Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke additional MAC entry points when an mbuf packet header is copied to another mbuf: release the old label if any, reinitialize the new header, and ask the MAC framework to copy the header label data. Note that this requires a potential allocation operation, but m_copy_pkthdr() is not permitted to fail, so we must block. Since we now use interrupt threads, this is possible, but not desirable. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
svn path=/head/; revision=101007
2002-07-31 01:51:34 +00:00 · 2002-07-31 01:51:34 +00:00 · e32a5b94d8 · 2020-12-20 02:59:44 +00:00
commit e32a5b94d8
parent a3abeda755
1 changed files with 14 additions and 0 deletions
--- a/sys/kern/uipc_mbuf.c
+++ b/sys/kern/uipc_mbuf.c
@ -34,12 +34,15 @@
 * $FreeBSD$
 */

+#include "opt_mac.h"
 #include "opt_param.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/sysctl.h>
 #include <sys/domain.h>
@ -74,10 +77,18 @@ m_copy_pkthdr(struct mbuf *to, struct mbuf *from)
 #if 0
 	KASSERT(to->m_flags & M_PKTHDR,
 	    ("m_copy_pkthdr() called on non-header"));
+#endif
+#ifdef MAC
+	if (to->m_flags & M_PKTHDR)
+		mac_destroy_mbuf(to);
 #endif
 	to->m_data = to->m_pktdat;
 	to->m_flags = from->m_flags & M_COPYFLAGS;
 	to->m_pkthdr = from->m_pkthdr;
+#ifdef MAC
+	mac_init_mbuf(to, 1);			/* XXXMAC no way to fail */
+	mac_create_mbuf_from_mbuf(from, to);
+#endif
 	from->m_pkthdr.aux = NULL;
 }

@ -98,6 +109,9 @@ m_prepend(struct mbuf *m, int len, int how)
 	}
 	if (m->m_flags & M_PKTHDR) {
 		M_COPY_PKTHDR(mn, m);
+#ifdef MAC
+		mac_destroy_mbuf(m);
+#endif
 		m->m_flags &= ~M_PKTHDR;
 	}
 	mn->m_next = m;