From: zhouyi zhou <zhouyi04@ios.cn>
To: Max Laier
Cc: trustedbsd-discuss@freebsd.org
Date: Sun, 18 Jun 2006 09:43:12 +0800
Subject: Re: MAC Framework has conflict with IP firewall
Message-Id: <20060618094312.7fec4f77.zhouyi04@ios.cn>
In-Reply-To: <200606180008.53676.max@love2party.net>
Organization: Institute of Software
Thanks for the modification!!! I have three small suggestions, maybe inappropriate :-)

1) Would you think that in

    static void
    mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)

and so on, assigning a mls/low label to the generated mbuf is better? As far as I know, in BLP-kind systems mls/low is the default label for the system software and system behaviour.

2) I added Ethernet address matching for PF in FreeBSD like that in OpenBSD, by simply maintaining a chain of which MAC address gets which tag inserted:

    //net/if_ethersubr.c
    static void
    ether_input(struct ifnet *ifp, struct mbuf *m)
    {
        struct ether_header *eh;
        u_short etype;
        .......
    #ifdef DEV_PF
        PF_TAG_MBUF(m);
    #endif

    //contrib/pf/pf_ioctl.c
    void
    pf_tag_mbuf(struct mbuf *mbuf)
    {
        struct ether_header *eh;
        struct pfmac_rule_element *rule_iterator = pfmac_rule_chain;
        struct ether_header zero_header;

        /* an all-zero address in a rule matches any address */
        bzero(&zero_header.ether_dhost, 6);
        bzero(&zero_header.ether_shost, 6);
        eh = mtod(mbuf, struct ether_header *);
        while (rule_iterator) {
            if ((!memcmp(eh->ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6) ||
                 !memcmp(zero_header.ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6)) &&
                (!memcmp(eh->ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6) ||
                 !memcmp(zero_header.ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)))
                break;
            rule_iterator = rule_iterator->next;
        }
        /* first matching rule decides the tag; no match leaves the mbuf untagged */
        if (rule_iterator != NULL)
            pf_tag_packet(mbuf, NULL, pf_tagname2tag(rule_iterator->pfmac_rule->tag));
    }

3) The MAC Framework has conflicts with NFS; I work around it by:

    //security/mac/mac_vfs.c
    int
    mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp,
        struct vnode *vp, struct componentname *cnp)
    {
        int error;
        ...
        /* added by Zhouyi Zhou */
        if (cred->cr_label == NULL) {
            mac_init_cred(cred);
            mac_copy_cred(curthread->td_ucred, cred);
        }
        /* added by Zhouyi Zhou */
        ...
        MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, dvp, dvp->v_label,
            vp, vp->v_label, cnp);

////////////////

It could also have vp's or dvp's label assigned to the cred.

Sincerely yours
Zhouyi Zhou
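As an added example (not code from the post, from FreeBSD or from PF), the matching rule that the pf_tag_mbuf fragment in suggestion 2 implements, an all-zero address in a rule acting as a wildcard and the first matching rule deciding the tag, rewritten as a stand-alone user-space C program over a constructed rule chain; the struct and function names below are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

/* Hypothetical rule element standing in for the pfmac_rule chain in the post */
struct pfmac_rule {
    uint8_t shost[ETHER_ADDR_LEN];  /* all-zero = match any source */
    uint8_t dhost[ETHER_ADDR_LEN];  /* all-zero = match any destination */
    int tag;
    const struct pfmac_rule *next;
};

static const uint8_t zero_addr[ETHER_ADDR_LEN] = {0};

/* As in the post: a rule address matches if it equals the frame's address or is all-zero */
static int addr_matches(const uint8_t *frame_addr, const uint8_t *rule_addr)
{
    return memcmp(frame_addr, rule_addr, ETHER_ADDR_LEN) == 0 ||
           memcmp(zero_addr, rule_addr, ETHER_ADDR_LEN) == 0;
}

/* Walk the chain; return the tag of the first matching rule, or -1 when none matches */
int pfmac_lookup_tag(const struct pfmac_rule *chain,
                     const uint8_t *shost, const uint8_t *dhost)
{
    for (const struct pfmac_rule *r = chain; r != NULL; r = r->next)
        if (addr_matches(shost, r->shost) && addr_matches(dhost, r->dhost))
            return r->tag;
    return -1;
}

/* Constructed sample data: an exact rule followed by a source-wildcard rule */
const uint8_t sample_src[ETHER_ADDR_LEN]   = {0xaa,0xbb,0xcc,0xdd,0xee,0xff};
const uint8_t sample_dst[ETHER_ADDR_LEN]   = {0x00,0x11,0x22,0x33,0x44,0x55};
const uint8_t sample_other[ETHER_ADDR_LEN] = {0x01,0x02,0x03,0x04,0x05,0x06};
static const struct pfmac_rule rule_any_src = {
    {0,0,0,0,0,0}, {0x00,0x11,0x22,0x33,0x44,0x55}, 20, NULL };
static const struct pfmac_rule rule_exact = {
    {0xaa,0xbb,0xcc,0xdd,0xee,0xff}, {0x00,0x11,0x22,0x33,0x44,0x55}, 10, &rule_any_src };
const struct pfmac_rule *sample_chain = &rule_exact;

int main(void)
{
    printf("exact match tag:  %d\n", pfmac_lookup_tag(sample_chain, sample_src, sample_dst));
    printf("wildcard src tag: %d\n", pfmac_lookup_tag(sample_chain, sample_other, sample_dst));
    printf("no match:         %d\n", pfmac_lookup_tag(sample_chain, sample_src, sample_other));
    return 0;
}
```

Note that the wildcard test compares the zero address against the rule, not the frame, so a frame whose own source address is all-zero only matches a rule that is literally all-zero.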