authorrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
commit369fd04f480478bfb9d2cb1566ec0189185a020e (patch)
tree538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac/mac_inet.c
parent6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff)
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services: - mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc). - Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac/mac_inet.c')
-rw-r--r--sys/security/mac/mac_inet.c31
1 files changed, 29 insertions, 2 deletions
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 22c134f..6533cf0 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -234,13 +234,25 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
}
void
-mac_netinet_icmp_reply(struct mbuf *m)
+mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend)
+{
+ struct label *mrecvlabel, *msendlabel;
+
+ mrecvlabel = mac_mbuf_to_label(mrecv);
+ msendlabel = mac_mbuf_to_label(msend);
+
+ MAC_PERFORM(netinet_icmp_reply, mrecv, mrecvlabel, msend,
+ msendlabel);
+}
+
+void
+mac_netinet_icmp_replyinplace(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(netinet_icmp_reply, m, label);
+ MAC_PERFORM(netinet_icmp_replyinplace, m, label);
}
void
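Review bot: The new two-mbuf mac_netinet_icmp_reply() looks up labels on mrecv and msend without asserting that either mbuf carries a packet header, while mac_netinet_firewall_reply(), added in the later hunk of this same commit, asserts it for both. Assuming mac_mbuf_to_label() finds the label through the packet-header tag list (its definition is not part of this diff), an mbuf without a header would give the policies a missing or meaningless label instead of failing loudly on a kernel built with assertions. For consistency, add `M_ASSERTPKTHDR(mrecv);` and `M_ASSERTPKTHDR(msend);` ahead of the two lookups. The renamed mac_netinet_icmp_replyinplace() could take `M_ASSERTPKTHDR(m);` in the same way.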
@@ -300,6 +312,21 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
}
void
+mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend)
+{
+ struct label *mrecvlabel, *msendlabel;
+
+ M_ASSERTPKTHDR(mrecv);
+ M_ASSERTPKTHDR(msend);
+
+ mrecvlabel = mac_mbuf_to_label(mrecv);
+ msendlabel = mac_mbuf_to_label(msend);
+
+ MAC_PERFORM(netinet_firewall_reply, mrecv, mrecvlabel, msend,
+ msendlabel);
+}
+
+void
mac_netinet_firewall_send(struct mbuf *m)
{
struct label *label;
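Review bot: mac_netinet_firewall_reply() has no comment saying which mbuf supplies the label and which one is being labeled, and it sits directly above mac_netinet_firewall_send(), which takes a single mbuf. Both parameters are `struct mbuf *`, so a pf or ipfw caller that swaps them still compiles, and the reply would presumably then be labeled from the wrong packet. I would add above the function `/* Label msend, a firewall-generated reply, based on the received packet mrecv; both mbufs must have packet headers. */`, with the wording adjusted to what the policies actually do with the pair.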
OpenPOWER on IntegriCloud