, SOCK_DGRAM) != 0) {
m_freem(n);
return;
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#38 (text+ko) ====
@@ -154,7 +154,8 @@
void mac_file_label_associate(struct ucred *cred, struct fileglob *fg);
void mac_file_label_destroy(struct fileglob *fg);
void mac_file_label_init(struct fileglob *fg);
-int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf);
+int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf,
+ int family, int type);
void mac_ifnet_label_associate(struct ifnet *ifp);
void mac_ifnet_label_destroy(struct ifnet *ifp);
int mac_ifnet_label_get(struct ucred *cred, struct ifreq *ifr,
@@ -163,7 +164,8 @@
void mac_ifnet_label_recycle(struct ifnet *ifp);
int mac_ifnet_label_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
-int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf);
+int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf,
+ int family, int type);
void mac_inpcb_label_associate(struct socket *so, struct inpcb *inp);
void mac_inpcb_label_destroy(struct inpcb *inp);
int mac_inpcb_label_init(struct inpcb *inp, int flag);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#4 (text+ko) ====
@@ -246,7 +246,7 @@
}
int
-mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m, int family, int type)
{
struct label *label;
int error;
@@ -256,7 +256,8 @@
label = mac_mbuf_to_label(m);
- MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
+ MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label,
+ family, type);
return (error);
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#13 (text+ko) ====
@@ -377,7 +377,8 @@
}
int
-mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf)
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf, int family,
+ int type)
{
struct label *label;
int error;
@@ -385,7 +386,8 @@
label = mac_mbuf_to_label(mbuf);
ifnet_lock_shared(ifp);
- MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, mbuf, label);
+ MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, mbuf, label,
+ family, type);
ifnet_lock_done(ifp);
return (error);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#46 (text+ko) ====
@@ -900,6 +900,8 @@
@param ifnetlabel Label of the network interfaces
@param m The mbuf to be transmitted
@param mbuflabel Label of the mbuf to be transmitted
+ @param family Address Family, AF_*
+ @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be transmitted
through the network interface represented by ifp that has the
@@ -912,7 +914,9 @@
struct ifnet *ifp,
struct label *ifnetlabel,
struct mbuf *m,
- struct label *mbuflabel
+ struct label *mbuflabel,
+ int family,
+ int type
);
/**
@brief Create a network interface label
@@ -1036,6 +1040,8 @@
@param inplabel Label of the inpcb
@param m The mbuf being received
@param mbuflabel Label of the mbuf being received
+ @param family Address family, AF_*
+ @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be received
by the socket associated with inpcb that has the label inplabel.
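Review bot: The `@param family` entry reads as if it were the socket's address family, but the callers in this change pass the family of the input path that delivered the packet, which for a dual-stack socket (an AF_INET6 socket receiving IPv4 via a v4-mapped address, where stacks support that) can differ from `inp`'s own family; policies that compare it against the socket should be told which one they are getting. Suggested wording: `@param family Address family of the delivered packet as classified by the protocol input routine (AF_*); may differ from the socket's own family for v4-mapped IPv6 sockets`. The enclosing doc comment continues past this hunk.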
@@ -1047,7 +1053,9 @@
struct inpcb *inp,
struct label *inplabel,
struct mbuf *m,
- struct label *mbuflabel
+ struct label *mbuflabel,
+ int family,
+ int type
);
/**
@brief Create an inpcb label