authorrwatson <rwatson@FreeBSD.org>2002-07-31 18:30:34 +0000
committerrwatson <rwatson@FreeBSD.org>2002-07-31 18:30:34 +0000
commit9ab1b809a699a946549597ae9770a70675b2c5a0 (patch)
treed317b11acafac64bf47e74cf758bfef8bfbde253 /sys/netinet/raw_ip.c
parent7c659e060e01c4c572756ff925d2c4a9558d07a4 (diff)
Introduce support for Mandatory Access Control and extensible
kernel access control. Instrument the raw IP socket code for packet generation and delivery: label outgoing mbufs with the label of the socket, and check the socket and mbuf labels before permitting delivery to a socket, permitting MAC policies to selectively allow delivery of raw IP mbufs to various raw IP sockets that may be open. Restructure the policy checking code to compose IPsec and MAC results in a more readable manner. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r--sys/netinet/raw_ip.c58
1 files changed, 41 insertions, 17 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f104cfc..2ea6a1a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -36,6 +36,7 @@
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_random_ip_id.h"
#include <sys/param.h>
@@ -144,16 +145,27 @@ rip_input(m, off)
continue;
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
-
-#ifdef IPSEC
- /* check AH/ESP integrity. */
- if (n && ipsec4_in_reject_so(n, last->inp_socket)) {
- m_freem(n);
- ipsecstat.in_polvio++;
- /* do not inject data to pcb */
- } else
+ int policyfail = 0;
+
+ if (n != NULL) {
+#ifdef IPSSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject_so(n, last->inp_socket)) {
+ policyfail = 1;
+ ipsecstat.in_polvio++;
+ /* do not inject data to pcb */
+ }
#endif /*IPSEC*/
- if (n) {
+#ifdef MAC
+ if (policyfail == 0 &&
+ mac_check_socket_receive(last->inp_socket,
+ n) != 0)
+ policyfail = 1;
+#endif
+ }
+ if (policyfail)
+ m_freem(n);
+ else if (n) {
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
ip_savecontrol(last, &opts, ip, n);
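Review bot: The guard added around the per-socket IPsec check is spelled `#ifdef IPSSEC`, while its matching `#endif /*IPSEC*/` and the second check further down use `IPSEC`. Unless a macro named IPSSEC is defined somewhere not shown, the `ipsec4_in_reject_so(n, last->inp_socket)` call is compiled out. Packet copies handed to every matching raw socket except the last would then skip the AH/ESP policy check, and `ipsecstat.in_polvio` would never be incremented on this path. The line should read `#ifdef IPSEC`. The enclosing loop in rip_input starts and ends outside the hunk.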
@@ -171,16 +183,24 @@ rip_input(m, off)
}
last = inp;
}
+ if (last) {
#ifdef IPSEC
- /* check AH/ESP integrity. */
- if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
- m_freem(m);
- ipsecstat.in_polvio++;
- ipstat.ips_delivered--;
- /* do not inject data to pcb */
- } else
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject_so(m, last->inp_socket)) {
+ m_freem(m);
+ ipsecstat.in_polvio++;
+ ipstat.ips_delivered--;
+ /* do not inject data to pcb */
+ return;
+ }
#endif /*IPSEC*/
- if (last) {
+#ifdef MAC
+ if (mac_check_socket_receive(last->inp_socket, m) != 0) {
+ m_freem(m);
+ ipstat.ips_delivered--;
+ return;
+ }
+#endif
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
ip_savecontrol(last, &opts, ip, m);
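Review bot: The MAC rejection branch (`mac_check_socket_receive(last->inp_socket, m) != 0`) frees the mbuf and returns with no comment and no counter, whereas the IPsec branch just above records `ipsecstat.in_polvio++`, so a drop caused by MAC policy leaves no trace in the statistics. At minimum add `/* MAC policy denied delivery; do not inject data to pcb */` above its `m_freem(m)`; whether a MAC-side statistic exists to increment is not visible here. This path also handles failure with two duplicated early returns, while the loop in the previous hunk composes the results through `policyfail`; using the same flag here would keep the two paths parallel. The rest of rip_input lies outside the hunk.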
@@ -212,6 +232,10 @@ rip_output(m, so, dst)
register struct inpcb *inp = sotoinpcb(so);
int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST;
+#ifdef MAC
+ mac_create_mbuf_from_socket(so, m);
+#endif
+
/*
* If the user handed us a complete IP packet, use it.
* Otherwise, allocate an mbuf for a header and fill it in.
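Review bot: `mac_create_mbuf_from_socket(so, m)` labels the mbuf passed in, before the branch that the context comment describes as one that may "allocate an mbuf for a header and fill it in". Whether the label follows the packet header onto a newly prepended mbuf is not visible in this hunk and should be confirmed, since otherwise packets built on that path could leave without the socket's label. A short comment such as `/* Label the packet from the socket before the IP header is built. */` would record why the call sits here. rip_output continues outside the hunk.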