authorrwatson <rwatson@FreeBSD.org>2007-10-28 15:55:23 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-28 15:55:23 +0000
commit2bca3d4001f67728691cf776e9d18d9c59c19365 (patch)
tree6903d27f86e038a8c03b0705e717026eb4846831 /sys/security
parent5b4c0a83ffe5155893733797736e14c3b44f759a (diff)
Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework: - Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point. - Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point. - Add explicit entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point. - Remove previous generic link layer entry point, mac_mbuf_create_linklayer() as it is no longer used. - Add implementations of new entry points to various policies, largely by replicating the existing link layer entry point for them; remove old link layer entry point implementation. - Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c as it is now needed outside of mac_net.c. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_atalk.c66
-rw-r--r--sys/security/mac/mac_framework.h9
-rw-r--r--sys/security/mac/mac_inet.c26
-rw-r--r--sys/security/mac/mac_inet6.c64
-rw-r--r--sys/security/mac/mac_internal.h4
-rw-r--r--sys/security/mac/mac_net.c16
-rw-r--r--sys/security/mac/mac_policy.h26
-rw-r--r--sys/security/mac_biba/mac_biba.c60
-rw-r--r--sys/security/mac_lomac/mac_lomac.c63
-rw-r--r--sys/security/mac_mls/mac_mls.c62
-rw-r--r--sys/security/mac_stub/mac_stub.c40
-rw-r--r--sys/security/mac_test/mac_test.c60
12 files changed, 414 insertions, 82 deletions
diff --git a/sys/security/mac/mac_atalk.c b/sys/security/mac/mac_atalk.c
new file mode 100644
index 0000000..0992ee5
--- /dev/null
+++ b/sys/security/mac/mac_atalk.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
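Review bot: mac_netatalk_aarp_send at the end of the hunk has no comment naming the labeling event or why the policy hooks run under mac_ifnet_mtx; the only explanation of that mutex is a comment in mac_net.c, which a reader of this new file never sees. Suggest a header comment above the function such as `/* Label an outgoing AARP packet on ifp; hold mac_ifnet_mtx while policies read ifp->if_label. */`. The include list (sys/mount.h, sys/file.h, sys/namei.h, sys/sbuf.h, sys/sysctl.h, sys/protosw.h, sys/socket.h, sys/socketvar.h) looks copied from a larger MAC source file and nothing in this translation unit references those subsystems, so it could presumably be trimmed to the param/systm/lock/mutex and net/if headers the function needs, subject to a build check of what mac_internal.h and mac_policy.h require first. The same two observations apply to the new mac_inet6.c.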
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 80b8b33..5605a66 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
-void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
@@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_mount_destroy(struct mount *);
void mac_mount_init(struct mount *);
+void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
+
+void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
+
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index ae160a5..22c134f 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@@ -222,6 +222,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
}
void
+mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
mac_netinet_icmp_reply(struct mbuf *m)
{
struct label *label;
@@ -232,6 +244,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
}
void
+mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
mac_netinet_tcp_reply(struct mbuf *m)
{
struct label *label;
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
new file mode 100644
index 0000000..65a93e1
--- /dev/null
+++ b/sys/security/mac/mac_inet6.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2007 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
+}
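Review bot: mac_netinet6_nd6_send at the bottom of the hunk reads ifp->if_label and runs the policy hooks without MAC_IFNET_LOCK(ifp), whereas the parallel mac_netatalk_aarp_send, mac_netinet_arp_send and mac_netinet_igmp_send added by this commit, and the mac_mbuf_create_linklayer they replace, all bracket MAC_PERFORM with the lock/unlock pair. Presumably mac_ifnet_mtx is what serializes ifnet relabeling against these readers (the mac_net.c comment calls it "our own global mutex for struct ifnet"), so the ND6 path can hand a policy an interface label that is mid-update. Add `MAC_IFNET_LOCK(ifp);` before and `MAC_IFNET_UNLOCK(ifp);` after the `MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);` line; mac_internal.h, already included here, now exports both macros.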
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 2cdc006..2ed3dfb 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
#endif
+extern struct mtx mac_ifnet_mtx;
/*
* MAC Framework infrastructure functions.
@@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
int mac_allocate_slot(void);
+#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
+#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
+
/*
* MAC Framework per-object type functions. It's not yet clear how the
* namespaces, etc, should work for these, so for now, sort by object type.
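Review bot: MAC_IFNET_LOCK(ifp) and MAC_IFNET_UNLOCK(ifp) are now visible to every MAC source file, yet they discard the ifp argument and lock the single global mac_ifnet_mtx, and the only text explaining that stays in a comment in mac_net.c. A reader of mac_inet.c or mac_atalk.c will reasonably assume per-interface locking and may reason about lock ordering incorrectly. Suggest a comment above the two defines: `/* A single global mutex protects all ifnet labels; the ifp argument is currently ignored (presumably kept so callers need not change if per-ifnet locking is introduced). */`.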
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 5d8aea1..af05875 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$");
* our own global mutex for struct ifnet. Non-ideal, but should help in the
* SMP environment.
*/
-static struct mtx mac_ifnet_mtx;
+struct mtx mac_ifnet_mtx;
MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
-#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
-#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
/*
* Retrieve the label associated with an mbuf by searching for the tag.
@@ -310,18 +308,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
}
void
-mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m)
-{
- struct label *label;
-
- label = mac_mbuf_to_label(m);
-
- MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label);
- MAC_IFNET_UNLOCK(ifp);
-}
-
-void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8dbe9ea..7b606b5 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp,
- struct label *ifplabel, struct mbuf *m,
- struct label *mlabel);
typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
@@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
typedef void (*mpo_mount_destroy_label_t)(struct label *label);
typedef void (*mpo_mount_init_label_t)(struct label *label);
+typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
+typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
@@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *fraglabel);
typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
struct label *mlabel);
+typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
struct label *mlabel);
+typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+
typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
@@ -678,7 +689,6 @@ struct mac_policy_ops {
mpo_kld_check_stat_t mpo_kld_check_stat;
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
- mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;
mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
@@ -689,11 +699,17 @@ struct mac_policy_ops {
mpo_mount_destroy_label_t mpo_mount_destroy_label;
mpo_mount_init_label_t mpo_mount_init_label;
+ mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
+
+ mpo_netinet_arp_send_t mpo_netinet_arp_send;
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
mpo_netinet_fragment_t mpo_netinet_fragment;
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
+ mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
+
mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
mpo_pipe_check_poll_t mpo_pipe_check_poll;
mpo_pipe_check_read_t mpo_pipe_check_read;
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index fc2baa9..d96c4e1 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1268,17 +1268,6 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
}
static void
-biba_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
- struct mbuf *m, struct label *mlabel)
-{
- struct mac_biba *dest;
-
- dest = SLOT(mlabel);
-
- biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
-}
-
-static void
biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
@@ -1372,6 +1361,28 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
+biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(mlabel);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(mlabel);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
+static void
biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
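Review bot: biba_netatalk_aarp_send and biba_netinet_arp_send (and biba_netinet_igmp_send and biba_netinet6_nd6_send in the next hunk) unconditionally set the outgoing packet's label to MAC_BIBA_TYPE_EQUAL while accepting and ignoring ifp and ifplabel, and nothing says why link-layer control traffic is not given the interface's integrity label. The removed mbuf_create_linklayer hook had the same gap, but now there are four copies to wonder about, so a comment is worth more; something like `/* Control packets (ARP/AARP/IGMP/ND6) originate in the stack, not from a labeled subject; label them EQUAL rather than from ifplabel -- presumably so they are deliverable regardless of ifnet level, confirm. */` above each body, or one `static void biba_mbuf_set_equal(struct label *mlabel)` helper that the four hooks call so the rationale lives in one place. The same applies to the four copies in mac_lomac.c (lomac_set_single with MAC_LOMAC_TYPE_EQUAL) and mac_mls.c (mls_set_effective with MAC_MLS_TYPE_EQUAL).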
@@ -1382,6 +1393,28 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
+static void
+biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(mlabel);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(mlabel);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
/*
* Labeling event operations: processes.
*/
@@ -3320,7 +3353,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_sysvshm_create = biba_sysvshm_create,
.mpo_ipq_create = biba_ipq_create,
.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
- .mpo_mbuf_create_linklayer = biba_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap,
@@ -3412,7 +3444,11 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_check_stat = biba_vnode_check_stat,
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
.mpo_vnode_check_write = biba_vnode_check_write,
+ .mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
+ .mpo_netinet_arp_send = biba_netinet_arp_send,
.mpo_netinet_firewall_send = biba_netinet_firewall_send,
+ .mpo_netinet_igmp_send = biba_netinet_igmp_send,
+ .mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
.mpo_priv_check = biba_priv_check,
};
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 8eb2067..d670d19 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1332,17 +1332,6 @@ lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
}
static void
-lomac_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
- struct mbuf *m, struct label *mlabel)
-{
- struct mac_lomac *dest;
-
- dest = SLOT(mlabel);
-
- lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
-}
-
-static void
lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
@@ -1457,6 +1446,28 @@ lomac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
}
static void
+lomac_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(mlabel);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
+static void
+lomac_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(mlabel);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
+static void
lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
@@ -1467,6 +1478,28 @@ lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
+static void
+lomac_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(mlabel);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
+static void
+lomac_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(mlabel);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
/*
* Labeling event operations: processes.
*/
@@ -2878,7 +2911,6 @@ static struct mac_policy_ops lomac_ops =
.mpo_inpcb_create = lomac_inpcb_create,
.mpo_ipq_create = lomac_ipq_create,
.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
- .mpo_mbuf_create_linklayer = lomac_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = lomac_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = lomac_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = lomac_mbuf_create_multicast_encap,
@@ -2936,10 +2968,13 @@ static struct mac_policy_ops lomac_ops =
.mpo_vnode_check_unlink = lomac_vnode_check_unlink,
.mpo_vnode_check_write = lomac_vnode_check_write,
.mpo_thread_userret = lomac_thread_userret,
+ .mpo_netatalk_aarp_send = lomac_netatalk_aarp_send,
+ .mpo_netinet_arp_send = lomac_netinet_arp_send,
.mpo_netinet_firewall_send = lomac_netinet_firewall_send,
+ .mpo_netinet_igmp_send = lomac_netinet_igmp_send,
+ .mpo_netinet6_nd6_send = lomac_netinet6_nd6_send,
.mpo_priv_check = lomac_priv_check,
};
MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
- MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS,
- &lomac_slot);
+ MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &lomac_slot);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index ce7fae9..46deacf 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
@@ -1190,17 +1190,6 @@ mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
}
static void
-mls_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
- struct mbuf *m, struct label *mlabel)
-{
- struct mac_mls *dest;
-
- dest = SLOT(mlabel);
-
- mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
-}
-
-static void
mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
@@ -1294,6 +1283,28 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
+mls_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(mlabel);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(mlabel);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
@@ -1305,6 +1316,28 @@ mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
}
static void
+mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(mlabel);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+mls_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(mlabel);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
mls_syncache_create(struct label *label, struct inpcb *inp)
{
struct mac_mls *source, *dest;
@@ -2947,7 +2980,6 @@ static struct mac_policy_ops mls_ops =
.mpo_sysvsem_create = mls_sysvsem_create,
.mpo_sysvshm_create = mls_sysvshm_create,
.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
- .mpo_mbuf_create_linklayer = mls_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
@@ -3035,7 +3067,11 @@ static struct mac_policy_ops mls_ops =
.mpo_vnode_check_stat = mls_vnode_check_stat,
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
.mpo_vnode_check_write = mls_vnode_check_write,
+ .mpo_netatalk_aarp_send = mls_netatalk_aarp_send,
+ .mpo_netinet_arp_send = mls_netinet_arp_send,
.mpo_netinet_firewall_send = mls_netinet_firewall_send,
+ .mpo_netinet_igmp_send = mls_netinet_igmp_send,
+ .mpo_netinet6_nd6_send = mls_netinet6_nd6_send,
};
MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 6c3ac33..71c175b 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -405,13 +405,6 @@ stub_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
}
static void
-stub_mbuf_create_linklayer(struct ifnet *ifp, struct label *iflpabel,
- struct mbuf *m, struct label *mlabel)
-{
-
-}
-
-static void
stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
@@ -441,11 +434,39 @@ stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
}
static void
+stub_netatalk_aarp_send(struct ifnet *ifp, struct label *iflpabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
+stub_netinet_arp_send(struct ifnet *ifp, struct label *iflpabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
stub_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
{
}
+static void
+stub_netinet_igmp_send(struct ifnet *ifp, struct label *iflpabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
+stub_netinet6_nd6_send(struct ifnet *ifp, struct label *iflpabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
static int
stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
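Review bot: All four new stub hooks (stub_netatalk_aarp_send, stub_netinet_arp_send, stub_netinet_igmp_send, stub_netinet6_nd6_send) name their second parameter `iflpabel`, a typo carried over from the removed stub_mbuf_create_linklayer; the typedefs in mac_policy.h and every other policy use `ifplabel`. Rename it to `struct label *ifplabel` in each signature so the stub matches the documented prototype and grep for the parameter name works across policies.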
@@ -1521,12 +1542,15 @@ static struct mac_policy_ops stub_ops =
.mpo_ipq_reassemble = stub_ipq_reassemble,
.mpo_netinet_fragment = stub_netinet_fragment,
.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
- .mpo_mbuf_create_linklayer = stub_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
.mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
+ .mpo_netatalk_aarp_send = stub_netatalk_aarp_send,
+ .mpo_netinet_arp_send = stub_netinet_arp_send,
.mpo_netinet_firewall_send = stub_netinet_firewall_send,
+ .mpo_netinet_igmp_send = stub_netinet_igmp_send,
+ .mpo_netinet6_nd6_send = stub_netinet6_nd6_send,
.mpo_ipq_match = stub_ipq_match,
.mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
.mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 6c88010..69b5c27 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1015,17 +1015,6 @@ test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
COUNTER_INC(inpcb_create_mbuf);
}
-COUNTER_DECL(mbuf_create_linklayer);
-static void
-test_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel,
- struct mbuf *mbuf, struct label *mbuflabel)
-{
-
- LABEL_CHECK(ifplabel, MAGIC_IFNET);
- LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(mbuf_create_linklayer);
-}
-
COUNTER_DECL(bpfdesc_create_mbuf);
static void
test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel,
@@ -1086,6 +1075,28 @@ test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
return (1);
}
+COUNTER_DECL(netatalk_aarp_send);
+static void
+test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ LABEL_CHECK(ifplabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(netatalk_aarp_send);
+}
+
+COUNTER_DECL(netinet_arp_send);
+static void
+test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ LABEL_CHECK(ifplabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(netinet_arp_send);
+}
+
COUNTER_DECL(netinet_icmp_reply);
static void
test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
@@ -1095,6 +1106,17 @@ test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
COUNTER_INC(netinet_icmp_reply);
}
+COUNTER_DECL(netinet_igmp_send);
+static void
+test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ LABEL_CHECK(ifplabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(netinet_igmp_send);
+}
+
COUNTER_DECL(netinet_tcp_reply);
static void
test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
@@ -1104,6 +1126,17 @@ test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
COUNTER_INC(netinet_tcp_reply);
}
+COUNTER_DECL(netinet6_nd6_send);
+static void
+test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ LABEL_CHECK(ifplabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(netinet6_nd6_send);
+}
+
COUNTER_DECL(ifnet_relabel);
static void
test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
@@ -2686,14 +2719,17 @@ static struct mac_policy_ops test_ops =
.mpo_netinet_fragment = test_netinet_fragment,
.mpo_ipq_create = test_ipq_create,
.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
- .mpo_mbuf_create_linklayer = test_mbuf_create_linklayer,
.mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap = test_mbuf_create_multicast_encap,
.mpo_mbuf_create_netlayer = test_mbuf_create_netlayer,
.mpo_ipq_match = test_ipq_match,
+ .mpo_netatalk_aarp_send = test_netatalk_aarp_send,
+ .mpo_netinet_arp_send = test_netinet_arp_send,
.mpo_netinet_icmp_reply = test_netinet_icmp_reply,
+ .mpo_netinet_igmp_send = test_netinet_igmp_send,
.mpo_netinet_tcp_reply = test_netinet_tcp_reply,
+ .mpo_netinet6_nd6_send = test_netinet6_nd6_send,
.mpo_ifnet_relabel = test_ifnet_relabel,
.mpo_ipq_update = test_ipq_update,
.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,