Date: Sat, 31 May 2003 06:30:36 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 32166 for review Message-ID: <200305311330.h4VDUa3o090206@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=32166 Change 32166 by rwatson@rwatson_tislabs on 2003/05/31 06:30:19 Introduce two new MAC entry points: void mac_reflect_mbuf_icmp(m); void mac_reflect_mbuf_tcp(m); These entry points are invoked for "in-place" label updates when a packet is responded to without hitting another object (a socket, for example) in the network stack, at the ICMP and TCP levels respectively. Two similar policy-level entry points: void mpo_reflect_mbuf_icmp(m, label); void mpo_reflect_mbuf_tcp(m, label); Identical except with explicit label arguments to avoid policies having to grub around for the label themselves. Note: this changes the mac_policy_conf structure, and hence requires a rebuild of all modules.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#388 (text+ko) ====
@@ -2435,6 +2435,25 @@
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 	struct label *label;
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#20 (text+ko) ====
@@ -596,10 +596,6 @@
 
 /*
  * Reflect the ip packet back to the source
- *
- * XXXMAC: Right now, the old label is inheritted. In practice,
- * we'll need an explicit MAC call here to set an appropriate label
- * (in place).
  */
 static void
 icmp_reflect(m)
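Review bot: The two new functions are not separated by a blank line — `+}` is followed directly by `+void` / `+mac_reflect_mbuf_tcp(struct mbuf *m)` — while the blank line before `mac_update_ipq` is kept; style(9) wants one blank line between function definitions, so insert a `+` line between them. Neither function carries a comment explaining what the entry point means for the mbuf's label, so a reader has to find the commit message; a header such as `/* Let policies update the mbuf's label in place when the packet is reflected without passing through another labeled object (socket, etc.). */` above each would fix that. Both functions hand `mbuf_to_label(m)` straight to MAC_PERFORM with no check; if mbuf_to_label() can return NULL for an mbuf without a label tag (its contract is not visible here), a check or assertion belongs before the dispatch.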
@@ -652,6 +648,9 @@
 		goto done;
 	}
 match:
+#ifdef MAC
+	mac_reflect_mbuf_icmp(m);
+#endif
 	t = IA_SIN(ia)->sin_addr;
 	ip->ip_src = t;
 	ip->ip_ttl = ip_defttl;
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#34 (text+ko) ====
@@ -488,10 +488,10 @@
 		mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
 	} else {
 		/*
-		 * XXXMAC: This will need to call a mac function that
-		 * modifies the mbuf label in place for TCP datagrams
-		 * not associated with a PCB.
+		 * Packet is not associated with a socket, so possibly
+		 * update the label in place.
 		 */
+		mac_reflect_mbuf_tcp(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#236 (text+ko) ====
@@ -211,6 +211,8 @@
 	    struct ifnet *ifnet, struct mbuf *newmbuf);
 void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void	mac_reflect_mbuf_icmp(struct mbuf *m);
+void	mac_reflect_mbuf_tcp(struct mbuf *m);
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 
 /*
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#188 (text+ko) ====
@@ -235,6 +235,9 @@
 	int	(*mpo_fragment_match)(struct mbuf *fragment,
 		    struct label *fragmentlabel, struct ipq *ipq,
 		    struct label *ipqlabel);
+	void	(*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+		    struct label *mlabel);
+	void	(*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct label *newlabel);
 	void	(*mpo_update_ipq)(struct mbuf *fragment,
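Review bot: `mac_reflect_mbuf_icmp(m)` is placed at `match:` before `ip->ip_src = t` and `ip->ip_ttl = ip_defttl`, so the policy's `mpo_reflect_mbuf_icmp` sees the header with the inbound addresses, not the addresses the reply will carry; nothing in the hunk records whether that ordering is deliberate, and a policy that derives the label from the header's destination would be looking at the wrong packet. A comment would pin the contract down: `/* Policies see the inbound header here; ip_src and ip_ttl are rewritten below. */`. If the intent is for policies to label the outgoing reply instead, the call should move after the address rewrite. The enclosing icmp_reflect() starts before this hunk and continues past it.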
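Review bot: The rewritten comment says the label is "possibly" updated, which is vaguer than the code — `mac_reflect_mbuf_tcp(m)` is always called in this branch, and only the loaded policies decide whether the label changes; I would write `/* No socket to inherit a label from; let policies update the mbuf's label in place for this unsolicited response. */`. tcp_respond either reuses the caller's mbuf or allocates a fresh one (that choice is made outside the hunk), so the label handed to the policy is whatever `m` carries at this point; if a freshly allocated reply mbuf is expected to take its label from the inbound packet rather than from its own initial label, an in-place update cannot express that, and the allocation path deserves a look. The enclosing tcp_respond() starts and ends outside this hunk.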
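Review bot: The two new members are wrapped inconsistently — `mpo_reflect_mbuf_icmp` is split across two lines while `mpo_reflect_mbuf_tcp`, with the same parameter list, sits on one — and both fit within 80 columns, so either put both on one line or wrap both to match the surrounding entries. Existing policy modules will leave these two pointers NULL until they are rebuilt and updated, so the safety of every ICMP reflect and socketless TCP response now depends on MAC_PERFORM skipping unset ops; that dispatch is not visible here, so confirm it tolerates NULL members rather than calling through them.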