diff options
author | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
commit | 369fd04f480478bfb9d2cb1566ec0189185a020e (patch) | |
tree | 538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac_biba/mac_biba.c | |
parent | 6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff) | |
download | FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.zip FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.tar.gz |
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 39 |
1 files changed, 26 insertions, 13 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index d96c4e1..5702c01 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1304,18 +1304,6 @@ biba_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, biba_copy_effective(source, dest); } -static void -biba_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, - struct mbuf *newm, struct label *mnewlabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(mlabel); - dest = SLOT(mnewlabel); - - biba_copy_effective(source, dest); -} - static int biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) @@ -1383,6 +1371,18 @@ biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, } static void +biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel, + struct mbuf *msend, struct label *msendlabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(mrecvlabel); + dest = SLOT(msendlabel); + + biba_copy_effective(source, dest); +} + +static void biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) { struct mac_biba *dest; @@ -1394,6 +1394,18 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) } static void +biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, + struct mbuf *msend, struct label *msendlabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(mrecvlabel); + dest = SLOT(msendlabel); + + biba_copy_effective(source, dest); +} + +static void biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { @@ -3356,7 +3368,6 @@ static struct mac_policy_ops mac_biba_ops = .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap, - .mpo_mbuf_create_netlayer = biba_mbuf_create_netlayer, .mpo_ipq_match = biba_ipq_match, .mpo_ifnet_relabel = biba_ifnet_relabel, .mpo_ipq_update = biba_ipq_update, @@ -3446,7 +3457,9 @@ static struct mac_policy_ops mac_biba_ops = .mpo_vnode_check_write = biba_vnode_check_write, .mpo_netatalk_aarp_send = biba_netatalk_aarp_send, .mpo_netinet_arp_send = biba_netinet_arp_send, + .mpo_netinet_firewall_reply = biba_netinet_firewall_reply, .mpo_netinet_firewall_send = biba_netinet_firewall_send, + .mpo_netinet_icmp_reply = biba_netinet_icmp_reply, .mpo_netinet_igmp_send = biba_netinet_igmp_send, .mpo_netinet6_nd6_send = biba_netinet6_nd6_send, .mpo_priv_check = biba_priv_check, |