Implement MAC policy support for IPv6 fragment reassembly queues,

modeled on IPv4 fragment reassembly queue support.

Obtained from:	TrustedBSD Project

sys/security/mac_biba/mac_biba.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1169,6 +1169,51 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	biba_copy(source, dest);
 }
 
+static void
+biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(mlabel);
+	dest = SLOT(q6label);
+
+	biba_copy_effective(source, dest);
+}
+
+static int
+biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_biba *a, *b;
+
+	a = SLOT(q6label);
+	b = SLOT(mlabel);
+
+	return (biba_equal_effective(a, b));
+}
+
+static void
+biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+    struct label *mlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(q6label);
+	dest = SLOT(mlabel);
+
+	/* Just use the head, since we require them all to match. */
+	biba_copy_effective(source, dest);
+}
+
+static void
+biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+	/* NOOP: we only accept matching labels, so no need to update */
+}
+
 static void
 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
@@ -3325,6 +3370,13 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_inpcb_init_label = biba_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
 
+	.mpo_ip6q_create = biba_ip6q_create,
+	.mpo_ip6q_destroy_label = biba_destroy_label,
+	.mpo_ip6q_init_label = biba_init_label_waitcheck,
+	.mpo_ip6q_match = biba_ip6q_match,
+	.mpo_ip6q_reassemble = biba_ip6q_reassemble,
+	.mpo_ip6q_update = biba_ip6q_update,
+
 	.mpo_ipq_create = biba_ipq_create,
 	.mpo_ipq_destroy_label = biba_destroy_label,
 	.mpo_ipq_init_label = biba_init_label_waitcheck,

sys/security/mac_lomac/mac_lomac.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1298,6 +1298,51 @@ lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	lomac_copy_single(source, dest);
 }
 
+static void
+lomac_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(mlabel);
+	dest = SLOT(q6label);
+
+	lomac_copy_single(source, dest);
+}
+
+static int
+lomac_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_lomac *a, *b;
+
+	a = SLOT(q6label);
+	b = SLOT(mlabel);
+
+	return (lomac_equal_single(a, b));
+}
+
+static void
+lomac_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+    struct label *mlabel)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(q6label);
+	dest = SLOT(mlabel);
+
+	/* Just use the head, since we require them all to match. */
+	lomac_copy_single(source, dest);
+}
+
+static void
+lomac_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+	/* NOOP: we only accept matching labels, so no need to update */
+}
+
 static void
 lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
@@ -2886,6 +2931,13 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_inpcb_init_label = lomac_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = lomac_inpcb_sosetlabel,
 
+	.mpo_ip6q_create = lomac_ip6q_create,
+	.mpo_ip6q_destroy_label = lomac_destroy_label,
+	.mpo_ip6q_init_label = lomac_init_label_waitcheck,
+	.mpo_ip6q_match = lomac_ip6q_match,
+	.mpo_ip6q_reassemble = lomac_ip6q_reassemble,
+	.mpo_ip6q_update = lomac_ip6q_update,
+
 	.mpo_ipq_create = lomac_ipq_create,
 	.mpo_ipq_destroy_label = lomac_destroy_label,
 	.mpo_ipq_init_label = lomac_init_label_waitcheck,

sys/security/mac_mls/mac_mls.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1087,6 +1087,51 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	mls_copy(source, dest);
 }
 
+static void
+mls_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(mlabel);
+	dest = SLOT(q6label);
+
+	mls_copy_effective(source, dest);
+}
+
+static int
+mls_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+	struct mac_mls *a, *b;
+
+	a = SLOT(q6label);
+	b = SLOT(mlabel);
+
+	return (mls_equal_effective(a, b));
+}
+
+static void
+mls_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+    struct label *mlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(q6label);
+	dest = SLOT(mlabel);
+
+	/* Just use the head, since we require them all to match. */
+	mls_copy_effective(source, dest);
+}
+
+static void
+mls_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+	/* NOOP: we only accept matching labels, so no need to update */
+}
+
 static void
 mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
@@ -2948,6 +2993,13 @@ static struct mac_policy_ops mls_ops =
 	.mpo_inpcb_init_label = mls_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
 
+	.mpo_ip6q_create = mls_ip6q_create,
+	.mpo_ip6q_destroy_label = mls_destroy_label,
+	.mpo_ip6q_init_label = mls_init_label_waitcheck,
+	.mpo_ip6q_match = mls_ip6q_match,
+	.mpo_ip6q_reassemble = mls_ip6q_reassemble,
+	.mpo_ip6q_update = mls_ip6q_update,
+
 	.mpo_ipq_create = mls_ipq_create,
 	.mpo_ipq_destroy_label = mls_destroy_label,
 	.mpo_ipq_init_label = mls_init_label_waitcheck,

sys/security/mac_stub/mac_stub.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -307,6 +307,35 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 
 }
 
