author | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:14:33 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:14:33 +0000 |
commit | c77864165e31d8da2807ab97b6846c4f9fc4950a (patch) | |
tree | b844b49144c6b66117ec6da6934ec75fdb9cab61 /sys/security | |
parent | f30462f07d120659ae673b3b6fb145d8d60bed15 (diff) | |
Document that we could allocate the mbuf label as part of the tag rather
than from the slab, but don't.
Document mac_mbuf_to_label(), mac_copy_mbuf_tag().
Clean up white space/wrapping for other comments.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_net.c | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 11cb92d..374b3cd 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -66,8 +66,8 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_internal.h>
 
 /*
- * mac_enforce_network is used by IPv4 and IPv6 checks, and so must
- * be non-static for now.
+ * mac_enforce_network is used by IPv4 and IPv6 checks, and so must be
+ * non-static for now.
  */
 int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
@@ -75,15 +75,29 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 
 /*
- * XXXRW: struct ifnet locking is incomplete in the network code, so we
- * use our own global mutex for struct ifnet. Non-ideal, but should help
- * in the SMP environment.
+ * XXXRW: struct ifnet locking is incomplete in the network code, so we use
+ * our own global mutex for struct ifnet. Non-ideal, but should help in the
+ * SMP environment.
  */
 static struct mtx mac_ifnet_mtx;
 MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
 #define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
 #define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
 
+/*
+ * XXXRW: In order to use the MAC label UMA zone for all label allocations,
+ * we simply store a pointer to a UMA-allocated label in the mbuf tag. This
+ * is inefficient and should likely change to using a label embedded in the
+ * tag.
+ */
+
+/*
+ * Retrieve the label associated with an mbuf by searching for the tag.
+ * Depending on the value of mac_labelmbufs, it's possible that a label will
+ * not be present, in which case NULL is returned. Policies must handle the
+ * possibility of an mbuf not having label storage if they do not enforce
+ * early loading.
+ */
 struct label *
 mac_mbuf_to_label(struct mbuf *mbuf)
 {
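Review bot: The first new comment block in the second hunk says a pointer to a UMA-allocated label is stored in the mbuf tag, yet the context line `dest_label = (struct label *)(dest+1);` in the later mac_copy_mbuf_tag hunk treats the label as living inline immediately after the m_tag header, and the new mac_mbuf_to_label comment says the label is found "by searching for the tag" without mentioning a second indirection. One of the two descriptions is presumably stale; confirm against mac_init_mbuf_tag (not in this diff) and reword the XXXRW note so it states what the tag actually holds today, e.g. `* we store the struct label inline in the mbuf tag; only the per-policy slots it contains point at UMA-allocated data` if that is the case. The mac_mbuf_to_label body begins at the hunk's last line and continues outside it, so the NULL-return contract the comment documents cannot be checked here; since the comment makes that contract explicit, callers that dereference the result without a NULL check are now clearly in the wrong, which is worth a follow-up audit.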
@@ -222,6 +236,10 @@ mac_destroy_mbuf_tag(struct m_tag *tag)
 	mac_destroy_label(label);
 }
 
+/*
+ * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
+ * case the labels must also be duplicated.
+ */
 void
 mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
 {
@@ -231,8 +249,8 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
 	dest_label = (struct label *)(dest+1);
 
 	/*
-	 * mac_init_mbuf_tag() is called on the target tag in
-	 * m_tag_copy(), so we don't need to call it here.
+	 * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
+	 * so we don't need to call it here.
 	 */
 	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
 }
@@ -472,7 +490,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
 
 	/*
 	 * XXX: Note that this is a redundant privilege check, since policies
-	 * impose this check themselves if required by the policy.
+	 * impose this check themselves if required by the policy
 	 * Eventually, this should go away.
 	 */
 	error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
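Review bot: The last hunk, in mac_ioctl_ifnet_set, drops the full stop at the end of the rewritten comment line, so the new side reads "...if required by the policy Eventually, this should go away." as a run-on; restore it as `* impose this check themselves if required by the policy.`. Since the commit is otherwise a whitespace and wording cleanup, this looks like an accidental deletion rather than an intended edit. While touching that comment, it would also help a reader to say which side currently relies on the check: the `priv_check_cred(cred, PRIV_NET_SETIFMAC, 0)` call below it is the only enforcement point visible here, so "redundant" holds only as long as every loaded policy performs its own privilege check, a dependency the comment could state before anyone acts on "this should go away". mac_ioctl_ifnet_set begins and ends outside the hunk.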