author | rwatson <rwatson@FreeBSD.org> | 2007-10-28 15:55:23 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2007-10-28 15:55:23 +0000 |
commit | 2bca3d4001f67728691cf776e9d18d9c59c19365 (patch) | |
tree | 6903d27f86e038a8c03b0705e717026eb4846831 /sys/security/mac | |
parent | 5b4c0a83ffe5155893733797736e14c3b44f759a (diff) | |
Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework:
- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
for AARP packet labeling, rather than using a generic link layer
entry point.
- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
for ND6 packet labeling, rather than using a generic link layer entry
point.
- Add explicit entry point mac_netinet_arp_send() for ARP packet
labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
rather than using a generic link layer entry point.
- Remove previous generic link layer entry point,
mac_mbuf_create_linklayer() as it is no longer used.
- Add implementations of new entry points to various policies, largely
by replicating the existing link layer entry point for them; remove
old link layer entry point implementation.
- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
to the MAC Framework rather than static to mac_net.c as it is now
needed outside of mac_net.c.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_atalk.c | 66 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 9 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_inet6.c | 64 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 26 |
7 files changed, 188 insertions, 23 deletions
diff --git a/sys/security/mac/mac_atalk.c b/sys/security/mac/mac_atalk.c
new file mode 100644
index 0000000..0992ee5
--- /dev/null
+++ b/sys/security/mac/mac_atalk.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 80b8b33..5605a66 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
@@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
 int mac_kld_check_stat(struct ucred *cred);
 void mac_mbuf_copy(struct mbuf *, struct mbuf *);
-void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
 void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp, struct mbuf *mnew);
 void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
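Review bot: mac_netatalk_aarp_send() has no comment saying what it labels or which lock protects the `ifp->if_label` it hands to policies, and its include list reads as copied from mac_inet.c rather than trimmed to this one function: <sys/mount.h>, <sys/file.h>, <sys/namei.h>, <sys/sbuf.h> and <sys/sysctl.h> are not referenced by anything in the new file. A header comment such as `/* Label an outgoing AARP packet for ifp; ifp->if_label is read under mac_ifnet_mtx so the policy hook may consult it. */` would tell a policy author what ifplabel means when mpo_netatalk_aarp_send runs. The same applies to the new mac_inet6.c, which duplicates the include list; whether the extra headers are kept for opt_mac.h-driven code elsewhere I cannot tell from the hunk.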
@@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
 void mac_mount_destroy(struct mount *);
 void mac_mount_init(struct mount *);
+void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
+
+void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
 void mac_netinet_firewall_send(struct mbuf *m);
 void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
 void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
 void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
+
 int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data);
 int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index ae160a5..22c134f 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
 * Copyright (c) 2006 SPARTA, Inc.
@@ -222,6 +222,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
 }
 void
+mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
 mac_netinet_icmp_reply(struct mbuf *m)
 {
 struct label *label;
@@ -232,6 +244,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
 }
 void
+mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
 mac_netinet_tcp_reply(struct mbuf *m)
 {
 struct label *label;
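Review bot: mac_netinet_arp_send() and mac_netinet_igmp_send() in the mac_inet.c hunks are undocumented, and since they are otherwise identical to each other and to the removed mac_mbuf_create_linklayer() the reader has nothing to say why the ifnet mutex is held across the hook. A one-line comment on each, e.g. `/* Label a freshly built ARP packet; ifp->if_label is read under mac_ifnet_mtx. */` (and the IGMP counterpart), would record the contract the policy hooks are written against. The MAC_PERFORM macro is keyed on the hook name, so I would not suggest folding the two bodies into a helper.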
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
new file mode 100644
index 0000000..65a93e1
--- /dev/null
+++ b/sys/security/mac/mac_inet6.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
+}
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 2cdc006..2ed3dfb 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int mac_labelmbufs;
 #endif
+extern struct mtx mac_ifnet_mtx;
 /*
 * MAC Framework infrastructure functions.
@@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
 int mac_check_structmac_consistent(struct mac *mac);
 int mac_allocate_slot(void);
+#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
+#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
+
 /*
 * MAC Framework per-object type functions. It's not yet clear how the
 * namespaces, etc, should work for these, so for now, sort by object type.
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 5d8aea1..af05875 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
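Review bot: mac_netinet6_nd6_send() reads `ifp->if_label` and runs the policy hooks without MAC_IFNET_LOCK()/MAC_IFNET_UNLOCK(), whereas the otherwise identical mac_netatalk_aarp_send(), mac_netinet_arp_send() and mac_netinet_igmp_send() added by this same commit all bracket their MAC_PERFORM with the lock. The comment kept in mac_net.c describes mac_ifnet_mtx as the framework's own global mutex for struct ifnet, so the ND6 path as written is the one hook that hands policies an interface label outside it. Add `MAC_IFNET_LOCK(ifp);` before and `MAC_IFNET_UNLOCK(ifp);` after the `MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);` line; if the omission is deliberate because some caller already holds the mutex, a comment on the function saying so would spare the next reader the same question.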
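Review bot: The MAC_IFNET_LOCK(ifp)/MAC_IFNET_UNLOCK(ifp) macros moved into mac_internal.h arrive without the rationale that precedes mac_ifnet_mtx in mac_net.c, and a reader of the header cannot see that the ifp argument is ignored because the mutex is global. Suggest a short comment above the two #defines, e.g. `/* Global mutex covering struct ifnet labels (see mac_net.c); ifp is accepted but unused, presumably so callers need not change if per-interface locking arrives. */`. The mac_net.c hunk on the following line keeps the longer explanation, so a pointer to it is enough.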
@@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$");
 * our own global mutex for struct ifnet. Non-ideal, but should help in the
 * SMP environment.
 */
-static struct mtx mac_ifnet_mtx;
+struct mtx mac_ifnet_mtx;
 MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
-#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
-#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
 /*
 * Retrieve the label associated with an mbuf by searching for the tag.
@@ -310,18 +308,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
 }
 void
-mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m)
-{
- struct label *label;
-
- label = mac_mbuf_to_label(m);
-
- MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label);
- MAC_IFNET_UNLOCK(ifp);
-}
-
-void
 mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8dbe9ea..7b606b5 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
@@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
 typedef void (*mpo_mbuf_copy_label_t)(struct label *src, struct label *dest);
-typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp,
- struct label *ifplabel, struct mbuf *m,
- struct label *mlabel);
 typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
@@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
 typedef void (*mpo_mount_destroy_label_t)(struct label *label);
 typedef void (*mpo_mount_init_label_t)(struct label *label);
+typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
+typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
 typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m, struct label *mlabel);
 typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
@@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
 struct label *fraglabel);
 typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m, struct label *mlabel);
+typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
 typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m, struct label *mlabel);
+typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
 typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void *data);
@@ -678,7 +689,6 @@ struct mac_policy_ops {
 mpo_kld_check_stat_t mpo_kld_check_stat;
 mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
- mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;
 mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
 mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
 mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
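Review bot: The four new hook typedefs (mpo_netatalk_aarp_send_t, mpo_netinet_arp_send_t, mpo_netinet_igmp_send_t, mpo_netinet6_nd6_send_t) each take an `ifplabel`, but nothing in the header records under which lock a policy may read it, and the entry points in this commit do not all agree (the aarp/arp/igmp ones hold mac_ifnet_mtx across the call, the nd6 one as committed does not). Once the entry points are made uniform, a one-line comment above the group such as `/* ifplabel is the sending interface's label; the framework holds mac_ifnet_mtx for the duration of the call. */` would give policy authors a contract to write against. The mirrored struct members in the @@ -689 hunk on the next line need no comment of their own.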
@@ -689,11 +699,17 @@ struct mac_policy_ops {
 mpo_mount_destroy_label_t mpo_mount_destroy_label;
 mpo_mount_init_label_t mpo_mount_init_label;
+ mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
+
+ mpo_netinet_arp_send_t mpo_netinet_arp_send;
 mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
 mpo_netinet_fragment_t mpo_netinet_fragment;
 mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
 mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
+ mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
+
 mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
 mpo_pipe_check_poll_t mpo_pipe_check_poll;
 mpo_pipe_check_read_t mpo_pipe_check_read; |