From owner-p4-projects@FreeBSD.ORG Tue Dec 16 14:02:38 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 47B5116A4D0; Tue, 16 Dec 2003 14:02:38 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 055B316A4CE for ; Tue, 16 Dec 2003 14:02:38 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1515143D3F for ; Tue, 16 Dec 2003 14:02:15 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.10/8.12.10) with ESMTP id hBGM2E0B040756 for ; Tue, 16 Dec 2003 14:02:14 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.10/8.12.10/Submit) id hBGM2EMM040753 for perforce@freebsd.org; Tue, 16 Dec 2003 14:02:14 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Tue, 16 Dec 2003 14:02:14 -0800 (PST) Message-Id: <200312162202.hBGM2EMM040753@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 43986 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Dec 2003 22:02:38 -0000 http://perforce.freebsd.org/chv.cgi?CH=43986 Change 43986 by rwatson@rwatson_tislabs on 2003/12/16 14:01:57 Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference. Affected files ... .. //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#40 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#20 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#240 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#82 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#194 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#18 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#128 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#258 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#207 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#40 (text+ko) ==== 
@@ -1662,10 +1662,7 @@
 	m->m_data += max_linkhdr;
 #ifdef MAC
-	if (so != NULL)
-		mac_create_mbuf_from_socket(so, m);
-	else
-		mac_create_mbuf_netlayer(msrc, m);
+	mac_create_mbuf_from_inpcb(inp, m);
 #endif
 #ifdef INET6
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#20 (text+ko) ====
@@ -589,6 +589,17 @@
 }
 
 void
+mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+{
+	struct label *mlabel;
+
+	INP_LOCK_ASSERT(inp);
+	mlabel = mbuf_to_label(m);
+
+	MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+}
+
+void
 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
 {
 	struct label *oldmbuflabel, *newmbuflabel;
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#240 (text+ko) ====
@@ -1339,6 +1339,18 @@
 }
 
 static void
+mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_biba_copy_single(source, dest);
+}
+
+static void
 mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
@@ -3219,6 +3231,7 @@
 	.mpo_create_ipc_sema = mac_biba_create_ipc_sema,
 	.mpo_create_ipc_shm = mac_biba_create_ipc_shm,
 	.mpo_create_ipq = mac_biba_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#82 (text+ko) ====
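Review bot: Once the socket branch is removed, `so` and `msrc` — the variables the deleted lines consumed — are dead unless their declarations and assignments, which sit outside this hunk and presumably under the same `#ifdef MAC`, go away in the same change; a kernel build with -Werror would fail on the unused variable, and a leftover `so = inp->inp_socket` would still reach into the socket layer the commit message says this avoids. The replacement call also inherits a new precondition: mac_create_mbuf_from_inpcb() asserts the inpcb lock (see the mac_net.c hunk), so every caller of tcp_twrespond() must enter it with `inp` locked, and INP_LOCK_ASSERT() only catches a violation on an INVARIANTS kernel. A one-line comment at the call site, `/* inp is locked by our caller; the inpcb label is used so the socket need not exist. */`, would record both facts for the next reader. tcp_twrespond() begins and ends outside the hunk, and one context line appears to have been lost in transit (the header counts 10/7 lines, 9/6 are shown).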
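Review bot: mac_create_mbuf_from_inpcb() states its locking contract only through INP_LOCK_ASSERT(), which compiles to nothing without INVARIANTS, so a caller reading the prototype in mac.h gets no hint that `inp->inp_label` is read under the inpcb lock; a header comment above the function, `/* Label a new mbuf from an inpcb's label, for paths where the socket may already be gone (TIME_WAIT). Caller must hold the inpcb lock. */`, would make the precondition visible in the file's usual style. The body also depends on INP_LOCK_ASSERT() and the inp_label member from netinet/in_pcb.h; the existing inpcb-label entry points in this file, outside the hunk, presumably already pull that header in — worth confirming, since this is the first INP_LOCK_ASSERT() use visible here.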
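Review bot: mac_biba_create_mbuf_from_inpcb() copies only the single label (mac_biba_copy_single) and says nothing about why the inpcb's range, if it carries one, is not considered; assuming, as the single copy implies, that mbuf labels in this policy have no range component, a line above the copy such as `/* mbuf labels carry no range; inherit the inpcb's single label unchanged. */` would spare the next reader a trip through the other create_mbuf_* entry points. `inp` and `m` are unused, which matches the label-only shape of the sibling mbuf entry points and needs no change. The mac_lomac.c and mac_mls.c hunks on the next line add the same function with the same two-line copy, and the same comment belongs there.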
@@ -1423,6 +1423,18 @@
 }
 
 static void
+mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_lomac_copy_single(source, dest);
+}
+
+static void
 mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
@@ -3149,6 +3161,7 @@
 	.mpo_create_ipc_sema = mac_lomac_create_ipc_sema,
 	.mpo_create_ipc_shm = mac_lomac_create_ipc_shm,
 	.mpo_create_ipq = mac_lomac_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#194 (text+ko) ====
@@ -1278,6 +1278,18 @@
 }
 
 static void
+mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_mls_copy_single(source, dest);
+}
+
+static void
 mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
@@ -2996,6 +3008,7 @@
 	.mpo_create_ipc_msgqueue = mac_mls_create_ipc_msgqueue,
 	.mpo_create_ipc_sema = mac_mls_create_ipc_sema,
 	.mpo_create_ipc_shm = mac_mls_create_ipc_shm,
+	.mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#18 (text+ko) ====
@@ -394,6 +394,13 @@
 }
 
 static void
+stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
 stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
@@ -1368,6 +1375,7 @@
 	.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
 	.mpo_create_fragment = stub_create_fragment,
 	.mpo_create_ipq = stub_create_ipq,
+	.mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#128 (text+ko) ====
@@ -1116,6 +1116,15 @@
 }
 
 static void
+mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+
+	ASSERT_INPCB_LABEL(inplabel);
+	ASSERT_MBUF_LABEL(mlabel);
+}
+
+static void
 mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
@@ -2373,6 +2382,7 @@
 	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
 	.mpo_create_fragment = mac_test_create_fragment,
 	.mpo_create_ipq = mac_test_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#258 (text+ko) ====
@@ -248,6 +248,7 @@
 void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
 void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#207 (text+ko) ====
@@ -261,6 +261,9 @@
 	void	(*mpo_create_fragment)(struct mbuf *datagram,
		    struct label *datagramlabel, struct mbuf *fragment,
		    struct label *fragmentlabel);
+	void	(*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+		    struct label *inplabel, struct mbuf *m,
+		    struct label *mlabel);
 	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
		    struct label *oldlabel, struct mbuf *newmbuf,
		    struct label *newlabel);
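Review bot: The new prototype brings `struct inpcb` into mac.h; unless the header already carries a `struct inpcb;` forward declaration alongside its other incomplete-type declarations, an includer that has not pulled in netinet/in_pcb.h gets the tag declared at prototype scope, and `struct inpcb *` arguments at call sites become an incompatible pointer type (gcc's "declared inside parameter list" warning). The same check applies to the mpo_create_mbuf_from_inpcb member added in the mac_policy.h hunk on this line. Both are probably already covered if the existing inpcb-label entry points the description alludes to are declared in these headers; a grep for `struct inpcb;` settles it.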