Introduce support for Mandatory Access Control and extensible
kernel access control. Instrument the TCP socket code for packet generation and delivery: label outgoing mbufs with the label of the socket, and check socket and mbuf labels before permitting delivery to a socket. Assign labels to newly accepted connections when the syncache/cookie code has done its business. Also set peer labels as convenient. Currently, MAC policies cannot influence the PCB matching algorithm, so cannot implement polyinstantiation. Note that there is at least one case where a PCB is not available due to the TCP packet not being associated with any socket, so we don't label in that case, but need to handle it in a special manner. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
Robert Watson
parent
239b5b9707
commit
c488362e1a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=101106
@ -37,11 +37,13 @@
|
||||
#include "opt_ipfw.h" /* for ipfw_fwd */
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_tcpdebug.h"
|
||||
#include "opt_tcp_input.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/proc.h> /* for proc0 declaration */
|
||||
@ -360,6 +362,9 @@ tcp_input(m, off0)
|
||||
int isipv6;
|
||||
#endif /* INET6 */
|
||||
struct sockaddr_in *next_hop = NULL;
|
||||
#ifdef MAC
|
||||
int error;
|
||||
#endif
|
||||
int rstreason; /* For badport_bandlim accounting purposes */
|
||||
|
||||
/* Grab info from MT_TAG mbufs prepended to the chain. */
|
||||
@ -651,6 +656,11 @@ tcp_input(m, off0)
|
||||
tiwin = th->th_win;
|
||||
|
||||
so = inp->inp_socket;
|
||||
#ifdef MAC
|
||||
error = mac_check_socket_receive(so, m);
|
||||
if (error)
|
||||
goto drop;
|
||||
#endif
|
||||
if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
|
||||
struct in_conninfo inc;
|
||||
#ifdef TCPDEBUG
|
||||
@ -1171,6 +1181,9 @@ tcp_input(m, off0)
|
||||
tp->t_flags &= ~TF_RCVD_CC;
|
||||
tcpstat.tcps_connects++;
|
||||
soisconnected(so);
|
||||
#ifdef MAC
|
||||
mac_set_socket_peer_from_mbuf(m, so);
|
||||
#endif
|
||||
/* Do window scaling on this connection? */
|
||||
if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
|
||||
(TF_RCVD_SCALE|TF_REQ_SCALE)) {
|
||||
|
||||
@ -36,6 +36,7 @@
|
||||
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_tcpdebug.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -43,6 +44,7 @@
|
||||
#include <sys/domain.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/protosw.h>
|
||||
@ -639,6 +641,9 @@ tcp_output(struct tcpcb *tp)
|
||||
m->m_len = hdrlen;
|
||||
}
|
||||
m->m_pkthdr.rcvif = (struct ifnet *)0;
|
||||
#ifdef MAC
|
||||
mac_create_mbuf_from_socket(so, m);
|
||||
#endif
|
||||
#ifdef INET6
|
||||
if (isipv6) {
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
|
||||
@ -37,11 +37,13 @@
|
||||
#include "opt_ipfw.h" /* for ipfw_fwd */
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_tcpdebug.h"
|
||||
#include "opt_tcp_input.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/proc.h> /* for proc0 declaration */
|
||||
@ -360,6 +362,9 @@ tcp_input(m, off0)
|
||||
int isipv6;
|
||||
#endif /* INET6 */
|
||||
struct sockaddr_in *next_hop = NULL;
|
||||
#ifdef MAC
|
||||
int error;
|
||||
#endif
|
||||
int rstreason; /* For badport_bandlim accounting purposes */
|
||||
|
||||
/* Grab info from MT_TAG mbufs prepended to the chain. */
|
||||
@ -651,6 +656,11 @@ tcp_input(m, off0)
|
||||
tiwin = th->th_win;
|
||||
|
||||
so = inp->inp_socket;
|
