Introduce a MAC label reference in 'struct inpcb', which caches

the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 40 insertions, 7 deletions

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 480c50e..11735ec 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -36,10 +36,12 @@
 
 #include "opt_ipsec.h"
 #include "opt_inet6.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/limits.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
@@ -161,26 +163,30 @@ in_pcballoc(so, pcbinfo, td)
 	struct thread *td;
 {
 	register struct inpcb *inp;
-#if defined(IPSEC) || defined(FAST_IPSEC)
 	int error;
-#endif
+
 	INP_INFO_WLOCK_ASSERT(pcbinfo);
+	error = 0;
 	inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO);
 	if (inp == NULL)
 		return (ENOBUFS);
 	inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
 	inp->inp_pcbinfo = pcbinfo;
 	inp->inp_socket = so;
+#ifdef MAC
+	error = mac_init_inpcb(inp, M_NOWAIT);
+	if (error != 0)
+		goto out;
+	mac_create_inpcb_from_socket(so, inp);
+#endif
 #if defined(IPSEC) || defined(FAST_IPSEC)
 #ifdef FAST_IPSEC
 	error = ipsec_init_policy(so, &inp->inp_sp);
 #else
 	error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
 #endif
-	if (error != 0) {
-		uma_zfree(pcbinfo->ipi_zone, inp);
-		return error;
-	}
+	if (error != 0)
+		goto out;
 #endif /*IPSEC*/
 #if defined(INET6)
 	if (INP_SOCKAF(so) == AF_INET6) {
@@ -197,7 +203,12 @@ in_pcballoc(so, pcbinfo, td)
 	if (ip6_auto_flowlabel)
 		inp->inp_flags |= IN6P_AUTOFLOWLABEL;
 #endif
-	return (0);
+#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
+out:
+	if (error != 0)
+		uma_zfree(pcbinfo->ipi_zone, inp);
+#endif
+	return (error);
 }
 
 int
@@ -700,6 +711,9 @@ in_pcbdetach(inp)
 	ip_freemoptions(inp->inp_moptions);
 	inp->inp_vflag = 0;
 	INP_LOCK_DESTROY(inp);
+#ifdef MAC
+	mac_destroy_inpcb(inp);
+#endif
 	uma_zfree(ipi->ipi_zone, inp);
 }
 
@@ -1218,6 +1232,25 @@ in_pcbremlists(inp)
 	pcbinfo->ipi_count--;
 }
 
+/*
+ * A set label operation has occurred at the socket layer, propagate the
+ * label change into the in_pcb for the socket.
+ */
+void
+in_pcbsosetlabel(so)
+	struct socket *so;
+{
+#ifdef MAC
+	struct inpcb *inp;
+
+	/* XXX: Will assert socket lock when we have them. */
+	inp = (struct inpcb *)so->so_pcb;
+	INP_LOCK(inp);
+	mac_inpcb_sosetlabel(so, inp);
+	INP_UNLOCK(inp);
+#endif
+}
+
 int
 prison_xinpcb(struct thread *td, struct inpcb *inp)
 {