authorrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
commit369fd04f480478bfb9d2cb1566ec0189185a020e (patch)
tree538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac
parent6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff)
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services: - mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc). - Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.h5
-rw-r--r--sys/security/mac/mac_inet.c31
-rw-r--r--sys/security/mac/mac_net.c11
-rw-r--r--sys/security/mac/mac_policy.h14
4 files changed, 41 insertions, 20 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 5605a66..3ea3490 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -154,7 +154,6 @@ int mac_kld_check_stat(struct ucred *cred);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
-void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
int mac_mbuf_init(struct mbuf *, int);
void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
@@ -169,9 +168,11 @@ void mac_mount_init(struct mount *);
void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
+void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
-void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);
+void mac_netinet_icmp_replyinplace(struct mbuf *m);
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 22c134f..6533cf0 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -234,13 +234,25 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
}
void
-mac_netinet_icmp_reply(struct mbuf *m)
+mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend)
+{
+ struct label *mrecvlabel, *msendlabel;
+
+ mrecvlabel = mac_mbuf_to_label(mrecv);
+ msendlabel = mac_mbuf_to_label(msend);
+
+ MAC_PERFORM(netinet_icmp_reply, mrecv, mrecvlabel, msend,
+ msendlabel);
+}
+
+void
+mac_netinet_icmp_replyinplace(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(netinet_icmp_reply, m, label);
+ MAC_PERFORM(netinet_icmp_replyinplace, m, label);
}
void
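Review bot: The new two-mbuf mac_netinet_icmp_reply at the top of the hunk calls mac_mbuf_to_label() on both mrecv and msend without first checking that either carries a packet header, whereas the new mac_netinet_firewall_reply in the next hunk does `M_ASSERTPKTHDR(mrecv); M_ASSERTPKTHDR(msend);` before the same two lookups. If mac_mbuf_to_label() reads the label out of the pkthdr (its use in this file suggests so, but the helper is not visible here), an msend constructed without M_PKTHDR would go unnoticed on an INVARIANTS kernel in this path but be caught in the firewall path, which is an avoidable inconsistency. Adding the same two asserts before the label lookups keeps the two two-mbuf entry points in step. mac_netinet_icmp_replyinplace retains the old single-mbuf body, so the rename itself looks behaviour-preserving.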
@@ -300,6 +312,21 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
}
void
+mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend)
+{
+ struct label *mrecvlabel, *msendlabel;
+
+ M_ASSERTPKTHDR(mrecv);
+ M_ASSERTPKTHDR(msend);
+
+ mrecvlabel = mac_mbuf_to_label(mrecv);
+ msendlabel = mac_mbuf_to_label(msend);
+
+ MAC_PERFORM(netinet_firewall_reply, mrecv, mrecvlabel, msend,
+ msendlabel);
+}
+
+void
mac_netinet_firewall_send(struct mbuf *m)
{
struct label *label;
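Review bot: mac_netinet_firewall_reply is added without any comment stating which mbuf is the label source and which is the target; the parameter names suggest mrecv is the received packet and msend the reply being labelled, but nothing in the hunk says so, and policy authors implementing the matching mpo_netinet_firewall_reply slot need that contract. A short comment above the definition such as `/* Label msend, a reply a firewall (pf, ipfw) is generating in response to received mbuf mrecv; policies may derive msend's label from mrecv's. */` would make it explicit, and the commit message already carries the wording. The two M_ASSERTPKTHDR() checks are a good addition. mac_netinet_firewall_send's body continues outside the hunk.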
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index af05875..c451a29 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -334,17 +334,6 @@ mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
MAC_IFNET_UNLOCK(ifp);
}
-void
-mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew)
-{
- struct label *mlabel, *mnewlabel;
-
- mlabel = mac_mbuf_to_label(m);
- mnewlabel = mac_mbuf_to_label(mnew);
-
- MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel);
-}
-
int
mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 7b606b5..8f26818 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -225,9 +225,6 @@ typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel);
-typedef void (*mpo_mbuf_create_netlayer_t)(struct mbuf *m,
- struct label *mlabel, struct mbuf *mnew,
- struct label *mnewlabel);
typedef void (*mpo_mbuf_destroy_label_t)(struct label *label);
typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag);
@@ -245,12 +242,18 @@ typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
+typedef void (*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
+ struct label *mrecvlabel, struct mbuf *msend,
+ struct label *msendlabel);
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *mlabel, struct mbuf *frag,
struct label *fraglabel);
-typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
+typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
+ struct label *mrecvlabel, struct mbuf *msend,
+ struct label *msendlabel);
+typedef void (*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
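Review bot: The mpo_netinet_icmp_reply_t typedef keeps its name but changes from two arguments (m, mlabel) to four (mrecv, mrecvlabel, msend, msendlabel), while the old two-argument shape lives on under the new name mpo_netinet_icmp_replyinplace_t. A policy module built against the previous header that still registers an old-shape function in the mpo_netinet_icmp_reply slot will be called with the new arguments and, under the usual calling conventions, silently relabel the received mbuf instead of the reply, which is a label-propagation failure rather than a crash; nothing in this hunk bumps a framework version that would reject such a module. Unless the framework's policy-version check (not visible here) already forces a rebuild, it would be safer to give the four-argument entry point a fresh name and leave mpo_netinet_icmp_reply_t with its old signature, or to bump the policy ABI version in the same commit; at minimum a comment on the typedef noting the signature change would warn module authors.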
@@ -690,7 +693,6 @@ struct mac_policy_ops {
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
- mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
mpo_mbuf_init_label_t mpo_mbuf_init_label;
@@ -702,9 +704,11 @@ struct mac_policy_ops {
mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
mpo_netinet_arp_send_t mpo_netinet_arp_send;
+ mpo_netinet_firewall_reply_t mpo_netinet_firewall_reply;
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
mpo_netinet_fragment_t mpo_netinet_fragment;
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_icmp_replyinplace_t mpo_netinet_icmp_replyinplace;
mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;