Date: Sun, 18 Jun 2006 09:43:12 +0800
From: zhouyi zhou <zhouyi04@ios.cn>
To: Max Laier <max@love2party.net>
Cc: trustedbsd-discuss@freebsd.org
Subject: Re: MAC Framework has confict with IP firewall
Message-ID: <20060618094312.7fec4f77.zhouyi04@ios.cn>
In-Reply-To: <200606180008.53676.max@love2party.net>
References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net> <200606180008.53676.max@love2party.net>
Thanks for the modification!!! I have three small suggestions, maybe inappropriate :-)

1) Would you think that in

    static void
    mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)

and so on, assigning an mls/low label to the generated mbuf is better? As far as I know, in BLP-kind systems mls/low is the default label for the system software and system behaviour.

2) I added Ethernet address matching for PF in FreeBSD, like that in OpenBSD, by simply maintaining a chain of which MAC address gets which tag inserted:

    /* net/if_ethersubr.c */
    static void
    ether_input(struct ifnet *ifp, struct mbuf *m)
    {
        struct ether_header *eh;
        u_short etype;
        .......
    #ifdef DEV_PF
        /* Let PF tag the frame by MAC address before further input processing. */
        PF_TAG_MBUF(m);
    #endif

    /* contrib/pf/pf_ioctl.c */
    void
    pf_tag_mbuf(struct mbuf *mbuf)
    {
        struct ether_header *eh;
        struct pfmac_rule_element *rule_iterator = pfmac_rule_chain;
        struct ether_header zero_header;

        /* An all-zero address in a rule acts as a wildcard for that field. */
        bzero(&zero_header.ether_dhost, 6);
        bzero(&zero_header.ether_shost, 6);
        eh = mtod(mbuf, struct ether_header *);

        /* Walk the rule chain in order; the first matching rule wins. */
        while (rule_iterator) {
            if ((!memcmp(eh->ether_shost,
                rule_iterator->pfmac_rule->ether_header.ether_shost, 6) ||
                !memcmp(zero_header.ether_shost,
                rule_iterator->pfmac_rule->ether_header.ether_shost, 6)) &&
                (!memcmp(eh->ether_dhost,
                rule_iterator->pfmac_rule->ether_header.ether_dhost, 6) ||
                !memcmp(zero_header.ether_dhost,
                rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)))
                break;
            rule_iterator = rule_iterator->next;
        }
        /* Apply the matched rule's tag so later PF rules can match on it. */
        if (rule_iterator != NULL)
            pf_tag_packet(mbuf, NULL,
                pf_tagname2tag(rule_iterator->pfmac_rule->tag));
    }

3) The MAC Framework has conflicts with NFS; I work around it by:

    /* security/mac/mac_vfs.c */
    int
    mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
        struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
    {
        int error;
        ...
        /* added by Zhouyi Zhou */
        /* NFS may hand us a cred without a label; give it the current thread's. */
        if (cred->cr_label == NULL) {
            mac_init_cred(cred);
            mac_copy_cred(curthread->td_ucred, cred);
        }
        /* added by Zhouyi Zhou */
        ...
        MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, dvp,
            dvp->v_label, vp, vp->v_label, cnp);

It could also have vp's or dvp's label assigned to the cred.

Sincerely yours
Zhouyi Zhou
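The rule walk in suggestion 2, modelled in user space so the wildcard and ordering behaviour can be exercised outside the kernel. This is an added example, not the poster's patch or FreeBSD code; the rule struct, chain, tag names and frames are all constructed for illustration.

```c
/* User-space model of the PF MAC-address rule walk from the message above.
 * Added example, not the poster's kernel code; all names are hypothetical. */
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
/* Rule: Ethernet src/dst plus the PF tag name; all-zero address = wildcard. */
struct pfmac_rule {
    uint8_t shost[ETHER_ADDR_LEN];
    uint8_t dhost[ETHER_ADDR_LEN];
    const char *tag;
    struct pfmac_rule *next;
};

static const uint8_t zero_addr[ETHER_ADDR_LEN] = {0};
/* A field matches when it equals the rule's address or the rule is wildcard. */
static int addr_matches(const uint8_t *pkt, const uint8_t *rule)
{
    return memcmp(pkt, rule, ETHER_ADDR_LEN) == 0 ||
           memcmp(rule, zero_addr, ETHER_ADDR_LEN) == 0;
}

/* Walk the chain in order; the first matching rule wins, NULL if none does. */
const char *pfmac_lookup_tag(const struct pfmac_rule *chain,
                             const uint8_t *shost, const uint8_t *dhost)
{
    for (const struct pfmac_rule *r = chain; r != NULL; r = r->next)
        if (addr_matches(shost, r->shost) && addr_matches(dhost, r->dhost))
            return r->tag;
    return NULL;
}

/* Constructed chain: specific src/dst pair first, then a src-wildcard rule.
 * Order matters: placed first, the wildcard would shadow the specific rule. */
static struct pfmac_rule rule_any_src = {
    {0, 0, 0, 0, 0, 0}, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, "to_gateway", NULL };
static struct pfmac_rule rule_admin = {
    {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01}, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55},
    "from_admin_host", &rule_any_src };
struct pfmac_rule *pfmac_rule_chain = &rule_admin;
/* Classify a raw Ethernet header laid out as dst, src, ethertype. */
const char *classify_frame(const uint8_t *hdr)
{
    return pfmac_lookup_tag(pfmac_rule_chain, hdr + ETHER_ADDR_LEN, hdr);
}
/* Constructed frames: admin host to gateway, other host to gateway, broadcast. */
const uint8_t frame_admin[14] = {0x00,0x11,0x22,0x33,0x44,0x55, 0xde,0xad,0xbe,0xef,0x00,0x01, 0x08,0x00};
const uint8_t frame_other[14] = {0x00,0x11,0x22,0x33,0x44,0x55, 0x02,0x00,0x00,0x00,0x00,0x09, 0x08,0x00};
const uint8_t frame_bcast[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x09, 0x08,0x06};
```

A frame that matches no rule gets no tag, which is why the check in pf_tag_mbuf only calls pf_tag_packet when the walk stopped on a rule.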