From: Robert Watson
Date: Wed, 31 Jul 2002 12:06:49 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_input.c tcp_output.c tcp_subr.c tcp_syncache.c
Message-Id: <200207311906.g6VJ6nC5030551@freefall.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

rwatson     2002/07/31 12:06:49 PDT

  Modified files:
    sys/netinet          tcp_input.c tcp_output.c tcp_subr.c
                         tcp_syncache.c
  Log:
  Introduce support for Mandatory Access Control and extensible
  kernel access control.

  Instrument the TCP socket code for packet generation and delivery:
  label outgoing mbufs with the label of the socket, and check socket and
  mbuf labels before permitting delivery to a socket.  Assign labels
  to newly accepted connections when the syncache/cookie code has done
  its business.  Also set peer labels as convenient.  Currently,
  MAC policies cannot influence the PCB matching algorithm, so cannot
  implement polyinstantiation.

  Note that there is at least one case where a PCB is not available due to
  the TCP packet not being associated with any socket, so we don't label
  in that case, but need to handle it in a special manner.

  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, NAI Labs

  Revision  Changes    Path
  1.167     +13 -0     src/sys/netinet/tcp_input.c
  1.66      +5 -0      src/sys/netinet/tcp_output.c
  1.139     +17 -0     src/sys/netinet/tcp_subr.c
  1.24      +8 -0      src/sys/netinet/tcp_syncache.c
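
Added example, not part of the original commit message or the FreeBSD source: a simplified C model of the flow the log describes (label on output, check on delivery, label on accept, and the no-socket case left unlabeled). All struct and function names, the one-integer label, the equal-level policy, refusing unlabeled packets, and the new socket taking the listener's label are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; all names are hypothetical, not FreeBSD kernel APIs. */
struct label { bool set; int level; };            /* constructed one-field label */
struct sock  { struct label own, peer; };         /* stands in for a socket */
struct pkt   { struct label lbl; };               /* stands in for an mbuf */

/* Output path: stamp the packet with the sending socket's label.
 * With no socket (no PCB) the packet is left unlabeled and the caller is
 * told, so that case can be handled separately. */
bool label_outbound(const struct sock *so, struct pkt *p)
{
    if (so == NULL) {
        p->lbl.set = false;
        return false;
    }
    p->lbl = so->own;
    return true;
}

/* Input path: compare packet and socket labels before delivery.
 * Assumed policy: equal levels only; unlabeled packets are refused. */
int deliver(struct sock *so, const struct pkt *p)
{
    if (!p->lbl.set || !so->own.set || p->lbl.level != so->own.level)
        return -1;                 /* dropped */
    so->peer = p->lbl;             /* record the peer label */
    return 0;                      /* delivered */
}

/* Accept path: label the new socket once the handshake has completed.
 * Assumption: it takes the listener's label; peer comes from the packet. */
void label_accepted(const struct sock *lsn, const struct pkt *p, struct sock *n)
{
    n->own = lsn->own;
    n->peer = p->lbl;
}

int main(void)
{
    struct sock a = { { true, 1 }, { false, 0 } };   /* constructed sample sockets */
    struct sock b = { { true, 2 }, { false, 0 } };
    struct pkt p;

    label_outbound(&a, &p);
    printf("same level: %d, other level: %d\n", deliver(&a, &p), deliver(&b, &p));
    printf("no socket labeled: %d\n", label_outbound(NULL, &p));
    return 0;
}
```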