From: Robert Watson
Date: Sat, 10 Jan 2009 23:50:23 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r187039 - head/sys/net

Author: rwatson
Date: Sat Jan 10 23:50:23 2009
New Revision: 187039
URL: http://svn.freebsd.org/changeset/base/187039

Log:
  Do invoke mac_ifnet_check_transmit() and mac_ifnet_create_mbuf() in the loopback and synthetic loopback code so that packets are access control checked and relabeled. Previously, the MAC Framework enforced that packets sent over the loopback weren't relabeled, but this will allow policies to make explicit choices about how and whether to relabel packets on the loopback. Also, for SIMPLEX devices, this produces more consistent behavior for looped back packets to the local MAC address by labeling those packets as coming from the interface.

  Discussed with: csjp
  Obtained from: TrustedBSD Project

Modified:
  head/sys/net/if_loop.c

Modified: head/sys/net/if_loop.c ============================================================================== --- head/sys/net/if_loop.c Sat Jan 10 22:49:02 2009 (r187038) +++ head/sys/net/if_loop.c Sat Jan 10 23:50:23 2009 (r187039) @@ -38,6 +38,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipx.h" +#include "opt_mac.h" #include #include @@ -82,6 +83,8 @@ #include #endif +#include + #ifdef TINY_LOMTU #define LOMTU (1024+512) #elif defined(LARGE_LOMTU) 
@@ -176,9 +179,20 @@ looutput(struct ifnet *ifp, struct mbuf struct rtentry *rt) { u_int32_t af; +#ifdef MAC + int error; +#endif M_ASSERTPKTHDR(m); /* check if we have the packet header */ +#ifdef MAC + error = mac_ifnet_check_transmit(ifp, m); + if (error) { + m_freem(m); + return (error); + } +#endif + if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { m_freem(m); return (rt->rt_flags & RTF_BLACKHOLE ? 0 : @@ -230,6 +244,10 @@ if_simloop(struct ifnet *ifp, struct mbu m_tag_delete_nonpersistent(m); m->m_pkthdr.rcvif = ifp; +#ifdef MAC + mac_ifnet_create_mbuf(ifp, m); +#endif + /* * Let BPF see incoming packet in the following manner: * - Emulated packet loopback for a simplex interface
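
Review bot: In the looutput() hunk, the new mac_ifnet_check_transmit() call sits ahead of the existing `rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)` test, so a packet bound for a blackhole route that the policy denies now returns the MAC error to the caller instead of the silent 0 the blackhole branch returns. If checking policy first on every packet handed to the interface is the intent, a one-line comment above the `#ifdef MAC` block saying so would help; otherwise move the check below the route test. The failure path itself follows the convention visible in the reject branch, m_freem(m) followed by returning the error. Minor style point: `if (error)` tests an int, so `if (error != 0)` would read more clearly.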
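
Review bot: In the if_simloop() hunk, mac_ifnet_create_mbuf(ifp, m) is added without a comment even though its position is significant: it runs after m_tag_delete_nonpersistent(m) and `m->m_pkthdr.rcvif = ifp;`, and before the BPF block that follows. A short comment above the `#ifdef MAC` block stating that the mbuf is relabeled from ifp at this point, as the commit message describes for looped back packets, would keep a later reordering of this function from moving the call ahead of the tag cleanup or behind the BPF tap.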