From: Robert Watson
Date: Sun, 26 Oct 2008 22:46:37 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r184308 - in head/sys/security: mac_biba mac_lomac mac_mls mac_stub mac_test
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Oct 2008 22:46:38 -0000

Author: rwatson
Date: Sun Oct 26 22:46:37 2008
New Revision: 184308

URL: http://svn.freebsd.org/changeset/base/184308

Log:
  Implement MAC policy support for IPv6 fragment reassembly queues, modeled on IPv4 fragment reassembly queue support.

  Obtained from: TrustedBSD Project

Modified:
  head/sys/security/mac_biba/mac_biba.c
  head/sys/security/mac_lomac/mac_lomac.c
  head/sys/security/mac_mls/mac_mls.c
  head/sys/security/mac_stub/mac_stub.c
  head/sys/security/mac_test/mac_test.c

Modified: head/sys/security/mac_biba/mac_biba.c
==============================================================================
--- head/sys/security/mac_biba/mac_biba.c Sun Oct 26 22:45:18 2008 (r184307)
+++ head/sys/security/mac_biba/mac_biba.c Sun Oct 26 22:46:37 2008 (r184308)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1170,6 +1170,51 @@ biba_inpcb_sosetlabel(struct socket *so,
 }
 
 static void
+biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(mlabel);
+ dest = SLOT(q6label);
+
+ biba_copy_effective(source, dest);
+}
+
+static int
+biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_biba *a, *b;
+
+ a = SLOT(q6label);
+ b = SLOT(mlabel);
+
+ return (biba_equal_effective(a, b));
+}
+
+static void
+biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(q6label);
+ dest = SLOT(mlabel);
+
+ /* Just use the head, since we require them all to match. */
+ biba_copy_effective(source, dest);
+}
+
+static void
+biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+ /* NOOP: we only accept matching labels, so no need to update */
+}
+
+static void
 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
  struct label *qlabel)
 {
@@ -3325,6 +3370,13 @@ static struct mac_policy_ops mac_biba_op
  .mpo_inpcb_init_label = biba_init_label_waitcheck,
  .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
 
+ .mpo_ip6q_create = biba_ip6q_create,
+ .mpo_ip6q_destroy_label = biba_destroy_label,
+ .mpo_ip6q_init_label = biba_init_label_waitcheck,
+ .mpo_ip6q_match = biba_ip6q_match,
+ .mpo_ip6q_reassemble = biba_ip6q_reassemble,
+ .mpo_ip6q_update = biba_ip6q_update,
+
  .mpo_ipq_create = biba_ipq_create,
  .mpo_ipq_destroy_label = biba_destroy_label,
  .mpo_ipq_init_label = biba_init_label_waitcheck,

Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c Sun Oct 26 22:45:18 2008 (r184307)
+++ head/sys/security/mac_lomac/mac_lomac.c Sun Oct 26 22:46:37 2008 (r184308)
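Review bot: The four new ip6q hooks carry no comment stating the invariant they depend on: `biba_ip6q_create` copies only the fragment's effective label into the queue, `biba_ip6q_match` returns true only when the fragment's effective label equals the queue's, and that equality is the sole reason `biba_ip6q_update` can be a no-op and `biba_ip6q_reassemble` can take the head's label without looking at the other fragments. A short block comment above `biba_ip6q_create` would make the contract explicit, e.g. `/* An IPv6 reassembly queue takes the effective label of its first fragment; ip6q_match accepts a later fragment only if its effective label is equal, so the queue label never needs updating and the reassembled datagram simply inherits it. */`. The same code and the same missing comment appear in the lomac and mls hunks of this commit, which differ only in the helpers used (lomac_copy_single/lomac_equal_single, mls_copy_effective/mls_equal_effective). The unused parameters `m` and `q6` mirror the existing ipq hook signatures shown in the trailing context, so I would leave them as they are.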
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1299,6 +1299,51 @@ lomac_inpcb_sosetlabel(struct socket *so
 }
 
 static void
+lomac_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(mlabel);
+ dest = SLOT(q6label);
+
+ lomac_copy_single(source, dest);
+}
+
+static int
+lomac_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_lomac *a, *b;
+
+ a = SLOT(q6label);
+ b = SLOT(mlabel);
+
+ return (lomac_equal_single(a, b));
+}
+
+static void
+lomac_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(q6label);
+ dest = SLOT(mlabel);
+
+ /* Just use the head, since we require them all to match. */
+ lomac_copy_single(source, dest);
+}
+
+static void
+lomac_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+ /* NOOP: we only accept matching labels, so no need to update */
+}
+
+static void
 lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
  struct label *qlabel)
 {
@@ -2886,6 +2931,13 @@ static struct mac_policy_ops lomac_ops =
  .mpo_inpcb_init_label = lomac_init_label_waitcheck,
  .mpo_inpcb_sosetlabel = lomac_inpcb_sosetlabel,
 
+ .mpo_ip6q_create = lomac_ip6q_create,
+ .mpo_ip6q_destroy_label = lomac_destroy_label,
+ .mpo_ip6q_init_label = lomac_init_label_waitcheck,
+ .mpo_ip6q_match = lomac_ip6q_match,
+ .mpo_ip6q_reassemble = lomac_ip6q_reassemble,
+ .mpo_ip6q_update = lomac_ip6q_update,
+
  .mpo_ipq_create = lomac_ipq_create,
  .mpo_ipq_destroy_label = lomac_destroy_label,
  .mpo_ipq_init_label = lomac_init_label_waitcheck,

Modified: head/sys/security/mac_mls/mac_mls.c
==============================================================================
--- head/sys/security/mac_mls/mac_mls.c Sun Oct 26 22:45:18 2008 (r184307)
+++ head/sys/security/mac_mls/mac_mls.c Sun Oct 26 22:46:37 2008 (r184308)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1088,6 +1088,51 @@ mls_inpcb_sosetlabel(struct socket *so,
 }
 
 static void
+mls_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(mlabel);
+ dest = SLOT(q6label);
+
+ mls_copy_effective(source, dest);
+}
+
+static int
+mls_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+ struct mac_mls *a, *b;
+
+ a = SLOT(q6label);
+ b = SLOT(mlabel);
+
+ return (mls_equal_effective(a, b));
+}
+
+static void
+mls_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(q6label);
+ dest = SLOT(mlabel);
+
+ /* Just use the head, since we require them all to match. */
+ mls_copy_effective(source, dest);
+}
+
+static void
+mls_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+ /* NOOP: we only accept matching labels, so no need to update */
+}
+
+static void
 mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
  struct label *qlabel)
 {
@@ -2948,6 +2993,13 @@ static struct mac_policy_ops mls_ops =
  .mpo_inpcb_init_label = mls_init_label_waitcheck,
  .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
 
+ .mpo_ip6q_create = mls_ip6q_create,
+ .mpo_ip6q_destroy_label = mls_destroy_label,
+ .mpo_ip6q_init_label = mls_init_label_waitcheck,
+ .mpo_ip6q_match = mls_ip6q_match,
+ .mpo_ip6q_reassemble = mls_ip6q_reassemble,
+ .mpo_ip6q_update = mls_ip6q_update,
+
  .mpo_ipq_create = mls_ipq_create,
  .mpo_ipq_destroy_label = mls_destroy_label,
  .mpo_ipq_init_label = mls_init_label_waitcheck,

Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c Sun Oct 26 22:45:18 2008 (r184307)
+++ head/sys/security/mac_stub/mac_stub.c Sun Oct 26 22:46:37 2008 (r184308)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -308,6 +308,35 @@ stub_inpcb_sosetlabel(struct socket *so,
 }
 
 static void
+stub_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+}
+
+static int
+stub_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+ return (1);
+}
+
+static void
+stub_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+ struct label *mlabel)
+{
+
+}
+
+static void
+stub_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+}
+
+static void
 stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
  struct label *qlabel)
 {
@@ -1546,6 +1575,13 @@ static struct mac_policy_ops stub_ops =
  .mpo_inpcb_init_label = stub_init_label_waitcheck,
  .mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
 
+ .mpo_ip6q_create = stub_ip6q_create,
+ .mpo_ip6q_destroy_label = stub_destroy_label,
+ .mpo_ip6q_init_label = stub_init_label_waitcheck,
+ .mpo_ip6q_match = stub_ip6q_match,
+ .mpo_ip6q_update = stub_ip6q_update,
+ .mpo_ip6q_reassemble = stub_ip6q_reassemble,
+
  .mpo_ipq_create = stub_ipq_create,
  .mpo_ipq_destroy_label = stub_destroy_label,
  .mpo_ipq_init_label = stub_init_label_waitcheck,

Modified: head/sys/security/mac_test/mac_test.c
==============================================================================
--- head/sys/security/mac_test/mac_test.c Sun Oct 26 22:45:18 2008 (r184307)
+++ head/sys/security/mac_test/mac_test.c Sun Oct 26 22:46:37 2008 (r184308)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
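Review bot: In the `stub_ops` hunk the new entries list `.mpo_ip6q_update` before `.mpo_ip6q_reassemble`, whereas the biba, lomac, mls and test tables in this same commit add them in the order reassemble, update. Designated initializers make the order functionally irrelevant, but swapping the two lines to `.mpo_ip6q_reassemble = stub_ip6q_reassemble,` followed by `.mpo_ip6q_update = stub_ip6q_update,` keeps the five policy tables aligned so that future hook additions can be diffed against each other. The empty stub hook bodies are consistent with a policy that enforces nothing, so I would not change them.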
@@ -84,6 +84,7 @@ SYSCTL_NODE(_security_mac, OID_AUTO, tes
 #define MAGIC_DEVFS 0x9ee79c32
 #define MAGIC_IFNET 0xc218b120
 #define MAGIC_INPCB 0x4440f7bb
+#define MAGIC_IP6Q 0x0870e1b7
 #define MAGIC_IPQ 0x206188ef
 #define MAGIC_MBUF 0xbbefa5bb
 #define MAGIC_MOUNT 0xc7c46e47
@@ -564,6 +565,76 @@ test_inpcb_sosetlabel(struct socket *so,
  COUNTER_INC(inpcb_sosetlabel);
 }
 
+COUNTER_DECL(ip6q_create);
+static void
+test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ip6q *q6, struct label *q6label)
+{
+
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ LABEL_CHECK(q6label, MAGIC_IP6Q);
+ COUNTER_INC(ip6q_create);
+}
+
+COUNTER_DECL(ip6q_destroy_label);
+static void
+test_ip6q_destroy_label(struct label *label)
+{
+
+ LABEL_DESTROY(label, MAGIC_IP6Q);
+ COUNTER_INC(ip6q_destroy_label);
+}
+
+COUNTER_DECL(ip6q_init_label);
+static int
+test_ip6q_init_label(struct label *label, int flag)
+{
+
+ if (flag & M_WAITOK)
+ WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
+ "test_ip6q_init_label() at %s:%d", __FILE__,
+ __LINE__);
+
+ LABEL_INIT(label, MAGIC_IP6Q);
+ COUNTER_INC(ip6q_init_label);
+ return (0);
+}
+
+COUNTER_DECL(ip6q_match);
+static int
+test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ip6q *q6, struct label *q6label)
+{
+
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ LABEL_CHECK(q6label, MAGIC_IP6Q);
+ COUNTER_INC(ip6q_match);
+
+ return (1);
+}
+
+COUNTER_DECL(ip6q_reassemble);
+static void
+test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+ struct label *mlabel)
+{
+
+ LABEL_CHECK(q6label, MAGIC_IP6Q);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(ip6q_reassemble);
+}
+
+COUNTER_DECL(ip6q_update);
+static void
+test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+ struct label *q6label)
+{
+
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ LABEL_CHECK(q6label, MAGIC_IP6Q);
+ COUNTER_INC(ip6q_update);
+}
+
 COUNTER_DECL(ipq_create);
 static void
 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
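Review bot: Parameter naming in the new mac_test hooks is inconsistent: `test_ip6q_create` and `test_ip6q_match` call the fragment `fragment`/`fragmentlabel`, but `test_ip6q_update`, which receives the same kind of argument, calls it `m`/`mlabel`. The existing `test_ipq_create` in the trailing context uses `fragment`/`fragmentlabel`, so that is the local convention; changing `test_ip6q_update` to `struct mbuf *fragment, struct label *fragmentlabel` (and its `LABEL_CHECK(fragmentlabel, MAGIC_MBUF)`) would keep the group uniform. The `m` in `test_ip6q_reassemble` is the mbuf that receives the queue label (the biba hunk copies q6label into mlabel there), so `m` reads correctly in that one hook.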
@@ -2860,6 +2931,13 @@ static struct mac_policy_ops test_ops =
  .mpo_inpcb_init_label = test_inpcb_init_label,
  .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
 
+ .mpo_ip6q_create = test_ip6q_create,
+ .mpo_ip6q_destroy_label = test_ip6q_destroy_label,
+ .mpo_ip6q_init_label = test_ip6q_init_label,
+ .mpo_ip6q_match = test_ip6q_match,
+ .mpo_ip6q_reassemble = test_ip6q_reassemble,
+ .mpo_ip6q_update = test_ip6q_update,
+
  .mpo_ipq_create = test_ipq_create,
  .mpo_ipq_destroy_label = test_ipq_destroy_label,
  .mpo_ipq_init_label = test_ipq_init_label,