Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on

network interfaces.  This global mutex will protect all ifnet labels.
Acquire the mutex across various MAC activities on interfaces, such
as security checks, propagating interface labels to mbufs generated
from the interface, retrieving and setting the interface label.

Introduce mpo_copy_ifnet_label MAC policy entry point to copy the
value of an interface label from one label to another.  Use this
to avoid performing a label externalize while holding mac_ifnet_mtx;
copy the label to a temporary ifnet label and then externalize that.

Implement mpo_copy_ifnet_label for various MAC policies that
implement interface labeling using generic label copying routines.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research

1 files changed, 1 insertions, 0 deletions

diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 9d4ef7b..5e5d569 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -2643,6 +2643,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
 	.mpo_copy_cred_label = mac_lomac_copy_label,
+	.mpo_copy_ifnet_label = mac_lomac_copy_label,
 	.mpo_copy_mbuf_label = mac_lomac_copy_label,
 	.mpo_copy_pipe_label = mac_lomac_copy_label,
 	.mpo_copy_socket_label = mac_lomac_copy_label,