Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework: - Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point. - Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point. - Add explicit entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point. - Remove the previous generic link layer entry point, mac_mbuf_create_linklayer(), as it is no longer used. - Add implementations of the new entry points to various policies, largely by replicating the existing link layer entry point for them; remove the old link layer entry point implementation. - Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c, as they are now needed outside of mac_net.c. Obtained from: TrustedBSD Project
This commit is contained in:
parent
b0f4c777e4
commit
b9b0dac33b
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=173095
|
@ -2031,9 +2031,11 @@ security/audit/audit_pipe.c optional audit
|
|||
security/audit/audit_syscalls.c standard
|
||||
security/audit/audit_trigger.c optional audit
|
||||
security/audit/audit_worker.c optional audit
|
||||
security/mac/mac_atalk.c optional mac netatalk
|
||||
security/mac/mac_audit.c optional mac audit
|
||||
security/mac/mac_framework.c optional mac
|
||||
security/mac/mac_inet.c optional mac inet
|
||||
security/mac/mac_inet6.c optional mac inet6
|
||||
security/mac/mac_label.c optional mac
|
||||
security/mac/mac_net.c optional mac
|
||||
security/mac/mac_pipe.c optional mac
|
||||
|
|
|
@ -177,7 +177,7 @@ aarpwhohas(struct ifnet *ifp, struct sockaddr_at *sat)
|
|||
if (m == NULL)
|
||||
return;
|
||||
#ifdef MAC
|
||||
mac_mbuf_create_linklayer(ifp, m);
|
||||
mac_netatalk_aarp_send(ifp, m);
|
||||
#endif
|
||||
m->m_len = sizeof(*ea);
|
||||
m->m_pkthdr.len = sizeof(*ea);
|
||||
|
@ -602,7 +602,7 @@ aarpprobe(void *arg)
|
|||
if (m == NULL)
|
||||
return;
|
||||
#ifdef MAC
|
||||
mac_mbuf_create_linklayer(ifp, m);
|
||||
mac_netatalk_aarp_send(ifp, m);
|
||||
#endif
|
||||
m->m_len = sizeof(*ea);
|
||||
m->m_pkthdr.len = sizeof(*ea);
|
||||
|
|
|
@ -323,7 +323,7 @@ arprequest(struct ifnet *ifp, struct in_addr *sip, struct in_addr *tip,
|
|||
ah = mtod(m, struct arphdr *);
|
||||
bzero((caddr_t)ah, m->m_len);
|
||||
#ifdef MAC
|
||||
mac_mbuf_create_linklayer(ifp, m);
|
||||
mac_netinet_arp_send(ifp, m);
|
||||
#endif
|
||||
ah->ar_pro = htons(ETHERTYPE_IP);
|
||||
ah->ar_hln = ifp->if_addrlen; /* hardware address length */
|
||||
|
|
|
@ -471,7 +471,7 @@ igmp_sendpkt(struct in_multi *inm, int type, unsigned long addr)
|
|||
|
||||
m->m_pkthdr.rcvif = loif;
|
||||
#ifdef MAC
|
||||
mac_mbuf_create_linklayer(inm->inm_ifp, m);
|
||||
mac_netinet_igmp_send(inm->inm_ifp, m);
|
||||
#endif
|
||||
m->m_pkthdr.len = sizeof(struct ip) + IGMP_MINLEN;
|
||||
MH_ALIGN(m, IGMP_MINLEN + sizeof(struct ip));
|
||||
|
|
|
@ -2114,7 +2114,7 @@ nd6_output(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m0,
|
|||
}
|
||||
|
||||
#ifdef MAC
|
||||
mac_mbuf_create_linklayer(ifp, m);
|
||||
mac_netinet6_nd6_send(ifp, m);
|
||||
#endif
|
||||
if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
|
||||
return ((*ifp->if_output)(origifp, m, (struct sockaddr *)dst,
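Review bot: The new call `mac_netinet6_nd6_send(ifp, m);` sits in nd6_output immediately before the dispatch to `ifp->if_output`, which looks like the generic IPv6 link-layer output path rather than a neighbor-discovery-specific one, so every IPv6 packet leaving through this path, not only ND messages, will be handed to policies under the "nd6_send" entry point. If that is intended, the entry point name and the policy implementations added in this commit (which reset the mbuf label to the EQUAL type) understate its reach and deserve a comment at the call site such as `/* Labels all IPv6 output reaching the link layer, not only ND packets. */`; if not, the call belongs in the ND packet constructors. nd6_output starts and ends outside this hunk, so the surrounding control flow is inferred.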
|
||||
|
|
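--- a/sys/security/mac/mac_atalk.c
+++ b/sys/security/mac/mac_atalk.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
+{
+	struct label *mlabel;
+
+	mlabel = mac_mbuf_to_label(m);
+
+	MAC_IFNET_LOCK(ifp);
+	MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
+	MAC_IFNET_UNLOCK(ifp);
+}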
|
|
@ -1,5 +1,5 @@
|
|||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2005-2006 SPARTA, Inc.
|
||||
* All rights reserved.
|
||||
|
@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
|
|||
int mac_kld_check_stat(struct ucred *cred);
|
||||
|
||||
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
|
||||
void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
|
||||
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
|
||||
struct mbuf *mnew);
|
||||
void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
|
||||
|
@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
|
|||
void mac_mount_destroy(struct mount *);
|
||||
void mac_mount_init(struct mount *);
|
||||
|
||||
void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
|
||||
|
||||
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
|
||||
void mac_netinet_firewall_send(struct mbuf *m);
|
||||
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
|
||||
void mac_netinet_icmp_reply(struct mbuf *m);
|
||||
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
|
||||
void mac_netinet_tcp_reply(struct mbuf *m);
|
||||
|
||||
void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
|
||||
|
||||
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
|
||||
unsigned long cmd, void *data);
|
||||
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
|
||||
* Copyright (c) 2001 Ilmar S. Habibulin
|
||||
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2006 SPARTA, Inc.
|
||||
|
@ -221,6 +221,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
|
|||
return (result);
|
||||
}
|
||||
|
||||
void
|
||||
mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *mlabel;
|
||||
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_netinet_icmp_reply(struct mbuf *m)
|
||||
{
|
||||
|
@ -231,6 +243,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
|
|||
MAC_PERFORM(netinet_icmp_reply, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *mlabel;
|
||||
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_netinet_tcp_reply(struct mbuf *m)
|
||||
{
|
||||
|
|
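--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
+{
+	struct label *mlabel;
+
+	mlabel = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
+}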
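Review bot: mac_netinet6_nd6_send passes `ifp->if_label` to MAC_PERFORM without taking MAC_IFNET_LOCK(ifp), while the sibling entry points added in this commit (mac_netatalk_aarp_send, mac_netinet_arp_send, mac_netinet_igmp_send) and the mac_mbuf_create_linklayer it replaces all bracket the identical MAC_PERFORM with MAC_IFNET_LOCK/MAC_IFNET_UNLOCK. An interface relabel racing this call can expose policies to an if_label in the middle of an update, which is exactly what mac_ifnet_mtx exists to prevent. The fix is to add `MAC_IFNET_LOCK(ifp);` before and `MAC_IFNET_UNLOCK(ifp);` after the `MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);` line, matching the other three.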
|
|
@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
|
|||
#ifndef MAC_ALWAYS_LABEL_MBUF
|
||||
extern int mac_labelmbufs;
|
||||
#endif
|
||||
extern struct mtx mac_ifnet_mtx;
|
||||
|
||||
/*
|
||||
* MAC Framework infrastructure functions.
|
||||
|
@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
|
|||
int mac_check_structmac_consistent(struct mac *mac);
|
||||
int mac_allocate_slot(void);
|
||||
|
||||
#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
|
||||
#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
|
||||
|
||||
/*
|
||||
* MAC Framework per-object type functions. It's not yet clear how the
|
||||
* namespaces, etc, should work for these, so for now, sort by object type.
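Review bot: The MAC_IFNET_LOCK(ifp)/MAC_IFNET_UNLOCK(ifp) macros are now exported to every framework file without any statement of what they protect, and their `ifp` argument is ignored — both expand to operations on the single global `mac_ifnet_mtx`. A one-line comment above the `#define` lines would keep new callers from assuming per-interface locking, e.g. `/* Serializes access to ifp->if_label; a single global mutex, the ifp argument is currently unused. */`. The explanatory comment for the mutex stays behind in mac_net.c, where the macros no longer live.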
|
||||
|
|
|
@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$");
|
|||
* our own global mutex for struct ifnet. Non-ideal, but should help in the
|
||||
* SMP environment.
|
||||
*/
|
||||
static struct mtx mac_ifnet_mtx;
|
||||
struct mtx mac_ifnet_mtx;
|
||||
MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
|
||||
#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
|
||||
#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
|
||||
|
||||
/*
|
||||
* Retrieve the label associated with an mbuf by searching for the tag.
|
||||
|
@ -309,18 +307,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
|
|||
MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2005-2006 SPARTA, Inc.
|
||||
* All rights reserved.
|
||||
|
@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
|
|||
|
||||
typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
|
||||
struct label *dest);
|
||||
typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
|
||||
struct label *mlabel, struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *mnew,
|
||||
|
@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
|
|||
typedef void (*mpo_mount_destroy_label_t)(struct label *label);
|
||||
typedef void (*mpo_mount_init_label_t)(struct label *label);
|
||||
|
||||
typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
|
||||
typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
|
||||
|
@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
|
|||
struct label *fraglabel);
|
||||
typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
|
||||
typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
|
||||
typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pplabel,
|
||||
unsigned long cmd, void *data);
|
||||
|
@ -678,7 +689,6 @@ struct mac_policy_ops {
|
|||
mpo_kld_check_stat_t mpo_kld_check_stat;
|
||||
|
||||
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
|
||||
mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;
|
||||
mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
|
||||
mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
|
||||
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
|
||||
|
@ -689,11 +699,17 @@ struct mac_policy_ops {
|
|||
mpo_mount_destroy_label_t mpo_mount_destroy_label;
|
||||
mpo_mount_init_label_t mpo_mount_init_label;
|
||||
|
||||
mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
|
||||
|
||||
mpo_netinet_arp_send_t mpo_netinet_arp_send;
|
||||
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
|
||||
mpo_netinet_fragment_t mpo_netinet_fragment;
|
||||
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
|
||||
mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
|
||||
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
|
||||
|
||||
mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
|
||||
|
||||
mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
|
||||
mpo_pipe_check_poll_t mpo_pipe_check_poll;
|
||||
mpo_pipe_check_read_t mpo_pipe_check_read;
|
||||
|
|
|
@ -1267,17 +1267,6 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
|
|||
biba_copy_effective(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_biba *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
|
@ -1371,6 +1360,28 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
|
|||
biba_copy(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_biba *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_biba *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
@ -1382,6 +1393,28 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
|||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_biba *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_biba *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Labeling event operations: processes.
|
||||
*/
|
||||
|
@ -3320,7 +3353,6 @@ static struct mac_policy_ops mac_biba_ops =
|
|||
.mpo_sysvshm_create = biba_sysvshm_create,
|
||||
.mpo_ipq_create = biba_ipq_create,
|
||||
.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
|
||||
.mpo_mbuf_create_linklayer = biba_mbuf_create_linklayer,
|
||||
.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
|
||||
.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
|
||||
.mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap,
|
||||
|
@ -3412,7 +3444,11 @@ static struct mac_policy_ops mac_biba_ops =
|
|||
.mpo_vnode_check_stat = biba_vnode_check_stat,
|
||||
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
|
||||
.mpo_vnode_check_write = biba_vnode_check_write,
|
||||
.mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
|
||||
.mpo_netinet_arp_send = biba_netinet_arp_send,
|
||||
.mpo_netinet_firewall_send = biba_netinet_firewall_send,
|
||||
.mpo_netinet_igmp_send = biba_netinet_igmp_send,
|
||||
.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
|
||||
.mpo_priv_check = biba_priv_check,
|
||||
};
|
||||
|
||||
|
|
|
@ -1331,17 +1331,6 @@ lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
|
|||
lomac_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_lomac *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
|
@ -1456,6 +1445,28 @@ lomac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
|
|||
lomac_copy(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_lomac *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_lomac *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
@ -1467,6 +1478,28 @@ lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
|||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_lomac *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_lomac *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Labeling event operations: processes.
|
||||
*/
|
||||
|
@ -2878,7 +2911,6 @@ static struct mac_policy_ops lomac_ops =
|
|||
.mpo_inpcb_create = lomac_inpcb_create,
|
||||
.mpo_ipq_create = lomac_ipq_create,
|
||||
.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
|
||||
.mpo_mbuf_create_linklayer = lomac_mbuf_create_linklayer,
|
||||
.mpo_bpfdesc_create_mbuf = lomac_bpfdesc_create_mbuf,
|
||||
.mpo_ifnet_create_mbuf = lomac_ifnet_create_mbuf,
|
||||
.mpo_mbuf_create_multicast_encap = lomac_mbuf_create_multicast_encap,
|
||||
|
@ -2936,10 +2968,13 @@ static struct mac_policy_ops lomac_ops =
|
|||
.mpo_vnode_check_unlink = lomac_vnode_check_unlink,
|
||||
.mpo_vnode_check_write = lomac_vnode_check_write,
|
||||
.mpo_thread_userret = lomac_thread_userret,
|
||||
.mpo_netatalk_aarp_send = lomac_netatalk_aarp_send,
|
||||
.mpo_netinet_arp_send = lomac_netinet_arp_send,
|
||||
.mpo_netinet_firewall_send = lomac_netinet_firewall_send,
|
||||
.mpo_netinet_igmp_send = lomac_netinet_igmp_send,
|
||||
.mpo_netinet6_nd6_send = lomac_netinet6_nd6_send,
|
||||
.mpo_priv_check = lomac_priv_check,
|
||||
};
|
||||
|
||||
MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
|
||||
MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS,
|
||||
&lomac_slot);
|
||||
MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &lomac_slot);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2005 McAfee, Inc.
|
||||
* Copyright (c) 2006 SPARTA, Inc.
|
||||
* All rights reserved.
|
||||
|
@ -1189,17 +1189,6 @@ mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
|
|||
mls_copy_effective(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_mls *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
|
@ -1293,6 +1282,28 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
|
|||
mls_copy(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_mls *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_mls *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
@ -1304,6 +1315,28 @@ mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
|||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_mls *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
struct mac_mls *dest;
|
||||
|
||||
dest = SLOT(mlabel);
|
||||
|
||||
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_syncache_create(struct label *label, struct inpcb *inp)
|
||||
{
|
||||
|
@ -2947,7 +2980,6 @@ static struct mac_policy_ops mls_ops =
|
|||
.mpo_sysvsem_create = mls_sysvsem_create,
|
||||
.mpo_sysvshm_create = mls_sysvshm_create,
|
||||
.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
|
||||
.mpo_mbuf_create_linklayer = mls_mbuf_create_linklayer,
|
||||
.mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
|
||||
.mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
|
||||
.mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
|
||||
|
@ -3035,7 +3067,11 @@ static struct mac_policy_ops mls_ops =
|
|||
.mpo_vnode_check_stat = mls_vnode_check_stat,
|
||||
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
|
||||
.mpo_vnode_check_write = mls_vnode_check_write,
|
||||
.mpo_netatalk_aarp_send = mls_netatalk_aarp_send,
|
||||
.mpo_netinet_arp_send = mls_netinet_arp_send,
|
||||
.mpo_netinet_firewall_send = mls_netinet_firewall_send,
|
||||
.mpo_netinet_igmp_send = mls_netinet_igmp_send,
|
||||
.mpo_netinet6_nd6_send = mls_netinet6_nd6_send,
|
||||
};
|
||||
|
||||
MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
|
||||
|
|
|
@ -404,13 +404,6 @@ stub_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
|
|||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_mbuf_create_linklayer(struct ifnet *ifp, struct label *iflpabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
|
@ -440,12 +433,40 @@ stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
|
|||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_netatalk_aarp_send(struct ifnet *ifp, struct label *iflpabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_netinet_arp_send(struct ifnet *ifp, struct label *iflpabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_netinet_igmp_send(struct ifnet *ifp, struct label *iflpabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_netinet6_nd6_send(struct ifnet *ifp, struct label *iflpabel,
|
||||
struct mbuf *m, struct label *mlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
|
||||
struct label *ipqlabel)
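Review bot: The four new stub entry points (stub_netatalk_aarp_send, stub_netinet_arp_send, stub_netinet_igmp_send, stub_netinet6_nd6_send) carry over the misspelled parameter name `iflpabel` from the removed stub_mbuf_create_linklayer, while the corresponding mpo_*_t typedefs in mac_policy.h and the biba, lomac, mls and test policies all spell it `ifplabel`. Since mac_stub.c is the template policy that new modules are copied from, renaming to `struct label *ifplabel` in each of the four signatures keeps future copies consistent with the framework. The enclosing stub_ipq_match at the end of this hunk continues outside it.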
|
||||
|
@ -1521,12 +1542,15 @@ static struct mac_policy_ops stub_ops =
|
|||
.mpo_ipq_reassemble = stub_ipq_reassemble,
|
||||
.mpo_netinet_fragment = stub_netinet_fragment,
|
||||
.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
|
||||
.mpo_mbuf_create_linklayer = stub_mbuf_create_linklayer,
|
||||
.mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
|
||||
.mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
|
||||
.mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
|
||||
.mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
|
||||
.mpo_netatalk_aarp_send = stub_netatalk_aarp_send,
|
||||
.mpo_netinet_arp_send = stub_netinet_arp_send,
|
||||
.mpo_netinet_firewall_send = stub_netinet_firewall_send,
|
||||
.mpo_netinet_igmp_send = stub_netinet_igmp_send,
|
||||
.mpo_netinet6_nd6_send = stub_netinet6_nd6_send,
|
||||
.mpo_ipq_match = stub_ipq_match,
|
||||
.mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
|
||||
.mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
|
||||
|
|
|
@ -1015,17 +1015,6 @@ test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
|
|||
COUNTER_INC(inpcb_create_mbuf);
|
||||
}
|
||||
|
||||
COUNTER_DECL(mbuf_create_linklayer);
|
||||
static void
|
||||
test_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *mbuf, struct label *mbuflabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(ifplabel, MAGIC_IFNET);
|
||||
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
|
||||
COUNTER_INC(mbuf_create_linklayer);
|
||||
}
|
||||
|
||||
COUNTER_DECL(bpfdesc_create_mbuf);
|
||||
static void
|
||||
test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel,
|
||||
|
@ -1086,6 +1075,28 @@ test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
|
|||
return (1);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netatalk_aarp_send);
|
||||
static void
|
||||
test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *mbuf, struct label *mbuflabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(ifplabel, MAGIC_IFNET);
|
||||
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
|
||||
COUNTER_INC(netatalk_aarp_send);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netinet_arp_send);
|
||||
static void
|
||||
test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *mbuf, struct label *mbuflabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(ifplabel, MAGIC_IFNET);
|
||||
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
|
||||
COUNTER_INC(netinet_arp_send);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netinet_icmp_reply);
|
||||
static void
|
||||
test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
|
||||
|
@ -1095,6 +1106,17 @@ test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
|
|||
COUNTER_INC(netinet_icmp_reply);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netinet_igmp_send);
|
||||
static void
|
||||
test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *mbuf, struct label *mbuflabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(ifplabel, MAGIC_IFNET);
|
||||
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
|
||||
COUNTER_INC(netinet_igmp_send);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netinet_tcp_reply);
|
||||
static void
|
||||
test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
|
||||
|
@ -1104,6 +1126,17 @@ test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
|
|||
COUNTER_INC(netinet_tcp_reply);
|
||||
}
|
||||
|
||||
COUNTER_DECL(netinet6_nd6_send);
|
||||
static void
|
||||
test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
|
||||
struct mbuf *mbuf, struct label *mbuflabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(ifplabel, MAGIC_IFNET);
|
||||
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
|
||||
COUNTER_INC(netinet6_nd6_send);
|
||||
}
|
||||
|
||||
COUNTER_DECL(ifnet_relabel);
|
||||
static void
|
||||
test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
|
||||
|
@ -2686,14 +2719,17 @@ static struct mac_policy_ops test_ops =
|
|||
.mpo_netinet_fragment = test_netinet_fragment,
|
||||
.mpo_ipq_create = test_ipq_create,
|
||||
.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
|
||||
.mpo_mbuf_create_linklayer = test_mbuf_create_linklayer,
|
||||
.mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
|
||||
.mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
|
||||
.mpo_mbuf_create_multicast_encap = test_mbuf_create_multicast_encap,
|
||||
.mpo_mbuf_create_netlayer = test_mbuf_create_netlayer,
|
||||
.mpo_ipq_match = test_ipq_match,
|
||||
.mpo_netatalk_aarp_send = test_netatalk_aarp_send,
|
||||
.mpo_netinet_arp_send = test_netinet_arp_send,
|
||||
.mpo_netinet_icmp_reply = test_netinet_icmp_reply,
|
||||
.mpo_netinet_igmp_send = test_netinet_igmp_send,
|
||||
.mpo_netinet_tcp_reply = test_netinet_tcp_reply,
|
||||
.mpo_netinet6_nd6_send = test_netinet6_nd6_send,
|
||||
.mpo_ifnet_relabel = test_ifnet_relabel,
|
||||
.mpo_ipq_update = test_ipq_update,
|
||||
.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
|
||||
|
|