MAC Framework has conflict with IP firewall

zhouyi zhou zhouyi04 at ios.cn
Sun Jun 18 01:45:44 UTC 2006


Thanks for the modification!!!
I have three small suggestions, maybe inappropriate :-)


1)
Would you consider it better, in
static void
mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
and so on, to assign an mls/low label to the generated mbuf? As far as
I know, in BLP-style systems mls/low is the default label for the system
software and system behaviour.

2)
I added Ethernet address matching for PF in FreeBSD, like that in OpenBSD,
by simply maintaining a chain of which MAC address gets which tag inserted:
//net/if_ethersubr.c
static void
ether_input(struct ifnet *ifp, struct mbuf *m)
{
        struct ether_header *eh;
        u_short etype;

.......
#ifdef  DEV_PF
        /* Tag the frame by source/destination MAC before pf inspects it. */
        PF_TAG_MBUF(m);
#endif
//contrib/pf/pf_ioctl.c
/*
 * Walk the MAC rule chain and attach the first matching rule's pf tag to
 * the mbuf.  An all-zero source or destination address in a rule acts as
 * a wildcard; the chain is searched in order, so the first match wins.
 */
void
pf_tag_mbuf(struct mbuf *mbuf)
{
        struct ether_header *eh;
        struct pfmac_rule_element *rule_iterator = pfmac_rule_chain;
        struct ether_header zero_header;

        bzero(&zero_header.ether_dhost, ETHER_ADDR_LEN);
        bzero(&zero_header.ether_shost, ETHER_ADDR_LEN);
        eh = mtod(mbuf, struct ether_header *);
        while (rule_iterator) {
                const struct ether_header *rh =
                    &rule_iterator->pfmac_rule->ether_header;

                if ((!memcmp(eh->ether_shost, rh->ether_shost, ETHER_ADDR_LEN) ||
                     !memcmp(zero_header.ether_shost, rh->ether_shost, ETHER_ADDR_LEN)) &&
                    (!memcmp(eh->ether_dhost, rh->ether_dhost, ETHER_ADDR_LEN) ||
                     !memcmp(zero_header.ether_dhost, rh->ether_dhost, ETHER_ADDR_LEN)))
                        break;
                rule_iterator = rule_iterator->next;
        }
        if (rule_iterator != NULL)
                pf_tag_packet(mbuf, NULL,
                    pf_tagname2tag(rule_iterator->pfmac_rule->tag));
}

3) MAC Framework has conflicts with NFS; I worked around it by:
//security/mac/mac_vfs.c
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
        int error;
...
/* added by Zhouyi Zhou */
        /*
         * The cred handed in (the NFS case) may carry no MAC label yet;
         * allocate one and copy the current thread's label into it so
         * the policy check below never sees a NULL label.
         */
        if (cred->cr_label == NULL) {
                mac_init_cred(cred);
                mac_copy_cred(curthread->td_ucred, cred);
        }
/* added by Zhouyi Zhou */
...
        MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
            dvp, dvp->v_label, vp, vp->v_label, cnp);
////////////////
The cred could also have vp's or dvp's label assigned to it instead.


Sincerely yours
Zhouyi Zhou
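An added example, not code from the original post: a user-space model in C of the source/destination MAC rule chain that the posted pf_tag_mbuf() walks, so the matching rules can be exercised without a kernel. The wildcard convention (an all-zero address in a rule matches any address) and the first-match-wins search follow the posted code; the names mac_rule, mac_rule_tag() and sample_chain(), and the sample addresses and rules, are assumptions made for this example.

```c
/*
 * Added example, not from the original post: a user-space model of the
 * MAC-address rule chain walked by pf_tag_mbuf().  mac_rule, mac_rule_tag(),
 * sample_chain() and the sample addresses are assumptions for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

struct mac_rule {
	uint8_t shost[ETHER_ADDR_LEN];	/* source MAC; all-zero matches any */
	uint8_t dhost[ETHER_ADDR_LEN];	/* destination MAC; all-zero matches any */
	int tag;			/* tag number to attach on match */
	struct mac_rule *next;
};

/* An all-zero address in a rule is the wildcard, as in the posted code. */
static int
addr_is_any(const uint8_t *a)
{
	static const uint8_t zero[ETHER_ADDR_LEN];

	return (memcmp(a, zero, ETHER_ADDR_LEN) == 0);
}

static int
addr_match(const uint8_t *rule_addr, const uint8_t *frame_addr)
{
	return (addr_is_any(rule_addr) ||
	    memcmp(rule_addr, frame_addr, ETHER_ADDR_LEN) == 0);
}

/*
 * Walk the chain in order and return the tag of the first rule whose
 * source and destination both match.  0 means no rule matched; the
 * sample tags below are all positive.
 */
int
mac_rule_tag(const struct mac_rule *chain, const uint8_t *shost,
    const uint8_t *dhost)
{
	const struct mac_rule *r;

	for (r = chain; r != NULL; r = r->next)
		if (addr_match(r->shost, shost) && addr_match(r->dhost, dhost))
			return (r->tag);
	return (0);
}

/* Constructed sample addresses (not from the original post). */
const uint8_t host_a[ETHER_ADDR_LEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
const uint8_t host_b[ETHER_ADDR_LEN] = { 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };
const uint8_t host_c[ETHER_ADDR_LEN] = { 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11 };

/*
 * Constructed chain: the exact a->b pair first, then "from a to anyone",
 * then a catch-all.  Order matters because the first match wins: if the
 * catch-all came first, no other rule would ever be reached.
 */
static struct mac_rule rule_catch_all = { {0}, {0}, 30, NULL };
static struct mac_rule rule_from_a = {
	{ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }, {0}, 20, &rule_catch_all };
static struct mac_rule rule_a_to_b = {
	{ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 },
	{ 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb }, 10, &rule_from_a };

const struct mac_rule *
sample_chain(void)
{
	return (&rule_a_to_b);
}

int
main(void)
{
	const struct mac_rule *chain = sample_chain();

	printf("a->b: tag %d\n", mac_rule_tag(chain, host_a, host_b)); /* 10 */
	printf("a->c: tag %d\n", mac_rule_tag(chain, host_a, host_c)); /* 20 */
	printf("c->b: tag %d\n", mac_rule_tag(chain, host_c, host_b)); /* 30 */
	return (0);
}
```

Two properties of the posted matching logic show up directly here: rule order decides the outcome when several rules overlap, so a catch-all belongs at the end of the chain; and because an all-zero address is the wildcard, a rule can never be written to match only a frame whose address really is all zeros.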


