Introduce two new MAC Framework and MAC policy entry points:

mac_reflect_mbuf_icmp() mac_reflect_mbuf_tcp() These entry points permit MAC policies to do "update in place" changes to the labels on ICMP and TCP mbuf headers when an ICMP or TCP response is generated to a packet outside of the context of an existing socket. For example, in respond to a ping or a RST packet to a SYN on a closed port. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-08-21 18:21:22 +00:00 · 2003-08-21 18:21:22 +00:00 · c896a64fc7
commit c896a64fc7
parent 35a62e1ce4
13 changed files with 181 additions and 0 deletions
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@ -210,6 +210,8 @@ void	mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
 	    struct ifnet *ifnet, struct mbuf *newmbuf);
 void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void	mac_reflect_mbuf_icmp(struct mbuf *m);
+void	mac_reflect_mbuf_tcp(struct mbuf *m);
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);

 /*
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@ -241,6 +241,9 @@ struct mac_policy_ops {
 	int	(*mpo_fragment_match)(struct mbuf *fragment,
 		    struct label *fragmentlabel, struct ipq *ipq,
 		    struct label *ipqlabel);
+	void	(*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+		    struct label *mlabel);
+	void	(*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct label *newlabel);
 	void	(*mpo_update_ipq)(struct mbuf *fragment,
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@ -2397,6 +2397,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 	return (result);
 }

+void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
 void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@ -210,6 +210,8 @@ void	mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
 	    struct ifnet *ifnet, struct mbuf *newmbuf);
 void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void	mac_reflect_mbuf_icmp(struct mbuf *m);
+void	mac_reflect_mbuf_tcp(struct mbuf *m);
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);

 /*
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@ -241,6 +241,9 @@ struct mac_policy_ops {
 	int	(*mpo_fragment_match)(struct mbuf *fragment,
 		    struct label *fragmentlabel, struct ipq *ipq,
 		    struct label *ipqlabel);
+	void	(*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+		    struct label *mlabel);
+	void	(*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct label *newlabel);
 	void	(*mpo_update_ipq)(struct mbuf *fragment,