Switch TCP over to using the inpcb label when responding in timed

wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-12-17 14:55:11 +00:00 · 2003-12-17 14:55:11 +00:00 · 2d92ec9858
commit 2d92ec9858
parent e15d48d945
12 changed files with 78 additions and 8 deletions
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
 	m->m_data += max_linkhdr;

 #ifdef MAC
-	if (so != NULL)
-		mac_create_mbuf_from_socket(so, m);
-	else
-		mac_create_mbuf_netlayer(msrc, m);
+	mac_create_mbuf_from_inpcb(inp, m);
 #endif

 #ifdef INET6
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
 	m->m_data += max_linkhdr;

 #ifdef MAC
-	if (so != NULL)
-		mac_create_mbuf_from_socket(so, m);
-	else
-		mac_create_mbuf_netlayer(msrc, m);
+	mac_create_mbuf_from_inpcb(inp, m);
 #endif

 #ifdef INET6
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@ -213,6 +213,7 @@ void	mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
 void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
 void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@ -588,6 +588,17 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
 	MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
 }

+void
+mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+{
+	struct label *mlabel;
+
+	INP_LOCK_ASSERT(inp);
+	mlabel = mbuf_to_label(m);
+
+	MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+}
+
 void
 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
 {
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@ -229,6 +229,9 @@ struct mac_policy_ops {
 	void	(*mpo_create_fragment)(struct mbuf *datagram,
 		    struct label *datagramlabel, struct mbuf *fragment,
 		    struct label *fragmentlabel);
+	void	(*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+		    struct label *inplabel, struct mbuf *m,
+		    struct label *mlabel);
 	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
 		    struct label *oldlabel, struct mbuf *newmbuf,
 		    struct label *newlabel);
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -1199,6 +1199,18 @@ mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 	mac_biba_copy_single(source, dest);
 }

+static void
+mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_biba_copy_single(source, dest);
+}
+
 static void
 mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
@ -2698,6 +2710,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_create_ifnet = mac_biba_create_ifnet,
 	.mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
 	.mpo_create_ipq = mac_biba_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -1339,6 +1339,18 @@ mac_lomac_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 	mac_lomac_copy_single(source, dest);
 }

+static void
+mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_lomac_copy_single(source, dest);
+}
+
 static void
 mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
@ -2680,6 +2692,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_create_ifnet = mac_lomac_create_ifnet,
 	.mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
 	.mpo_create_ipq = mac_lomac_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -1129,6 +1129,18 @@ mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 	mac_mls_copy_single(source, dest);
 }

+static void
+mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(inplabel);
+	dest = SLOT(mlabel);
+
+	mac_mls_copy_single(source, dest);
+}
+
 static void
 mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
@ -2470,6 +2482,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_ifnet = mac_mls_create_ifnet,
 	.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
 	.mpo_create_ipq = mac_mls_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@ -350,6 +350,13 @@ stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,

 }

+static void
+stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+
+}
+
 static void
 stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
@ -1092,6 +1099,7 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
 	.mpo_create_fragment = stub_create_fragment,
 	.mpo_create_ipq = stub_create_ipq,
+	.mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@ -914,6 +914,15 @@ mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
 	ASSERT_IPQ_LABEL(ipqlabel);
 }

+static void
+mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+
+	ASSERT_INPCB_LABEL(inplabel);
+	ASSERT_MBUF_LABEL(mlabel);
+}
+
 static void
 mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
@ -1923,6 +1932,7 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
 	.mpo_create_fragment = mac_test_create_fragment,
 	.mpo_create_ipq = mac_test_create_ipq,
+	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
 	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@ -213,6 +213,7 @@ void	mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
 void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
 void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@ -229,6 +229,9 @@ struct mac_policy_ops {
 	void	(*mpo_create_fragment)(struct mbuf *datagram,
 		    struct label *datagramlabel, struct mbuf *fragment,
 		    struct label *fragmentlabel);
+	void	(*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+		    struct label *inplabel, struct mbuf *m,
+		    struct label *mlabel);
 	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
 		    struct label *oldlabel, struct mbuf *newmbuf,
 		    struct label *newlabel);