author | rwatson <rwatson@FreeBSD.org> | 2002-07-31 17:17:51 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-07-31 17:17:51 +0000 |
commit | c520fb317ac85d578a5a3446d54309d13ba10ad2 (patch) | |
tree | 41ed6dd5581d644897c83f9347f6c3309530b152 | |
parent | c55a4dc47c96ac5e7633eb700fa180b6b4d23003 (diff) | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument the code managing IP fragment reassembly queues (struct ipq)
to invoke appropriate MAC entry points to maintain a MAC label on
each queue. Permit MAC policies to associate information with a queue
based on the mbuf that caused it to be created, update that information
based on further mbufs accepted by the queue, influence the decision
making process by which mbufs are accepted to the queue, and set the
label of the mbuf holding the reassembled datagram following reassembly
completion.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
-rw-r--r-- | sys/netinet/ip_input.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index bec09ea..8d0e232 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -43,11 +43,13 @@
 #include "opt_ipfilter.h"
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
+#include "opt_mac.h"
 #include "opt_pfil_hooks.h"
 #include "opt_random_ip_id.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/malloc.h>
 #include <sys/domain.h>
@@ -693,6 +695,9 @@ ours:
 	if (ip->ip_id == fp->ipq_id &&
 	    ip->ip_src.s_addr == fp->ipq_src.s_addr &&
 	    ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
+#ifdef MAC
+	    mac_fragment_match(m, fp) &&
+#endif
 	    ip->ip_p == fp->ipq_p)
 		goto found;
 
@@ -902,6 +907,10 @@ ip_reass(struct mbuf *m, struct ipqhead *head, struct ipq *fp,
 	if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
 		goto dropfrag;
 	fp = mtod(t, struct ipq *);
+#ifdef MAC
+	mac_init_ipq(fp);
+	mac_create_ipq(m, fp);
+#endif
 	TAILQ_INSERT_HEAD(head, fp, ipq_list);
 	nipq++;
 	fp->ipq_ttl = IPFRAGTTL;
@@ -916,6 +925,10 @@ ip_reass(struct mbuf *m, struct ipqhead *head, struct ipq *fp,
 	fp->ipq_div_cookie = 0;
 #endif
 	goto inserted;
+	} else {
+#ifdef MAC
+	mac_update_ipq(m, fp);
+#endif
 	}
 
 #define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
@@ -1028,6 +1041,10 @@ inserted:
 	m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
 	m_cat(m, q);
 	}
+#ifdef MAC
+	mac_create_datagram_from_ipq(fp, m);
+	mac_destroy_ipq(fp);
+#endif
 #ifdef IPDIVERT
 	/*
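Review bot: In the queue-lookup hunk the policy hook `mac_fragment_match(m, fp) &&` is placed before the cheap `ip->ip_p == fp->ipq_p` compare, so the hook is invoked for every queue that already matched id/src/dst even when the protocol field alone would reject it; moving the `#ifdef MAC` block after the `ip_p` test keeps the hook off that path without changing the result. The outcome on a label mismatch is also undocumented: a fragment that matches the 4-tuple but fails the policy test presumably falls out of the loop with no queue and is handed to ip_reass to start a fresh queue rather than being dropped, which is a security-relevant choice that deserves a comment such as `/* MAC: a label mismatch starts a separate queue; it does not drop the fragment */` above the ifdef — confirm against the code after the loop, which lies outside this hunk.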
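Review bot: In the new-queue hunk `mac_init_ipq(fp)` sets up label state on every allocated ipq, but the only `mac_destroy_ipq(fp)` this commit adds is on the reassembly-complete path in the last hunk; the diffstat shows no other insertions in this file, so the timeout/drain teardown (ip_freef, outside these hunks) is not instrumented here. Unless a companion change covers it, every queue that expires or is drained would leak whatever mac_init_ipq allocated, and the destroy belongs beside the queue's free there as well. A comment at the init site, e.g. `/* must be paired with mac_destroy_ipq() on every queue teardown path */`, would make the pairing explicit for the next maintainer. ip_reass continues outside the hunk.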
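Review bot: In the `} else {` hunk the else wrapper is redundant: the `if (fp == NULL)` branch ends in `goto inserted;`, so the `#ifdef MAC` / `mac_update_ipq(m, fp);` / `#endif` lines can follow the closing brace directly at the same nesting, which avoids the oddly indented `} else {` line. Separately, the update runs before the fragment has been placed in the queue; if the overlap trimming that follows (outside this hunk) later discards it via dropfrag, the queue's label will have absorbed a fragment that was never accepted. Either a comment noting that the hook fires on receipt rather than on acceptance, or moving the call past the insertion point, would make that contract explicit. ip_reass continues outside the hunk.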