Date:      Sun, 18 Jun 2006 04:09:00 +0200
From:      Max Laier <max@love2party.net>
To:        zhouyi zhou <zhouyi04@ios.cn>
Cc:        trustedbsd-discuss@freebsd.org
Subject:   Re: MAC Framework has confict with IP firewall
Message-ID:  <200606180409.06966.max@love2party.net>
In-Reply-To: <20060618094312.7fec4f77.zhouyi04@ios.cn>
References:  <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606180008.53676.max@love2party.net> <20060618094312.7fec4f77.zhouyi04@ios.cn>

On Sunday 18 June 2006 03:43, zhouyi zhou wrote:
> 1)
> Would you think that in
> static void
> mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
> and so on, assigning an mls/low label to the generated mbuf is better?
> As I have known, in BLP-kind systems mls/low is the default label for the
> system software and system behaviour.

I'm not really happy with setting any static label in there at all.  I was
merely copying from mac_mls_create_mbuf_linklayer() which also creates an mbuf
"out of thin air" (i.e. unprovoked, from the system software).  I don't say
there are no better ways to do this, but a clean solution involves keeping a
label in the firewall state that later creates the packet.  I am working on
patches for that as well, but it might be some time before that gets
somewhere as I try to keep it reasonably generic to use with pf and ipfw at
the same time ... which right now looks like a good way to Waterloo :-\

> 2)
> I added Ethernet address matching for PF in FreeBSD like that in OpenBSD,
> by simply maintaining a chain of which tag to insert for which MAC address:
> //net/if_ethersubr.c
> static void
> ether_input(struct ifnet *ifp, struct mbuf *m)
> {

We hope to place a pfil(9) hook in ether_input and related functions in
if_bridge(4) some time soon in order to enable a generic way to do L2
filtering.  Once that is done (I should probably just do it myself finally) I
will provide a tagging mechanism along the lines of what OpenBSD provides.

> 3) The MAC Framework has conflicts with NFS; I work around it by:
> //security/mac/mac_vfs.c

I'll let somebody else tackle this ;)

> int
> mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
>     struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
> {
>         int error;
> ...
> /*added by Zhouyi Zhou*/
>         if (cred->cr_label == NULL)
>         {
>           mac_init_cred(cred);
>           mac_copy_cred(curthread->td_ucred, cred);
>         }
> /*added by Zhouyi Zhou*/
> ...
>         MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
>             dvp, dvp->v_label, vp, vp->v_label, cnp);
> ////////////////
> It could also have vp's or dvp's label assigned to the cred.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
