From owner-p4-projects@FreeBSD.ORG Mon Jan 22 15:53:27 2007 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 36C7016A404; Mon, 22 Jan 2007 15:53:27 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EB81C16A402 for ; Mon, 22 Jan 2007 15:53:26 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id DA06513C44B for ; Mon, 22 Jan 2007 15:53:26 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l0MFrQ4Q023763 for ; Mon, 22 Jan 2007 15:53:26 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l0MFrQhg023759 for perforce@freebsd.org; Mon, 22 Jan 2007 15:53:26 GMT (envelope-from millert@freebsd.org) Date: Mon, 22 Jan 2007 15:53:26 GMT Message-Id: <200701221553.l0MFrQhg023759@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 113335 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jan 2007 15:53:27 -0000 http://perforce.freebsd.org/chv.cgi?CH=113335 Change 113335 by millert@millert_macbook on 2007/01/22 15:52:26 Implement mac_netinet_icmp_reply(), mac_netinet_fragment(), and mac_netinet_tcp_reply(). These entry point should be renamed to better match the current naming scheme. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#8 (text+ko) ==== @@ -730,11 +730,9 @@ ifaref(&ia->ia_ifa); } lck_mtx_unlock(rt_mtx); -#ifdef __darwin8_notyet #ifdef MAC mac_netinet_icmp_reply(m); #endif -#endif t = IA_SIN(ia)->sin_addr; ip->ip_src = t; ip->ip_ttl = ip_defttl; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#6 (text+ko) ==== 
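Review bot: The now-live `mac_netinet_icmp_reply(m);` call has no comment explaining why the reply mbuf is relabelled at this point, while the matching call in tcp_subr.c in this same change carries one; a short comment above the `#ifdef MAC` block, such as `/* Reply is not associated with a socket; let policies update its label in place. */`, would make the two call sites read alike. If icmp_reflect builds the reply by reusing the received mbuf, this hook is the only point at which a policy can replace the inbound packet's label before the reply is transmitted, so a policy that leaves mpo_netinet_icmp_reply unset keeps the remote label on the reply — worth stating in that comment once confirmed. The enclosing function starts and ends outside the hunk.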
@@ -1293,11 +1293,9 @@ m->m_pkthdr.rcvif = 0; m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags; m->m_pkthdr.socket_id = m0->m_pkthdr.socket_id; -#ifdef __darwin8_notyet #ifdef MAC mac_netinet_fragment(m0, m); #endif -#endif HTONS(mhip->ip_off); mhip->ip_sum = 0; if (sw_csum & CSUM_DELAY_IP) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#7 (text+ko) ==== @@ -583,13 +583,11 @@ */ mac_mbuf_label_associate_inpcb(tp->t_inpcb, m); } else { -#ifdef __darwin8_notyet /* * Packet is not associated with a socket, so possibly * update the label in place. */ mac_netinet_tcp_reply(m); -#endif } #endif nth->th_seq = htonl(seq); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#33 (text+ko) ==== @@ -205,6 +205,9 @@ int mac_mount_label_get(struct mount *mp, user_addr_t mac_p); void mac_mount_label_init(struct mount *); int mac_mount_label_internalize(struct label *, char *string); +void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment); +void mac_netinet_icmp_reply(struct mbuf *m); +void mac_netinet_tcp_reply(struct mbuf *m); int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe, unsigned int cmd); int mac_pipe_check_kqfilter(struct ucred *cred, struct knote *kn, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#2 (text+ko) ==== @@ -173,6 +173,7 @@ MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, datagram, label); } +#endif void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment) @@ -186,6 +187,7 @@ fragmentlabel); } +#ifdef notyet void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq) { @@ -222,6 +224,7 @@ return (result); } +#endif void mac_netinet_icmp_reply(struct mbuf *m) @@ -243,6 +246,7 @@ MAC_PERFORM(netinet_tcp_reply, m, label); } +#ifdef notyet void mac_ipq_update(struct mbuf *fragment, struct ipq *ipq) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#41 (text+ko) ==== 
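Review bot: `mac_netinet_fragment(m0, m);` copies a label into the new fragment `m`, but nothing in the hunk shows that `m` already has a MAC label to receive it; the fragment header is allocated before this hunk, so confirm that allocation initializes the mbuf label, because the SEBSD implementation added in this change (`sebsd_label_copy(mlabel, flabel);`) writes through `flabel` without a NULL check. A one-line comment above the `#ifdef MAC` block, `/* Fragment inherits the label of the datagram it was split from. */`, would also document the intent. The enclosing loop body starts and ends outside the hunk.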
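Review bot: The four mac_inet.c hunks close and reopen a pre-existing `#ifdef notyet` block so that mac_netinet_fragment, mac_netinet_icmp_reply and mac_netinet_tcp_reply compile while the ipq_* functions around them stay disabled; the `#ifdef notyet` that the first `+#endif` closes and the `#endif` that the last `+#ifdef notyet` relies on are both outside the hunks, so the balance holds only if the original block was a single pair — worth confirming by compiling the file. In the mac_netinet_tcp_reply context the label is passed straight to `MAC_PERFORM(netinet_tcp_reply, m, label);`; if the mbuf-to-label lookup at the top of that function (outside the hunk) can yield NULL for an untagged mbuf, an early `if (label == NULL) return;` in each of the three functions would keep policies from dereferencing it. A brief comment on each `#ifdef notyet` naming what is deferred, e.g. `#ifdef notyet /* IP reassembly (ipq) labelling not yet wired up */`, would help the next reader.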
@@ -1656,6 +1656,47 @@ char *element_data ); /** + @brief Set the label on an IPv4 datagram fragment + @param datagram Datagram being fragmented + @param datagramlabel Policy label for datagram + @param fragment New fragment + @param fragmentlabel Policy label for fragment + + Called when an IPv4 datagram is fragmented into several smaller datagrams. + Policies implementing mbuf labels will typically copy the label from the + source datagram to the new fragment. +*/ +typedef void mpo_netinet_fragment_t( + struct mbuf *datagram, + struct label *datagramlabel, + struct mbuf *fragment, + struct label *fragmentlabel +); +/** + @brief Set the label on an ICMP reply + @param m mbuf containing the ICMP reply + @param mlabel Policy label for m + + A policy may wish to update the label of an mbuf that refers to + an ICMP packet being sent in response to an IP packet. This may + be called in response to a bad packet or an ICMP request. +*/ +typedef void mpo_netinet_icmp_reply_t( + struct mbuf *m, + struct label *mlabel +); +/** + @brief Set the label on a TCP reply + @param m mbuf containing the TCP reply + @param mlabel Policy label for m + + Called for outgoing TCP packets not associated with an actual socket. +*/ +typedef void mpo_netinet_tcp_reply_t( + struct mbuf *m, + struct label *mlabel +); +/** @brief Access control check for pipe ioctl @param cred Subject credential @param cpipe Object to be accessed 
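Review bot: The three new entry-point comments do not say what the mbuf label holds on entry or whether `mlabel`/`fragmentlabel` may be NULL, which is what a policy author needs in order to choose between copying into an existing label and allocating one; the SEBSD implementation in this change simply copies `datagramlabel` into `fragmentlabel`, which suggests the fragment's label is already allocated when the hook runs. Consider extending the mpo_netinet_fragment_t text with `fragmentlabel is already initialized; implementations overwrite it rather than allocating a new label` once that is confirmed against mac_inet.c, and adding to the icmp/tcp reply comments that the mbuf may still carry the label of the packet being answered, if that is the case for reflected replies. The `@param` lists are otherwise complete and match the typedef signatures.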
@@ -5421,6 +5462,9 @@ mpo_mount_label_externalize_t *mpo_mount_label_externalize; mpo_mount_label_init_t *mpo_mount_label_init; mpo_mount_label_internalize_t *mpo_mount_label_internalize; + mpo_netinet_fragment_t *mpo_netinet_fragment; + mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; + mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#65 (text+ko) ==== @@ -3137,6 +3137,14 @@ return (error); } +static void +sebsd_netinet_fragment(struct mbuf *mbuf, struct label *mlabel, + struct mbuf *frag, struct label *flabel) +{ + + sebsd_label_copy(mlabel, flabel); +} + static int ipc_has_perm(struct ucred *cred, struct label *label, u_int32_t perm) { @@ -3552,6 +3560,7 @@ .mpo_mount_label_externalize = sebsd_label_externalize, .mpo_mount_label_init = sebsd_label_init, .mpo_mount_label_internalize = sebsd_label_internalize, + .mpo_netinet_fragment = sebsd_netinet_fragment, .mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl, .mpo_pipe_check_label_update = sebsd_pipe_check_label_update, .mpo_pipe_check_read = sebsd_pipe_check_read,
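Review bot: The three new function pointers are inserted in the middle of the ops structure rather than appended, which shifts the offset of every member after `mpo_netinet_tcp_reply`; if policy modules can be built against an older copy of this header and loaded into this kernel, confirm that the registration path version-checks the ops structure, since a stale module would otherwise have its later hooks invoked through the wrong slots. If the struct is meant to stay alphabetically ordered and every policy is rebuilt with the kernel, a comment at the top of the struct stating that assumption would make the insertion policy explicit.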
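Review bot: In `sebsd_netinet_fragment` the first parameter is named `mbuf`, which is also the struct tag of its own type; it is legal C but reads as `struct mbuf *mbuf` and differs from the `datagram`/`fragment` names used by the mpo_netinet_fragment_t typedef added in the same change. Renaming the signature to `static void sebsd_netinet_fragment(struct mbuf *datagram, struct label *mlabel, struct mbuf *fragment, struct label *flabel)` fixes both; `datagram` and `fragment` are unused in the body, so mark them with whatever unused-parameter convention the file already uses. A one-line comment such as `/* A fragment carries the label of the datagram it was split from. */` would document the body's single statement.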
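Review bot: Only `.mpo_netinet_fragment = sebsd_netinet_fragment,` is wired into the SEBSD ops table, although the commit also makes mac_netinet_icmp_reply and mac_netinet_tcp_reply live in ip_icmp.c and tcp_subr.c; with those two hooks unset, an ICMP or socket-less TCP reply is transmitted with whatever label its mbuf already carries, which — if the reply reuses the received mbuf, as the "update the label in place" comment in tcp_subr.c suggests — is the label assigned to the remote sender's packet. If that is acceptable for SEBSD, a comment next to `.mpo_netinet_fragment` noting that the two reply hooks are intentionally unimplemented would save the next reader the question; otherwise they need implementations that relabel the reply as locally originated.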