authorrwatson <rwatson@FreeBSD.org>2007-10-28 15:55:23 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-28 15:55:23 +0000
commit2bca3d4001f67728691cf776e9d18d9c59c19365 (patch)
tree6903d27f86e038a8c03b0705e717026eb4846831 /sys/security/mac
parent5b4c0a83ffe5155893733797736e14c3b44f759a (diff)
Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework: - Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point. - Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point. - Add explicit entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point. - Remove previous generic link layer entry point, mac_mbuf_create_linklayer() as it is no longer used. - Add implementations of new entry points to various policies, largely by replicating the existing link layer entry point for them; remove old link layer entry point implementation. - Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c as it is now needed outside of mac_net.c. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_atalk.c66
-rw-r--r--sys/security/mac/mac_framework.h9
-rw-r--r--sys/security/mac/mac_inet.c26
-rw-r--r--sys/security/mac/mac_inet6.c64
-rw-r--r--sys/security/mac/mac_internal.h4
-rw-r--r--sys/security/mac/mac_net.c16
-rw-r--r--sys/security/mac/mac_policy.h26
7 files changed, 188 insertions, 23 deletions
diff --git a/sys/security/mac/mac_atalk.c b/sys/security/mac/mac_atalk.c
new file mode 100644
index 0000000..0992ee5
--- /dev/null
+++ b/sys/security/mac/mac_atalk.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
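Review bot: The include list in the new mac_atalk.c (sys/mount.h, sys/file.h, sys/namei.h, sys/sbuf.h, sys/sysctl.h, sys/protosw.h, sys/socket.h, sys/socketvar.h) looks carried over from a larger MAC source file; the single function defined here uses only `MAC_IFNET_LOCK`/`MAC_IFNET_UNLOCK` (sys/lock.h, sys/mutex.h), `ifp->if_label` (net/if.h, net/if_var.h) and the three security/mac headers. Assuming mac_internal.h and mac_policy.h do not depend on those VFS and socket headers being included first, which I cannot see from here, pruning them keeps the new unit's dependencies honest. The same list is repeated verbatim in the new mac_inet6.c, so both files would take the same trim.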
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 80b8b33..5605a66 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
-void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
@@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_mount_destroy(struct mount *);
void mac_mount_init(struct mount *);
+void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
+
+void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
+
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
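Review bot: The new prototypes `mac_netatalk_aarp_send`, `mac_netinet_arp_send`, `mac_netinet_igmp_send` and `mac_netinet6_nd6_send` carry no locking contract, yet three of them (per the mac_atalk.c and mac_inet.c hunks) acquire the framework's global `mac_ifnet_mtx` internally, so a caller in the protocol stack must not already hold it. A one-line comment above the group would make that visible where callers look: `/* Label an outgoing link-layer control packet; acquires mac_ifnet_mtx internally, so the caller must not hold it. */`. The `mac_netinet6_nd6_send` definition in this commit does not take the lock, so whichever behaviour is intended, the comment should end up true for all four.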
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index ae160a5..22c134f 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@@ -222,6 +222,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
}
void
+mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
mac_netinet_icmp_reply(struct mbuf *m)
{
struct label *label;
@@ -232,6 +244,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
}
void
+mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
mac_netinet_tcp_reply(struct mbuf *m)
{
struct label *label;
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
new file mode 100644
index 0000000..65a93e1
--- /dev/null
+++ b/sys/security/mac/mac_inet6.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
+}
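Review bot: `mac_netinet6_nd6_send` calls `MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel)` without taking `MAC_IFNET_LOCK(ifp)` first, whereas the sibling entry points added in this commit (`mac_netatalk_aarp_send`, `mac_netinet_arp_send`, `mac_netinet_igmp_send`) and the `mac_mbuf_create_linklayer` they replace all bracket the same call with `MAC_IFNET_LOCK`/`MAC_IFNET_UNLOCK`. The mac_net.c comment describes `mac_ifnet_mtx` as the framework's own mutex for struct ifnet, so handing `ifp->if_label` to policies here without it lets ND6 labeling run concurrently with whatever else the framework serializes under that lock; I cannot see the policy side, but nothing in this hunk suggests the omission is intentional. The fix is to match the other three: `MAC_IFNET_LOCK(ifp);` / `MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);` / `MAC_IFNET_UNLOCK(ifp);`.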
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 2cdc006..2ed3dfb 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
#endif
+extern struct mtx mac_ifnet_mtx;
/*
* MAC Framework infrastructure functions.
@@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
int mac_allocate_slot(void);
+#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
+#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
+
/*
* MAC Framework per-object type functions. It's not yet clear how the
* namespaces, etc, should work for these, so for now, sort by object type.
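Review bot: `MAC_IFNET_LOCK(ifp)` and `MAC_IFNET_UNLOCK(ifp)` are now visible to every MAC source file, but they discard the `ifp` argument and lock the one global `mac_ifnet_mtx`, and the header says nothing about what the lock protects or that it must not be held on entry. I would add above the macros, in the file's comment style: `/* Serializes access to ifp->if_label. One global mutex; the ifp argument is ignored. Callers must not hold it when entering the mac_*_send entry points, which acquire it. */`. In mac_net.c the mutex is initialized `MTX_DEF` with no recursion flag, so re-entry from a caller already holding it is not safe, which is the main reason to spell the contract out now that the macros leave mac_net.c.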
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 5d8aea1..af05875 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$");
* our own global mutex for struct ifnet. Non-ideal, but should help in the
* SMP environment.
*/
-static struct mtx mac_ifnet_mtx;
+struct mtx mac_ifnet_mtx;
MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
-#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
-#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
/*
* Retrieve the label associated with an mbuf by searching for the tag.
@@ -310,18 +308,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
}
void
-mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m)
-{
- struct label *label;
-
- label = mac_mbuf_to_label(m);
-
- MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label);
- MAC_IFNET_UNLOCK(ifp);
-}
-
-void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8dbe9ea..7b606b5 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp,
- struct label *ifplabel, struct mbuf *m,
- struct label *mlabel);
typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
@@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
typedef void (*mpo_mount_destroy_label_t)(struct label *label);
typedef void (*mpo_mount_init_label_t)(struct label *label);
+typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
+typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
@@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *fraglabel);
typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
struct label *mlabel);
+typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
struct label *mlabel);
+typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
@@ -678,7 +689,6 @@ struct mac_policy_ops {
mpo_kld_check_stat_t mpo_kld_check_stat;
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
- mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;
mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
@@ -689,11 +699,17 @@ struct mac_policy_ops {
mpo_mount_destroy_label_t mpo_mount_destroy_label;
mpo_mount_init_label_t mpo_mount_init_label;
+ mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
+
+ mpo_netinet_arp_send_t mpo_netinet_arp_send;
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
mpo_netinet_fragment_t mpo_netinet_fragment;
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
+ mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
+
mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
mpo_pipe_check_poll_t mpo_pipe_check_poll;
mpo_pipe_check_read_t mpo_pipe_check_read;
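Review bot: Removing `mpo_mbuf_create_linklayer` from the middle of `struct mac_policy_ops` and inserting four new members shifts the offset of every function pointer that follows, so a policy module built against the previous header would have its later entry points dispatched through the wrong slots; for a MAC policy that means checks silently misapplied or skipped rather than a clean failure. Nothing in this diff bumps a policy ABI or version constant; if the framework has one (the registration code is not visible here), it should be bumped so stale modules are refused at load, and the commit message should call out the ABI break. In-tree policies are updated per the commit message, so this only affects out-of-tree or stale binary modules, but those are exactly the ones nobody rebuilds.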