Date: Mon, 22 Jan 2007 15:53:26 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113335 for review Message-ID: <200701221553.l0MFrQhg023759@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113335 Change 113335 by millert@millert_macbook on 2007/01/22 15:52:26 Implement mac_netinet_icmp_reply(), mac_netinet_fragment(), and mac_netinet_tcp_reply(). These entry point should be renamed to better match the current naming scheme. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 (text+ko) ====
@@ -730,11 +730,9 @@
 ifaref(&ia->ia_ifa);
 }
 lck_mtx_unlock(rt_mtx);
-#ifdef __darwin8_notyet
 #ifdef MAC
 mac_netinet_icmp_reply(m);
 #endif
-#endif
 t = IA_SIN(ia)->sin_addr;
 ip->ip_src = t;
 ip->ip_ttl = ip_defttl;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 (text+ko) ====
@@ -1293,11 +1293,9 @@
 m->m_pkthdr.rcvif = 0;
 m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
 m->m_pkthdr.socket_id = m0->m_pkthdr.socket_id;
-#ifdef __darwin8_notyet
 #ifdef MAC
 mac_netinet_fragment(m0, m);
 #endif
-#endif
 HTONS(mhip->ip_off);
 mhip->ip_sum = 0;
 if (sw_csum & CSUM_DELAY_IP) {
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 (text+ko) ====
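Review bot: With the `__darwin8_notyet` guard gone, `mac_netinet_fragment(m0, m)` in the ip_output.c hunk now runs for every fragment whenever MAC is defined, and the policy can only copy into the fragment's label if the new mbuf header already carries an initialized label; that initialization happens where `m` is allocated above this hunk, outside what the diff shows, so please confirm that path sets up the label under MAC rather than leaving it NULL. The same guard is dropped in the ip_icmp.c hunk on this line, where the mbuf being labeled is presumably the received packet being reflected and so already carries a label. A one-line comment at the ip_output.c call site would help the next reader: `/* Give the policy a chance to label the new fragment from its parent datagram m0. */`. Both enclosing functions start and end outside their hunks.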
@@ -583,13 +583,11 @@ */ mac_mbuf_label_associate_inpcb(tp->t_inpcb, m); } else { -#ifdef __darwin8_notyet /* * Packet is not associated with a socket, so possibly * update the label in place. */ mac_netinet_tcp_reply(m); -#endif } #endif nth->th_seq = htonl(seq); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 (text+ko) ==== @@ -205,6 +205,9 @@ int mac_mount_label_get(struct mount *mp, user_addr_t mac_p); void mac_mount_label_init(struct mount *); int mac_mount_label_internalize(struct label *, char *string); +void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment); +void mac_netinet_icmp_reply(struct mbuf *m); +void mac_netinet_tcp_reply(struct mbuf *m); int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe, unsigned int cmd); int mac_pipe_check_kqfilter(struct ucred *cred, struct knote *kn, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 (text+ko) ==== @@ -173,6 +173,7 @@ MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, datagram, label); } +#endif void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment) @@ -186,6 +187,7 @@ fragmentlabel); } +#ifdef notyet void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq) { @@ -222,6 +224,7 @@ return (result); } +#endif void mac_netinet_icmp_reply(struct mbuf *m) @@ -243,6 +246,7 @@ MAC_PERFORM(netinet_tcp_reply, m, label); } +#ifdef notyet void mac_ipq_update(struct mbuf *fragment, struct ipq *ipq) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 (text+ko) ==== 
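Review bot: The `+#endif` in the first mac_inet.c hunk closes a `#ifdef notyet` region that opens above the hunk, and the `+#ifdef notyet` in the last hunk is closed somewhere below it, so whether the four directive edits leave the file balanced cannot be checked from the diff; please confirm it builds with and without `notyet` defined and that the functions left inside the regions are only the ones intended (the visible ones are mac_ipq_label_associate and mac_ipq_update). Each reopened region would also read better with a reason on the directive, e.g. `#ifdef notyet	/* ipq labeling: IP reassembly entry points not enabled yet */`, since the bare token says nothing about what is deferred. The functions these hunks touch (mac_netinet_fragment, mac_netinet_icmp_reply, mac_netinet_tcp_reply and the mac_ipq_* ones) all start or end outside the hunks.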
@@ -1656,6 +1656,47 @@
 char *element_data
 );
 /**
+ @brief Set the label on an IPv4 datagram fragment
+ @param datagram Datagram being fragmented
+ @param datagramlabel Policy label for datagram
+ @param fragment New fragment
+ @param fragmentlabel Policy label for fragment
+
+ Called when an IPv4 datagram is fragmented into several smaller datagrams.
+ Policies implementing mbuf labels will typically copy the label from the
+ source datagram to the new fragment.
+*/
+typedef void mpo_netinet_fragment_t(
+ struct mbuf *datagram,
+ struct label *datagramlabel,
+ struct mbuf *fragment,
+ struct label *fragmentlabel
+);
+/**
+ @brief Set the label on an ICMP reply
+ @param m mbuf containing the ICMP reply
+ @param mlabel Policy label for m
+
+ A policy may wish to update the label of an mbuf that refers to
+ an ICMP packet being sent in response to an IP packet. This may
+ be called in response to a bad packet or an ICMP request.
+*/
+typedef void mpo_netinet_icmp_reply_t(
+ struct mbuf *m,
+ struct label *mlabel
+);
+/**
+ @brief Set the label on a TCP reply
+ @param m mbuf containing the TCP reply
+ @param mlabel Policy label for m
+
+ Called for outgoing TCP packets not associated with an actual socket.
+*/
+typedef void mpo_netinet_tcp_reply_t(
+ struct mbuf *m,
+ struct label *mlabel
+);
+/**
 @brief Access control check for pipe ioctl
 @param cred Subject credential
 @param cpipe Object to be accessed
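Review bot: The `@param fragmentlabel` line (and `@param mlabel` in the two reply hooks) does not say what the label holds on entry or whether the policy is expected to initialize it, which is the one thing a policy author needs from this doc; the sebsd handler added by the same change just calls sebsd_label_copy into it, so the contract is presumably "already initialized by the framework, policy fills it in" — please state that explicitly, e.g. `@param fragmentlabel Policy label for fragment (initialized by the framework; the policy fills it in)`. For the ICMP and TCP reply hooks the paragraph should likewise say that mlabel is the existing label of m and is updated in place, which is what the call-site comment in tcp_subr.c already says. The hunk ends inside the pipe-ioctl doc comment it was spliced into, which continues outside the diff.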
@@ -5421,6 +5462,9 @@
 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
 mpo_mount_label_init_t *mpo_mount_label_init;
 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
+ mpo_netinet_fragment_t *mpo_netinet_fragment;
+ mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
+ mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 (text+ko) ====
@@ -3137,6 +3137,14 @@
 return (error);
 }
 
+static void
+sebsd_netinet_fragment(struct mbuf *mbuf, struct label *mlabel,
+ struct mbuf *frag, struct label *flabel)
+{
+
+ sebsd_label_copy(mlabel, flabel);
+}
+
 static int
 ipc_has_perm(struct ucred *cred, struct label *label, u_int32_t perm)
 {
@@ -3552,6 +3560,7 @@
 .mpo_mount_label_externalize = sebsd_label_externalize,
 .mpo_mount_label_init = sebsd_label_init,
 .mpo_mount_label_internalize = sebsd_label_internalize,
+ .mpo_netinet_fragment = sebsd_netinet_fragment,
 .mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl,
 .mpo_pipe_check_label_update = sebsd_pipe_check_label_update,
 .mpo_pipe_check_read = sebsd_pipe_check_read,
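Review bot: sebsd_netinet_fragment in the first sebsd.c hunk names its parameters mbuf/mlabel/frag/flabel while the mpo_netinet_fragment_t typedef it implements uses datagram/datagramlabel/fragment/fragmentlabel; matching the typedef makes the pairing obvious and avoids a parameter named after the struct tag, i.e. `sebsd_netinet_fragment(struct mbuf *datagram, struct label *datagramlabel,` / `    struct mbuf *fragment, struct label *fragmentlabel)` with `sebsd_label_copy(datagramlabel, fragmentlabel);`. That reading assumes sebsd_label_copy takes (source, destination), which the hunk does not show — worth a glance, since a reversed copy would silently overwrite the datagram's label with whatever the fragment's label holds. A one-line comment above the function saying that fragments inherit the parent datagram's label would also help.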
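Review bot: Only `.mpo_netinet_fragment` is added to the sebsd ops table in the second sebsd.c hunk; the mpo_netinet_icmp_reply and mpo_netinet_tcp_reply entry points introduced by the same change get no sebsd handler, so ICMP replies and socket-less TCP replies keep whatever label the mbuf already carries (presumably the received packet's label when that mbuf is reused for the reply). If that is the intended behaviour for sebsd, a short comment at this point in the table would save the next reader from searching for a missing hook, e.g. `/* netinet_icmp_reply / netinet_tcp_reply: not hooked; reply mbufs keep their existing label. */`. The ops table begins and ends outside the hunk.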