||||
#ifdef MAC
|
||||
error = mac_check_socket_receive(so, m);
|
||||
if (error)
|
||||
goto drop;
|
||||
#endif
|
||||
if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
|
||||
struct in_conninfo inc;
|
||||
#ifdef TCPDEBUG
|
||||
@ -1171,6 +1181,9 @@ tcp_input(m, off0)
|
||||
tp->t_flags &= ~TF_RCVD_CC;
|
||||
tcpstat.tcps_connects++;
|
||||
soisconnected(so);
|
||||
#ifdef MAC
|
||||
mac_set_socket_peer_from_mbuf(m, so);
|
||||
#endif
|
||||
/* Do window scaling on this connection? */
|
||||
if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
|
||||
(TF_RCVD_SCALE|TF_REQ_SCALE)) {
|
||||
|
||||
@ -37,6 +37,7 @@
|
||||
#include "opt_compat.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_tcpdebug.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -44,6 +45,7 @@
|
||||
#include <sys/callout.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mbuf.h>
|
||||
#ifdef INET6
|
||||
@ -443,6 +445,21 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
|
||||
m->m_len = tlen;
|
||||
m->m_pkthdr.len = tlen;
|
||||
m->m_pkthdr.rcvif = (struct ifnet *) 0;
|
||||
#ifdef MAC
|
||||
if (tp != NULL) {
|
||||
/*
|
||||
* Packet is associated with a socket, so allow the
|
||||
* label of the response to reflect the socket label.
|
||||
*/
|
||||
mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
|
||||
} else {
|
||||
/*
|
||||
* XXXMAC: This will need to call a mac function that
|
||||
* modifies the mbuf label in place for TCP datagrams
|
||||
* not associated with a PCB.
|
||||
*/
|
||||
}
|
||||
#endif
|
||||
nth->th_seq = htonl(seq);
|
||||
nth->th_ack = htonl(ack);
|
||||
nth->th_x2 = 0;
|
||||
|
||||
@ -36,12 +36,14 @@
|
||||
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/md5.h>
|
||||
#include <sys/proc.h> /* for proc0 declaration */
|
||||
@ -560,6 +562,9 @@ syncache_socket(sc, lso, m)
|
||||
tcpstat.tcps_listendrop++;
|
||||
goto abort;
|
||||
}
|
||||
#ifdef MAC
|
||||
mac_set_socket_peer_from_mbuf(m, so);
|
||||
#endif
|
||||
|
||||
inp = sotoinpcb(so);
|
||||
|
||||
@ -1095,6 +1100,9 @@ syncache_respond(sc, m)
|
||||
m->m_len = tlen;
|
||||
m->m_pkthdr.len = tlen;
|
||||
m->m_pkthdr.rcvif = NULL;
|
||||
#ifdef MAC
|
||||
mac_create_mbuf_from_socket(sc->sc_tp->t_inpcb->inp_socket, m);
|
||||
#endif
|
||||
|
||||
#ifdef IPSEC
|
||||
/* use IPsec policy on listening socket to send SYN,ACK */
|
||||
|
||||
@ -37,6 +37,7 @@
|
||||
#include "opt_compat.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_tcpdebug.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -44,6 +45,7 @@
|
||||
#include <sys/callout.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mbuf.h>
|
||||
#ifdef INET6
|
||||
@ -443,6 +445,21 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
|
||||
m->m_len = tlen;
|
||||
m->m_pkthdr.len = tlen;
|
||||
m->m_pkthdr.rcvif = (struct ifnet *) 0;
|
||||
#ifdef MAC
|
||||
if (tp != NULL) {
|
||||
/*
|
||||
* Packet is associated with a socket, so allow the
|
||||
* label of the response to reflect the socket label.
|
||||
*/
|
||||
mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
|
||||
} else {
|
||||
/*
|
||||
* XXXMAC: This will need to call a mac function that
|
||||
* modifies the mbuf label in place for TCP datagrams
|
||||
* not associated with a PCB.
|
||||
*/
|
||||
}
|
||||
#endif
|
||||
nth->th_seq = htonl(seq);
|
||||
nth->th_ack = htonl(ack);
|
||||
nth->th_x2 = 0;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user