authorrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-28 17:12:48 +0000
commit369fd04f480478bfb9d2cb1566ec0189185a020e (patch)
tree538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac_biba/mac_biba.c
parent6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff)
downloadFreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.zip
FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.tar.gz
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific entry
points for specific network services:

- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
  segments in pf and ipfw (etc).

- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
  add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
  a label in place, but in others we apply the label to a new mbuf.

Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r--sys/security/mac_biba/mac_biba.c39
1 files changed, 26 insertions, 13 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index d96c4e1..5702c01 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1304,18 +1304,6 @@ biba_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
biba_copy_effective(source, dest);
}
-static void
-biba_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
- struct mbuf *newm, struct label *mnewlabel)
-{
- struct mac_biba *source, *dest;
-
- source = SLOT(mlabel);
- dest = SLOT(mnewlabel);
-
- biba_copy_effective(source, dest);
-}
-
static int
biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
@@ -1383,6 +1371,18 @@ biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
}
static void
+biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
+ struct mbuf *msend, struct label *msendlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(mrecvlabel);
+ dest = SLOT(msendlabel);
+
+ biba_copy_effective(source, dest);
+}
+
+static void
biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
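Review bot: The new `biba_netinet_firewall_reply()` carries no comment explaining why the reply mbuf takes the effective label of the received segment, and `biba_netinet_icmp_reply()` in the next hunk has the same body and the same gap. For an integrity policy this is the decision a later reader needs spelled out, since a kernel-generated reply ends up labelled at the integrity of whatever arrived from the network rather than at a fixed label (the neighbouring `biba_netinet_firewall_send()` declares only `dest`, so it presumably labels without a source). I would add above each function something like `/* Reply inherits the effective label of the mbuf that provoked it; only the effective element is copied. */`, adjusted to the actual intent. Since both bodies also match the removed `biba_mbuf_create_netlayer()`, a shared static helper taking the two labels would keep the copies from drifting if one reply path later needs different labelling.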
@@ -1394,6 +1394,18 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
}
static void
+biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
+ struct mbuf *msend, struct label *msendlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(mrecvlabel);
+ dest = SLOT(msendlabel);
+
+ biba_copy_effective(source, dest);
+}
+
+static void
biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -3356,7 +3368,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap,
- .mpo_mbuf_create_netlayer = biba_mbuf_create_netlayer,
.mpo_ipq_match = biba_ipq_match,
.mpo_ifnet_relabel = biba_ifnet_relabel,
.mpo_ipq_update = biba_ipq_update,
@@ -3446,7 +3457,9 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_check_write = biba_vnode_check_write,
.mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
.mpo_netinet_arp_send = biba_netinet_arp_send,
+ .mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
.mpo_netinet_firewall_send = biba_netinet_firewall_send,
+ .mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
.mpo_netinet_igmp_send = biba_netinet_igmp_send,
.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
.mpo_priv_check = biba_priv_check,