Date: Mon, 22 Jan 2007 15:32:56 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113329 for review Message-ID: <200701221532.l0MFWubj013994@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113329
Change 113329 by millert@millert_macbook on 2007/01/22 15:32:45
Add mac_mbuf_label_associate_linklayer
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ether_inet_pr_module.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/nd6.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#30 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#38 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#62 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ether_inet_pr_module.c#4 (text+ko) ====
@@ -410,6 +410,10 @@
 mbuf_prepend(&m, sizeof(*eh), MBUF_WAITOK);
 eh = mbuf_data(m);
 eh->ether_type = htons(ETHERTYPE_ARP);
+
+#ifdef MAC
+ mac_mbuf_label_associate_linklayer(ifp, m);
+#endif
 /* Fill out the arp header */
 ea->arp_pro = htons(ETHERTYPE_IP);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#6 (text+ko) ====
@@ -492,11 +492,9 @@
 return;
 m->m_pkthdr.rcvif = loif;
-#ifdef __darwin8_notyet
 #ifdef MAC
 mac_mbuf_label_associate_linklayer(inm->inm_ifp, m);
 #endif
-#endif
 m->m_pkthdr.len = sizeof(struct ip) + IGMP_MINLEN;
 MH_ALIGN(m, IGMP_MINLEN + sizeof(struct ip));
 m->m_data += sizeof(struct ip);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#5 (text+ko) ====
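Review bot: The new `mac_mbuf_label_associate_linklayer(ifp, m)` call in the ether_inet_pr_module.c hunk is reached on an mbuf whose `mbuf_prepend(&m, sizeof(*eh), MBUF_WAITOK)` result is never checked two lines above, so if that KPI can fail and leave m invalid the label association, like the existing `mbuf_data(m)`, runs on a bad mbuf; a guard such as `if (m == NULL) return;` after the prepend would close that, assuming the KPI clears m on failure, which should be confirmed against its contract. Separately, the mac_net.c implementation in this change states `/* ifp must be locked */`, but none of the four call sites (this one, igmp.c, mld6.c, nd6.c) visibly takes or asserts an interface lock within its hunk; a one-line comment at each site naming the lock the caller already holds, or an assertion, would make the precondition checkable. The enclosing ARP reply function starts and ends outside this hunk.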
@@ -427,10 +427,8 @@
 mh->m_next = md;
 mh->m_pkthdr.rcvif = NULL;
-#ifdef __darwin8_notyet
 #ifdef MAC
- mac_mbuf_label_associate_linklayer(in6m->in6m_ifp, m);
-#endif
+ mac_mbuf_label_associate_linklayer(in6m->in6m_ifp, mh);
 #endif
 mh->m_pkthdr.len = sizeof(struct ip6_hdr) + sizeof(struct mld6_hdr);
 mh->m_len = sizeof(struct ip6_hdr);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/nd6.c#2 (text+ko) ====
@@ -2108,6 +2108,9 @@
 m->m_pkthdr.csum_data = 0;
 m->m_pkthdr.csum_flags = 0;
+#ifdef MAC
+ mac_mbuf_label_associate_linklayer(ifp, m);
+#endif
 if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
 m->m_pkthdr.rcvif = origifp; /* forwarding rules require the original scope_id */
 if (locked)
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#30 (text+ko) ====
@@ -170,6 +170,7 @@
 void mac_lctx_notify_leave(struct proc *proc, struct lctx *l);
 void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
 void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
 void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
 void mac_mbuf_label_destroy(struct mbuf *m);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#9 (text+ko) ====
@@ -330,6 +330,20 @@
 }
 void
+mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *mbuf)
+{
+ struct label *m_label;
+
+ /* ifp must be locked */
+
+ m_label = mac_mbuf_to_label(mbuf);
+
+ /* Policy must deal with NULL label (unlabeled mbufs) */
+ MAC_PERFORM(mbuf_label_associate_linklayer, ifp, ifp->if_label, mbuf,
+ m_label);
+}
+
+void
 mac_mbuf_label_associate_socket(struct socket *socket, struct mbuf *mbuf)
 {
 struct label *label;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#38 (text+ko) ====
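Review bot: The precondition comment `/* ifp must be locked */` in the new mac_mbuf_label_associate_linklayer (mac_net.c hunk) does not say which lock or why it matters, although the function reads `ifp->if_label` and hands it to every registered policy through MAC_PERFORM; I would replace it with `/* Caller must hold the ifnet lock for ifp: ifp->if_label is read and passed to policies without further synchronization. */`. The second comment makes the policy responsible for a NULL `m_label`, but nothing here handles `ifp->if_label` being NULL; if an unlabeled ifnet is possible at these call sites, either a guard or a sentence in a header comment stating that if_label is assumed non-NULL would remove the ambiguity. A short header comment giving the purpose (label a kernel-generated link-layer response, such as ARP or ND6, on behalf of ifp) would also match the description the same change adds to mac_policy.h. The body of mac_mbuf_label_associate_socket that follows continues outside the hunk.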
@@ -1216,6 +1216,24 @@
 struct label *m_label
 );
 /**
+ @brief Assign a label to a new mbuf
+ @param ifp Subject; network interface
+ @param i_label Existing label of ifp
+ @param m Object; mbuf
+ @param m_label Policy label to fill in for m
+
+ Set the label on the mbuf header of a newly created datagram
+ generated for the purposes of a link layer response for the passed
+ interface. This call may be made in a number of situations, including
+ for ARP or ND6 responses in the IPv4 and IPv6 stacks.
+*/
+typedef void mpo_mbuf_label_associate_linklayer_t(
+ struct ifnet *ifp,
+ struct label *i_label,
+ struct mbuf *m,
+ struct label *m_label
+);
+/**
 @brief Assign a label to a new mbuf
 @param xso Socket to label
 @param so_label Policy label for socket
@@ -5265,6 +5283,7 @@
 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
+ mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#62 (text+ko) ====
@@ -3477,6 +3477,7 @@
 .mpo_ifnet_label_update = sebsd_ifnet_label_update,
 .mpo_mbuf_label_associate_bpfdesc = sebsd_mbuf_label_associate_bpfdesc,
 .mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
+ .mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
 .mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
 .mpo_mbuf_label_copy = sebsd_label_copy,
 .mpo_mbuf_label_destroy = sebsd_label_destroy,
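Review bot: The new `@param m_label Policy label to fill in for m` line in the mac_policy.h hunk does not say that m_label may be NULL, yet the framework side of this same change (mac_net.c) passes whatever `mac_mbuf_to_label(mbuf)` returns with a comment that policies must handle a NULL label for unlabeled mbufs; a policy author reading only this header would not know to check. I would change it to `@param m_label Policy label to fill in for m; NULL if the mbuf is unlabeled` and add one sentence to the description stating that the entry point is invoked with the caller holding the interface lock, as the framework implementation requires. The second hunk of this file only adds the ops-struct member and needs nothing.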
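Review bot: The new table entry in the sebsd.c hunk wires `.mpo_mbuf_label_associate_linklayer` to `sebsd_mbuf_label_associate_ifnet`, so kernel-generated ARP and ND6 responses get the same label treatment as mbufs associated with an interface by the existing ifnet hook; if that is intended, a one-line comment at the entry such as `/* link-layer responses are labeled like interface traffic */` would stop a later reader from treating the reuse as a copy-paste slip. Because the framework side of this change may pass a NULL m_label for unlabeled mbufs, it is also worth confirming that sebsd_mbuf_label_associate_ifnet, which lives outside this hunk, tolerates NULL before it serves both entry points.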