Date: Wed, 31 Jul 2002 12:06:49 -0700 (PDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_input.c tcp_output.c tcp_subr.c tcp_syncache.c
Message-ID: <200207311906.g6VJ6nC5030551@freefall.freebsd.org>

rwatson     2002/07/31 12:06:49 PDT

  Modified files:
    sys/netinet          tcp_input.c tcp_output.c tcp_subr.c
                         tcp_syncache.c
  Log:
  Introduce support for Mandatory Access Control and extensible
  kernel access control.

  Instrument the TCP socket code for packet generation and delivery:
  label outgoing mbufs with the label of the socket, and check socket and
  mbuf labels before permitting delivery to a socket. Assign labels
  to newly accepted connections when the syncache/cookie code has done
  its business. Also set peer labels as convenient. Currently,
  MAC policies cannot influence the PCB matching algorithm, so cannot
  implement polyinstantiation. Note that there is at least one case
  where a PCB is not available due to the TCP packet not being associated
  with any socket, so we don't label in that case, but need to handle
  it in a special manner.

  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs

  Revision  Changes    Path
  1.167     +13 -0     src/sys/netinet/tcp_input.c
  1.66      +5 -0      src/sys/netinet/tcp_output.c
  1.139     +17 -0     src/sys/netinet/tcp_subr.c
  1.24      +8 -0      src/sys/netinet/tcp_syncache.c