authorcsjp <csjp@FreeBSD.org>2006-09-12 04:25:13 +0000
committercsjp <csjp@FreeBSD.org>2006-09-12 04:25:13 +0000
commit63e89c05d2dd3463fdb87ade28334a74d7c6e6f0 (patch)
treebfad0bcbfb5566e8fc5f5992840f671a03dba9ea /sys/security/mac/mac_policy.h
parentc74e70f7a8f39a60078eafdfacb3a154e190b0f8 (diff)
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets. This takes care of kernel panics associated with uninitialized mbuf labels when the firewall generates packets. [1] I modified this patch from its original version; the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error(). This will minimize the impact associated with the MFC. Submitted by: mlaier [1] MFC after: 1 week This is a RELENG_6 candidate
Diffstat (limited to 'sys/security/mac/mac_policy.h')
-rw-r--r--sys/security/mac/mac_policy.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index e349f75..afd437f 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -326,6 +326,8 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
struct label *label, struct inpcb *inp,
struct label *inplabel);
+typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
+ struct label *label);
/*
* Labeling event operations: processes.
*/
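Review bot: The new `mpo_create_mbuf_from_firewall_t` typedef has no comment stating its contract, and unlike the `mpo_inpcb_sosetlabel_t` prototype just above it, the entry point receives only the mbuf and its label, with no source object or source label. A policy author therefore has to guess which label a firewall-generated packet should carry, and a wrong guess either leaves the label unset or grants more than intended. I would add a comment above the typedef such as `/* Label an mbuf the firewall generated itself (keep-alive, ICMP error); no originating object is passed, so the policy must pick a default label. */`.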
@@ -880,6 +882,7 @@ struct mac_policy_ops {
mpo_check_vnode_stat_t mpo_check_vnode_stat;
mpo_check_vnode_write_t mpo_check_vnode_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
+ mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
};
/*
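Review bot: Appending `mpo_create_mbuf_from_firewall` as the last member of `struct mac_policy_ops` grows the structure, so a policy module built against the previous header supplies an ops object that is one pointer shorter. If the framework reads this slot from such a module, it reads past the end of that module's object. The hunk does not show whether registration checks a version or size, and the description marks the change for MFC to RELENG_6, where prebuilt modules are plausible. I would confirm that the dispatch path tolerates the member being absent or NULL, and say so at the field, e.g. `/* Appended last so existing member offsets stay stable; may be NULL. */`. The struct definition begins outside the hunk.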