MAC Framework has conflict with IP firewall
Max Laier
max at love2party.net
Sun Jun 18 02:09:15 UTC 2006
On Sunday 18 June 2006 03:43, zhouyi zhou wrote:
> 1)
> Would you think that in
> static void
> mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
> and so on, assigning an mls/low label to the generated mbuf is better?
> As I know from BLP-kind systems, mls/low is the default label for
> system software and system behaviour.
I'm not really happy with setting any static label in there at all. I was
merely copying from mac_mls_create_mbuf_linklayer(), which also creates an mbuf
"out of thin air" (i.e. unprovoked, from the system software). I don't say
there are no better ways to do this, but a clean solution involves keeping a
label in the firewall state that later creates the packet. I am working on
patches for that as well, but it might be some time before that gets
somewhere, as I try to keep it reasonably generic to use with pf and ipfw at
the same time ... which right now looks like a good way to Waterloo :-\
> 2)
> I added Ethernet address matching for PF in FreeBSD like that in OpenBSD
> by simply maintaining a chain of which MAC address gets which tag inserted:
> //net/if_ethersubr.c
> static void
> ether_input(struct ifnet *ifp, struct mbuf *m)
> {
We hope to place a pfil(9) hook in ether_input and related functions in
if_bridge(4) some time soon in order to enable a generic way to do L2
filtering. Once that is done (I should probably just do it myself finally) I
will provide a tagging mechanism along the lines of what OpenBSD provides.
> 3) MAC Framework has conflicts with NFS; I work around it by:
> //security/mac/mac_vfs.c
I'll let somebody else tackle this ;)
> int
> mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
> struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
> {
> int error;
> ...
> /*added by Zhouyi Zhou*/
> if (cred->cr_label == NULL)
> {
> mac_init_cred(cred);
> mac_copy_cred(curthread->td_ucred, cred);
> }
> /*added by Zhouyi Zhou*/
> ...
> MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
> dvp, dvp->v_label, vp, vp->v_label, cnp);
> ////////////////
> It could also have vp's or dvp's label assigned to the cred.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News