IfAPI: Add if_get/setmaclabel() and use it.

Summary: Port the MAC modules to use the IfAPI APIs as part of this. Sponsored by: Juniper Networks, Inc. Reviewed by: glebius Differential Revision: https://reviews.freebsd.org/D38197
2023-01-23 09:34:43 -05:00 · 2023-01-23 09:34:43 -05:00 · 30af2c131b
commit 30af2c131b
parent 113af4fd2b
9 changed files with 41 additions and 27 deletions
--- a/sys/net/if.c
+++ b/sys/net/if.c
@ -4809,6 +4809,18 @@ if_setdebugnet_methods(if_t ifp, struct debugnet_methods *m)
 	ifp->if_debugnet_methods = m;
 }

+struct label *
+if_getmaclabel(if_t ifp)
+{
+	return (ifp->if_label);
+}
+
+void
+if_setmaclabel(if_t ifp, struct label *label)
+{
+	ifp->if_label = label;
+}
+
 int
 if_gettype(if_t ifp)
 {
--- a/sys/net/if_var.h
+++ b/sys/net/if_var.h
@ -627,6 +627,8 @@ void if_etherbpfmtap(if_t ifp, struct mbuf *m);
 void if_vlancap(if_t ifp);
 int if_transmit(if_t ifp, struct mbuf *m);
 int if_init(if_t ifp, void *ctx);
+struct label *if_getmaclabel(if_t ifp);
+void if_setmaclabel(if_t ifp, struct label *label);

 /*
 * Traversing through interface address lists.
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@ -274,8 +274,8 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
 	mlabel = mac_mbuf_to_label(m);

 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m,
-	    mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, if_getmaclabel(ifp),
+	    m, mlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }

@ -319,8 +319,8 @@ mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
 	mlabel = mac_mbuf_to_label(m);

 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
-	    mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, if_getmaclabel(ifp),
+	    m, mlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }

--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@ -183,6 +183,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)

 	mlabel = mac_mbuf_to_label(m);

-	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, if_getmaclabel(ifp), m,
 	    mlabel);
 }
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@ -143,9 +143,9 @@ mac_ifnet_init(struct ifnet *ifp)
 {

 	if (mac_labeled & MPC_OBJECT_IFNET)
-		ifp->if_label = mac_ifnet_label_alloc();
+		if_setmaclabel(ifp, mac_ifnet_label_alloc());
 	else
-		ifp->if_label = NULL;
+		if_setmaclabel(ifp, NULL);
 }

 int
@ -220,10 +220,10 @@ mac_ifnet_label_free(struct label *label)
 void
 mac_ifnet_destroy(struct ifnet *ifp)
 {
-
-	if (ifp->if_label != NULL) {
-		mac_ifnet_label_free(ifp->if_label);
-		ifp->if_label = NULL;
+	struct label *label = if_getmaclabel(ifp);
+	if (label != NULL) {
+		mac_ifnet_label_free(label);
+		if_setmaclabel(ifp, NULL);
 	}
 }

@ -308,7 +308,7 @@ mac_ifnet_create(struct ifnet *ifp)
 		return;

 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, if_getmaclabel(ifp));
 	MAC_IFNET_UNLOCK(ifp, locked);
 }

@ -345,7 +345,7 @@ mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m)
 	label = mac_mbuf_to_label(m);

 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, if_getmaclabel(ifp), m,
 	    label);
 	MAC_IFNET_UNLOCK(ifp, locked);
 }
@ -366,7 +366,7 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)

 	MAC_IFNET_LOCK(ifp, locked);
 	MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
-	    ifp->if_label);
+	    if_getmaclabel(ifp));
 	MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
 	MAC_IFNET_UNLOCK(ifp, locked);

@ -387,7 +387,7 @@ mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m)
 	label = mac_mbuf_to_label(m);

 	MAC_IFNET_LOCK(ifp, locked);
-	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
+	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, if_getmaclabel(ifp), m,
 	    label);
 	MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
 	MAC_IFNET_UNLOCK(ifp, locked);
@ -425,7 +425,7 @@ mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	intlabel = mac_ifnet_label_alloc();
 	MAC_IFNET_LOCK(ifp, locked);
-	mac_ifnet_copy_label(ifp->if_label, intlabel);
+	mac_ifnet_copy_label(if_getmaclabel(ifp), intlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);
 	error = mac_ifnet_externalize_label(intlabel, elements, buffer,
 	    mac.m_buflen);
@ -486,14 +486,14 @@ mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)

 	MAC_IFNET_LOCK(ifp, locked);
 	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp,
-	    ifp->if_label, intlabel);
+	    if_getmaclabel(ifp), intlabel);
 	if (error) {
 		MAC_IFNET_UNLOCK(ifp, locked);
 		mac_ifnet_label_free(intlabel);
 		return (error);
 	}

-	MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, if_getmaclabel(ifp),
 	    intlabel);
 	MAC_IFNET_UNLOCK(ifp, locked);

--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -1064,7 +1064,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)

 	dest = SLOT(ifplabel);

-	if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
+	if (if_gettype(ifp) == IFT_LOOP || interfaces_equal != 0) {
 		type = MAC_BIBA_TYPE_EQUAL;
 		goto set;
 	}
@ -1091,7 +1091,7 @@ biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
-				if (strcmp(tifname, ifp->if_xname) == 0) {
+				if (strcmp(tifname, if_name(ifp)) == 0) {
 					type = MAC_BIBA_TYPE_HIGH;
 					break;
 				}
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@ -90,10 +90,10 @@ ifnet_check_outgoing(struct ifnet *ifp)
 	if (!ifoff_enabled)
 		return (0);

-	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);

-	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);

 	return (EPERM);
@ -105,10 +105,10 @@ ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 	if (!ifoff_enabled)
 		return (0);

-	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);

-	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);

 	if (viabpf && ifoff_bpfrecv_enabled)
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -1188,7 +1188,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)

 	dest = SLOT(ifplabel);

-	if (ifp->if_type == IFT_LOOP) {
+	if (if_gettype(ifp) == IFT_LOOP) {
 		grade = MAC_LOMAC_TYPE_EQUAL;
 		goto set;
 	}
@ -1215,7 +1215,7 @@ lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
-				if (strcmp(tifname, ifp->if_xname) == 0) {
+				if (strcmp(tifname, if_name(ifp)) == 0) {
 					grade = MAC_LOMAC_TYPE_HIGH;
 					break;
 				}
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -1024,7 +1024,7 @@ mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)

 	dest = SLOT(ifplabel);

-	if (ifp->if_type == IFT_LOOP)
+	if (if_gettype(ifp) == IFT_LOOP)
 		type = MAC_MLS_TYPE_EQUAL;
 	else
 		type = MAC_MLS_TYPE_LOW;