diff options
| author | rwatson <rwatson@FreeBSD.org> | 2008-10-26 22:46:37 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2008-10-26 22:46:37 +0000 |
| commit | 432d006baee145f31cb162ef67acf255de6b4635 (patch) | |
| tree | afc4eb79fc1edd05f0118dd582da3915014ef082 /sys/security/mac_mls/mac_mls.c | |
| parent | 0db6d4519ceacc0d9c0af2e667962f6c0546029e (diff) | |
| download | FreeBSD-src-432d006baee145f31cb162ef67acf255de6b4635.zip FreeBSD-src-432d006baee145f31cb162ef67acf255de6b4635.tar.gz | |
Implement MAC policy support for IPv6 fragment reassembly queues,
modeled on IPv4 fragment reassembly queue support.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_mls/mac_mls.c')
| -rw-r--r-- | sys/security/mac_mls/mac_mls.c | 54 |
1 files changed, 53 insertions, 1 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index af8d276..a8da56b 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. @@ -1088,6 +1088,51 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, } static void +mls_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6, + struct label *q6label) +{ + struct mac_mls *source, *dest; + + source = SLOT(mlabel); + dest = SLOT(q6label); + + mls_copy_effective(source, dest); +} + +static int +mls_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6, + struct label *q6label) +{ + struct mac_mls *a, *b; + + a = SLOT(q6label); + b = SLOT(mlabel); + + return (mls_equal_effective(a, b)); +} + +static void +mls_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m, + struct label *mlabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(q6label); + dest = SLOT(mlabel); + + /* Just use the head, since we require them all to match. */ + mls_copy_effective(source, dest); +} + +static void +mls_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6, + struct label *q6label) +{ + + /* NOOP: we only accept matching labels, so no need to update */ +} + +static void mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q, struct label *qlabel) { @@ -2948,6 +2993,13 @@ static struct mac_policy_ops mls_ops = .mpo_inpcb_init_label = mls_init_label_waitcheck, .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel, + .mpo_ip6q_create = mls_ip6q_create, + .mpo_ip6q_destroy_label = mls_destroy_label, + .mpo_ip6q_init_label = mls_init_label_waitcheck, + .mpo_ip6q_match = mls_ip6q_match, + .mpo_ip6q_reassemble = mls_ip6q_reassemble, + .mpo_ip6q_update = mls_ip6q_update, + .mpo_ipq_create = mls_ipq_create, .mpo_ipq_destroy_label = mls_destroy_label, .mpo_ipq_init_label = mls_init_label_waitcheck, |
