Move towards more explicit support for various network protocol stacks

in the TrustedBSD MAC Framework:

- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
  for AARP packet labeling, rather than using a generic link layer
  entry point.

- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
  for ND6 packet labeling, rather than using a generic link layer entry
  point.

- Add explicit entry point mac_netinet_arp_send() for ARP packet
  labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
  rather than using a generic link layer entry point.

- Remove previous generic link layer entry point,
  mac_mbuf_create_linklayer() as it is no longer used.

- Add implementations of new entry points to various policies, largely
  by replicating the existing link layer entry point for them; remove
  old link layer entry point implementation.

- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
  to the MAC Framework rather than static to mac_net.c as it is now
  needed outside of mac_net.c.

Obtained from:	TrustedBSD Project
Robert Watson 2007-10-28 15:55:23 +00:00
parent b0f4c777e4
commit b9b0dac33b
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=173095
17 changed files with 421 additions and 87 deletions


@ -2031,9 +2031,11 @@ security/audit/audit_pipe.c optional audit
security/audit/audit_syscalls.c standard
security/audit/audit_trigger.c optional audit
security/audit/audit_worker.c optional audit
security/mac/mac_atalk.c optional mac netatalk
security/mac/mac_audit.c optional mac audit
security/mac/mac_framework.c optional mac
security/mac/mac_inet.c optional mac inet
security/mac/mac_inet6.c optional mac inet6
security/mac/mac_label.c optional mac
security/mac/mac_net.c optional mac
security/mac/mac_pipe.c optional mac


@ -177,7 +177,7 @@ aarpwhohas(struct ifnet *ifp, struct sockaddr_at *sat)
if (m == NULL)
return;
#ifdef MAC
mac_mbuf_create_linklayer(ifp, m);
mac_netatalk_aarp_send(ifp, m);
#endif
m->m_len = sizeof(*ea);
m->m_pkthdr.len = sizeof(*ea);
@ -602,7 +602,7 @@ aarpprobe(void *arg)
if (m == NULL)
return;
#ifdef MAC
mac_mbuf_create_linklayer(ifp, m);
mac_netatalk_aarp_send(ifp, m);
#endif
m->m_len = sizeof(*ea);
m->m_pkthdr.len = sizeof(*ea);


@ -323,7 +323,7 @@ arprequest(struct ifnet *ifp, struct in_addr *sip, struct in_addr *tip,
ah = mtod(m, struct arphdr *);
bzero((caddr_t)ah, m->m_len);
#ifdef MAC
mac_mbuf_create_linklayer(ifp, m);
mac_netinet_arp_send(ifp, m);
#endif
ah->ar_pro = htons(ETHERTYPE_IP);
ah->ar_hln = ifp->if_addrlen; /* hardware address length */


@ -471,7 +471,7 @@ igmp_sendpkt(struct in_multi *inm, int type, unsigned long addr)
m->m_pkthdr.rcvif = loif;
#ifdef MAC
mac_mbuf_create_linklayer(inm->inm_ifp, m);
mac_netinet_igmp_send(inm->inm_ifp, m);
#endif
m->m_pkthdr.len = sizeof(struct ip) + IGMP_MINLEN;
MH_ALIGN(m, IGMP_MINLEN + sizeof(struct ip));


@ -2114,7 +2114,7 @@ nd6_output(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m0,
}
#ifdef MAC
mac_mbuf_create_linklayer(ifp, m);
mac_netinet6_nd6_send(ifp, m);
#endif
if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
return ((*ifp->if_output)(origifp, m, (struct sockaddr *)dst,


@ -0,0 +1,66 @@
/*-
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <net/if.h>
#include <net/if_var.h>
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
void
mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
{
struct label *mlabel;
mlabel = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
MAC_IFNET_UNLOCK(ifp);
}
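Review bot: The new mac_netatalk_aarp_send() carries no comment, and nothing says why the MAC_IFNET_LOCK()/MAC_IFNET_UNLOCK() pair is needed around a call that otherwise only forwards labels to the policies. A short header such as `/* Label an outgoing AARP packet; mac_ifnet_mtx is held so policies see a stable ifp->if_label. */` would spare the next reader a trip to mac_net.c to find the mutex's purpose. Several of the copied includes (sys/mount.h, sys/file.h, sys/namei.h, sys/protosw.h, sys/socketvar.h, sys/sysctl.h) appear unused by the single function in this file and could presumably be dropped, though keeping the new MAC sources uniform may be deliberate.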


@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_mount_destroy(struct mount *);
void mac_mount_init(struct mount *);
void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_netinet_icmp_reply(struct mbuf *m);
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);


@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@ -221,6 +221,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
return (result);
}
void
mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
{
struct label *mlabel;
mlabel = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_netinet_icmp_reply(struct mbuf *m)
{
@ -231,6 +243,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
MAC_PERFORM(netinet_icmp_reply, m, label);
}
void
mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
{
struct label *mlabel;
mlabel = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_netinet_tcp_reply(struct mbuf *m)
{


@ -0,0 +1,64 @@
/*-
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <net/if.h>
#include <net/if_var.h>
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
void
mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
{
struct label *mlabel;
mlabel = mac_mbuf_to_label(m);
MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
}
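Review bot: mac_netinet6_nd6_send() reads ifp->if_label and passes it to MAC_PERFORM without taking MAC_IFNET_LOCK(), unlike the sibling entry points mac_netatalk_aarp_send(), mac_netinet_arp_send() and mac_netinet_igmp_send() added in this commit and the mac_mbuf_create_linklayer() it replaces, all of which bracket the call with the lock. The mutex is made global in this very commit so that callers outside mac_net.c can hold it while policies read the interface label, so the ND6 path looks like the one place where a concurrent ifnet relabel can overlap a policy's read of if_label. I would add `MAC_IFNET_LOCK(ifp);` before the MAC_PERFORM line and `MAC_IFNET_UNLOCK(ifp);` after it, matching the other three.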


@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
#endif
extern struct mtx mac_ifnet_mtx;
/*
* MAC Framework infrastructure functions.
@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
int mac_allocate_slot(void);
#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
/*
* MAC Framework per-object type functions. It's not yet clear how the
* namespaces, etc, should work for these, so for now, sort by object type.
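Review bot: MAC_IFNET_LOCK(ifp) and MAC_IFNET_UNLOCK(ifp) now live in a shared header but take an ifp argument they never use, which a new caller will naturally read as a per-interface lock. The explanation that sits above the mutex definition in mac_net.c (one global mutex standing in for per-ifnet locking) should travel with the macros now that they are visible outside that file; a comment such as `/* ifp is currently ignored: a single global mutex (mac_ifnet_mtx, mac_net.c) covers all ifnet labels. */` above the two #defines would do. The new extern declaration earlier in the section would benefit from the same pointer.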


@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$");
* our own global mutex for struct ifnet. Non-ideal, but should help in the
* SMP environment.
*/
static struct mtx mac_ifnet_mtx;
struct mtx mac_ifnet_mtx;
MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
/*
* Retrieve the label associated with an mbuf by searching for the tag.
@ -309,18 +307,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
}
void
mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{


@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
struct label *dest);
typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
typedef void (*mpo_mount_destroy_label_t)(struct label *label);
typedef void (*mpo_mount_init_label_t)(struct label *label);
typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *fraglabel);
typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
@ -678,7 +689,6 @@ struct mac_policy_ops {
mpo_kld_check_stat_t mpo_kld_check_stat;
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;
mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
@ -689,11 +699,17 @@ struct mac_policy_ops {
mpo_mount_destroy_label_t mpo_mount_destroy_label;
mpo_mount_init_label_t mpo_mount_init_label;
mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
mpo_netinet_arp_send_t mpo_netinet_arp_send;
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
mpo_netinet_fragment_t mpo_netinet_fragment;
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
mpo_pipe_check_poll_t mpo_pipe_check_poll;
mpo_pipe_check_read_t mpo_pipe_check_read;


@ -1267,17 +1267,6 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
biba_copy_effective(source, dest);
}
static void
biba_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
dest = SLOT(mlabel);
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
@ -1371,6 +1360,28 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
biba_copy(source, dest);
}
static void
biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
dest = SLOT(mlabel);
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
dest = SLOT(mlabel);
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
@ -1382,6 +1393,28 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
dest = SLOT(mlabel);
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
dest = SLOT(mlabel);
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
/*
* Labeling event operations: processes.
*/
@ -3320,7 +3353,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_sysvshm_create = biba_sysvshm_create,
.mpo_ipq_create = biba_ipq_create,
.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
.mpo_mbuf_create_linklayer = biba_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap,
@ -3412,7 +3444,11 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_check_stat = biba_vnode_check_stat,
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
.mpo_vnode_check_write = biba_vnode_check_write,
.mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
.mpo_netinet_arp_send = biba_netinet_arp_send,
.mpo_netinet_firewall_send = biba_netinet_firewall_send,
.mpo_netinet_igmp_send = biba_netinet_igmp_send,
.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
.mpo_priv_check = biba_priv_check,
};
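Review bot: biba_netatalk_aarp_send(), biba_netinet_arp_send(), biba_netinet_igmp_send() and biba_netinet6_nd6_send() have four identical bodies that ignore ifp and ifplabel and unconditionally set the packet label to MAC_BIBA_TYPE_EQUAL; the same replication appears in mac_lomac.c and mac_mls.c below. Since the body is copied from the removed biba_mbuf_create_linklayer(), the intent is presumably that link-layer control traffic is deliberately labelled EQUAL regardless of the interface label, but nothing in the file states that now that there are four copies. A one-line comment above the group, e.g. `/* Link-layer control packets (AARP, ARP, IGMP, ND6) are labelled EQUAL regardless of the interface label. */`, or a small shared static helper that the four call, would keep the policy's intent explicit if any of them later diverges.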


@ -1331,17 +1331,6 @@ lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
lomac_copy_single(source, dest);
}
static void
lomac_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
dest = SLOT(mlabel);
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
@ -1456,6 +1445,28 @@ lomac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
lomac_copy(source, dest);
}
static void
lomac_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
dest = SLOT(mlabel);
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
lomac_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
dest = SLOT(mlabel);
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
@ -1467,6 +1478,28 @@ lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
lomac_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
dest = SLOT(mlabel);
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
lomac_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
dest = SLOT(mlabel);
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
/*
* Labeling event operations: processes.
*/
@ -2878,7 +2911,6 @@ static struct mac_policy_ops lomac_ops =
.mpo_inpcb_create = lomac_inpcb_create,
.mpo_ipq_create = lomac_ipq_create,
.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
.mpo_mbuf_create_linklayer = lomac_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = lomac_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = lomac_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = lomac_mbuf_create_multicast_encap,
@ -2936,10 +2968,13 @@ static struct mac_policy_ops lomac_ops =
.mpo_vnode_check_unlink = lomac_vnode_check_unlink,
.mpo_vnode_check_write = lomac_vnode_check_write,
.mpo_thread_userret = lomac_thread_userret,
.mpo_netatalk_aarp_send = lomac_netatalk_aarp_send,
.mpo_netinet_arp_send = lomac_netinet_arp_send,
.mpo_netinet_firewall_send = lomac_netinet_firewall_send,
.mpo_netinet_igmp_send = lomac_netinet_igmp_send,
.mpo_netinet6_nd6_send = lomac_netinet6_nd6_send,
.mpo_priv_check = lomac_priv_check,
};
MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS,
&lomac_slot);
MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &lomac_slot);


@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
@ -1189,17 +1189,6 @@ mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
mls_copy_effective(source, dest);
}
static void
mls_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
dest = SLOT(mlabel);
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
@ -1293,6 +1282,28 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
mls_copy(source, dest);
}
static void
mls_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
dest = SLOT(mlabel);
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
dest = SLOT(mlabel);
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
@ -1304,6 +1315,28 @@ mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
dest = SLOT(mlabel);
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
dest = SLOT(mlabel);
mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
mls_syncache_create(struct label *label, struct inpcb *inp)
{
@ -2947,7 +2980,6 @@ static struct mac_policy_ops mls_ops =
.mpo_sysvsem_create = mls_sysvsem_create,
.mpo_sysvshm_create = mls_sysvshm_create,
.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
.mpo_mbuf_create_linklayer = mls_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
@ -3035,7 +3067,11 @@ static struct mac_policy_ops mls_ops =
.mpo_vnode_check_stat = mls_vnode_check_stat,
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
.mpo_vnode_check_write = mls_vnode_check_write,
.mpo_netatalk_aarp_send = mls_netatalk_aarp_send,
.mpo_netinet_arp_send = mls_netinet_arp_send,
.mpo_netinet_firewall_send = mls_netinet_firewall_send,
.mpo_netinet_igmp_send = mls_netinet_igmp_send,
.mpo_netinet6_nd6_send = mls_netinet6_nd6_send,
};
MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",


@ -404,13 +404,6 @@ stub_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
}
static void
stub_mbuf_create_linklayer(struct ifnet *ifp, struct label *iflpabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
@ -440,12 +433,40 @@ stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
}
static void
stub_netatalk_aarp_send(struct ifnet *ifp, struct label *iflpabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
stub_netinet_arp_send(struct ifnet *ifp, struct label *iflpabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
stub_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
}
static void
stub_netinet_igmp_send(struct ifnet *ifp, struct label *iflpabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
stub_netinet6_nd6_send(struct ifnet *ifp, struct label *iflpabel,
struct mbuf *m, struct label *mlabel)
{
}
static int
stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
@ -1521,12 +1542,15 @@ static struct mac_policy_ops stub_ops =
.mpo_ipq_reassemble = stub_ipq_reassemble,
.mpo_netinet_fragment = stub_netinet_fragment,
.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
.mpo_mbuf_create_linklayer = stub_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
.mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
.mpo_netatalk_aarp_send = stub_netatalk_aarp_send,
.mpo_netinet_arp_send = stub_netinet_arp_send,
.mpo_netinet_firewall_send = stub_netinet_firewall_send,
.mpo_netinet_igmp_send = stub_netinet_igmp_send,
.mpo_netinet6_nd6_send = stub_netinet6_nd6_send,
.mpo_ipq_match = stub_ipq_match,
.mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
.mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
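Review bot: The four new stub functions in the hunk at @ -440,12 +433,40 @@ name their second parameter `iflpabel`, a typo carried over from the removed stub_mbuf_create_linklayer(); the typedefs in mac_policy.h and the biba, lomac, mls and test policies all spell it `ifplabel`. It is worth fixing while the functions are new, e.g. `stub_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,` and the same rename in stub_netinet_arp_send, stub_netinet_igmp_send and stub_netinet6_nd6_send. The parameter is unused, so nothing else changes.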


@ -1015,17 +1015,6 @@ test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
COUNTER_INC(inpcb_create_mbuf);
}
COUNTER_DECL(mbuf_create_linklayer);
static void
test_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(ifplabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
COUNTER_INC(mbuf_create_linklayer);
}
COUNTER_DECL(bpfdesc_create_mbuf);
static void
test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel,
@ -1086,6 +1075,28 @@ test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
return (1);
}
COUNTER_DECL(netatalk_aarp_send);
static void
test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(ifplabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
COUNTER_INC(netatalk_aarp_send);
}
COUNTER_DECL(netinet_arp_send);
static void
test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(ifplabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
COUNTER_INC(netinet_arp_send);
}
COUNTER_DECL(netinet_icmp_reply);
static void
test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
@ -1095,6 +1106,17 @@ test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
COUNTER_INC(netinet_icmp_reply);
}
COUNTER_DECL(netinet_igmp_send);
static void
test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(ifplabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
COUNTER_INC(netinet_igmp_send);
}
COUNTER_DECL(netinet_tcp_reply);
static void
test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
@ -1104,6 +1126,17 @@ test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
COUNTER_INC(netinet_tcp_reply);
}
COUNTER_DECL(netinet6_nd6_send);
static void
test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(ifplabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
COUNTER_INC(netinet6_nd6_send);
}
COUNTER_DECL(ifnet_relabel);
static void
test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
@ -2686,14 +2719,17 @@ static struct mac_policy_ops test_ops =
.mpo_netinet_fragment = test_netinet_fragment,
.mpo_ipq_create = test_ipq_create,
.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
.mpo_mbuf_create_linklayer = test_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = test_mbuf_create_multicast_encap,
.mpo_mbuf_create_netlayer = test_mbuf_create_netlayer,
.mpo_ipq_match = test_ipq_match,
.mpo_netatalk_aarp_send = test_netatalk_aarp_send,
.mpo_netinet_arp_send = test_netinet_arp_send,
.mpo_netinet_icmp_reply = test_netinet_icmp_reply,
.mpo_netinet_igmp_send = test_netinet_igmp_send,
.mpo_netinet_tcp_reply = test_netinet_tcp_reply,
.mpo_netinet6_nd6_send = test_netinet6_nd6_send,
.mpo_ifnet_relabel = test_ifnet_relabel,
.mpo_ipq_update = test_ipq_update,
.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,