diff options
| author | rwatson <rwatson@FreeBSD.org> | 2003-08-21 18:21:22 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2003-08-21 18:21:22 +0000 |
| commit | 32ed1a62a81fa74b7ba72050f7fcc471b032f95c (patch) | |
| tree | 269bdd075acbd16f8db9b0379a3518d07ca3cd76 /sys/security/mac/mac_syscalls.c | |
| parent | 31a9062bd5a40857d69d229a261f64e30a94e727 (diff) | |
| download | FreeBSD-src-32ed1a62a81fa74b7ba72050f7fcc471b032f95c.zip FreeBSD-src-32ed1a62a81fa74b7ba72050f7fcc471b032f95c.tar.gz | |
Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()
These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket. For example, in respond to a ping or a RST
packet to a SYN on a closed port.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac/mac_syscalls.c')
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index dcd8831..490b492 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; |