+static void
+stub_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+}
+
+static int
+stub_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+	return (1);
+}
+
+static void
+stub_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+    struct label *mlabel)
+{
+
+}
+
+static void
+stub_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+}
+
 static void
 stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
@@ -1546,6 +1575,13 @@ static struct mac_policy_ops stub_ops =
 	.mpo_inpcb_init_label = stub_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
 
+	.mpo_ip6q_create = stub_ip6q_create,
+	.mpo_ip6q_destroy_label = stub_destroy_label,
+	.mpo_ip6q_init_label = stub_init_label_waitcheck,
+	.mpo_ip6q_match = stub_ip6q_match,
+	.mpo_ip6q_update = stub_ip6q_update,
+	.mpo_ip6q_reassemble = stub_ip6q_reassemble,
+
 	.mpo_ipq_create = stub_ipq_create,
 	.mpo_ipq_destroy_label = stub_destroy_label,
 	.mpo_ipq_init_label = stub_init_label_waitcheck,

sys/security/mac_test/mac_test.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -84,6 +84,7 @@ SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
 #define	MAGIC_DEVFS	0x9ee79c32
 #define	MAGIC_IFNET	0xc218b120
 #define	MAGIC_INPCB	0x4440f7bb
+#define	MAGIC_IP6Q	0x0870e1b7
 #define	MAGIC_IPQ	0x206188ef
 #define	MAGIC_MBUF	0xbbefa5bb
 #define	MAGIC_MOUNT	0xc7c46e47
@@ -564,6 +565,76 @@ test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	COUNTER_INC(inpcb_sosetlabel);
 }
 
+COUNTER_DECL(ip6q_create);
+static void
+test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel,
+    struct ip6q *q6, struct label *q6label)
+{
+
+	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+	LABEL_CHECK(q6label, MAGIC_IP6Q);
+	COUNTER_INC(ip6q_create);
+}
+
+COUNTER_DECL(ip6q_destroy_label);
+static void
+test_ip6q_destroy_label(struct label *label)
+{
+
+	LABEL_DESTROY(label, MAGIC_IP6Q);
+	COUNTER_INC(ip6q_destroy_label);
+}
+
+COUNTER_DECL(ip6q_init_label);
+static int
+test_ip6q_init_label(struct label *label, int flag)
+{
+
+	if (flag & M_WAITOK)
+		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
+		    "test_ip6q_init_label() at %s:%d", __FILE__,
+		    __LINE__);
+
+	LABEL_INIT(label, MAGIC_IP6Q);
+	COUNTER_INC(ip6q_init_label);
+	return (0);
+}
+
+COUNTER_DECL(ip6q_match);
+static int
+test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel,
+    struct ip6q *q6, struct label *q6label)
+{
+
+	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+	LABEL_CHECK(q6label, MAGIC_IP6Q);
+	COUNTER_INC(ip6q_match);
+
+	return (1);
+}
+
+COUNTER_DECL(ip6q_reassemble);
+static void
+test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
+   struct label *mlabel)
+{
+
+	LABEL_CHECK(q6label, MAGIC_IP6Q);
+	LABEL_CHECK(mlabel, MAGIC_MBUF);
+	COUNTER_INC(ip6q_reassemble);
+}
+
+COUNTER_DECL(ip6q_update);
+static void
+test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
+    struct label *q6label)
+{
+
+	LABEL_CHECK(mlabel, MAGIC_MBUF);
+	LABEL_CHECK(q6label, MAGIC_IP6Q);
+	COUNTER_INC(ip6q_update);
+}
+
 COUNTER_DECL(ipq_create);
 static void
 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
@@ -2860,6 +2931,13 @@ static struct mac_policy_ops test_ops =
 	.mpo_inpcb_init_label = test_inpcb_init_label,
 	.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
 
+	.mpo_ip6q_create = test_ip6q_create,
+	.mpo_ip6q_destroy_label = test_ip6q_destroy_label,
+	.mpo_ip6q_init_label = test_ip6q_init_label,
+	.mpo_ip6q_match = test_ip6q_match,
+	.mpo_ip6q_reassemble = test_ip6q_reassemble,
+	.mpo_ip6q_update = test_ip6q_update,
+
 	.mpo_ipq_create = test_ipq_create,
 	.mpo_ipq_destroy_label = test_ipq_destroy_label,
 	.mpo_ipq_init_label = test_ipq_init_label,