author | csjp <csjp@FreeBSD.org> | 2006-09-12 04:25:13 +0000 |
---|---|---|
committer | csjp <csjp@FreeBSD.org> | 2006-09-12 04:25:13 +0000 |
commit | 63e89c05d2dd3463fdb87ade28334a74d7c6e6f0 (patch) | |
tree | bfad0bcbfb5566e8fc5f5992840f671a03dba9ea /sys/security | |
parent | c74e70f7a8f39a60078eafdfacb3a154e190b0f8 (diff) | |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with uninitialized mbuf labels
when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch
introduced a number of entry points which were programmatically
equivalent. So I introduced only one. Instead, we should leverage
mac_create_mbuf_netlayer() which is used for similar situations,
an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1]
MFC after: 1 week
This is a RELENG_6 candidate
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 10 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 3 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 12 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 12 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 12 |
6 files changed, 50 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index f1b6fe0..520e767 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -267,6 +267,7 @@ void mac_reflect_mbuf_tcp(struct mbuf *m);
 void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
+void mac_create_mbuf_from_firewall(struct mbuf *m);
 
 /*
  * Labeling event operations: processes.
  */
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index beb65ef..775ce39 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -290,3 +290,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
 	INP_LOCK_ASSERT(inp);
 	MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
 }
+
+void
+mac_create_mbuf_from_firewall(struct mbuf *m)
+{
+	struct label *label;
+
+	M_ASSERTPKTHDR(m);
+	label = mac_mbuf_to_label(m);
+	MAC_PERFORM(create_mbuf_from_firewall, m, label);
+}
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index e349f75..afd437f 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -326,6 +326,8 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
 		    struct label *label, struct inpcb *inp,
 		    struct label *inplabel);
+typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
+		    struct label *label);
 
 /*
  * Labeling event operations: processes.
  */
@@ -880,6 +882,7 @@ struct mac_policy_ops {
 	mpo_check_vnode_stat_t			mpo_check_vnode_stat;
 	mpo_check_vnode_write_t			mpo_check_vnode_write;
 	mpo_associate_nfsd_label_t		mpo_associate_nfsd_label;
+	mpo_create_mbuf_from_firewall_t		mpo_create_mbuf_from_firewall;
 };
 
 /*
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index aecf72b..3f244ae 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
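Review bot: mac_create_mbuf_from_firewall in the mac_inet.c hunk lands without any comment on its contract, even though the commit message itself says mac_create_mbuf_netlayer() already serves similar situations, so a reader cannot tell when firewall code should call this one rather than that one. A header comment along the lines of `/* Label an mbuf the firewall synthesized itself (keepalives, ICMP errors). Call on a pkthdr mbuf that already carries its MAC label tag, before it enters the output path; distinct from mac_create_mbuf_netlayer() so policies can treat firewall-originated traffic separately. */` would capture that. The label returned by mac_mbuf_to_label() is handed straight to MAC_PERFORM without a NULL check, which mirrors the neighbouring inpcb_sosetlabel code; if that helper can return NULL for an mbuf without a label tag (I believe it can when no loaded policy requests mbuf labels), the comment should state that the caller guarantees the tag exists. M_ASSERTPKTHDR only fires in INVARIANTS builds, so the pkthdr requirement is also worth saying in words.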
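Review bot: In the second mac_policy.h hunk the new member is appended at the very end of struct mac_policy_ops, after mpo_associate_nfsd_label, while its typedef in the first hunk is grouped with the inpcb/mbuf labeling typedefs near line 326; the same end-of-table placement is repeated in the mac_biba.c, mac_lomac.c and mac_mls.c ops initializers. If the intent is to keep the offsets of existing members stable for the RELENG_6 MFC the commit mentions (out-of-tree policy modules built against the old struct), that is a sound reason, but it should be written down, e.g. `/* Appended at the end to preserve struct layout for MFC; logically belongs with the inet labeling ops above. */`. Otherwise placing the member next to the inpcb labeling ops would keep the two orderings parallel and make the next reader's search easier.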
@@ -1381,6 +1381,17 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	mac_biba_copy(source, dest);
 }
 
+static void
+mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+{
+	struct mac_biba *dest;
+
+	dest = SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -3210,6 +3221,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_check_vnode_stat = mac_biba_check_vnode_stat,
 	.mpo_check_vnode_write = mac_biba_check_vnode_write,
 	.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
+	.mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall,
 };
 
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index b68fd25..8ae03e0 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1446,6 +1446,17 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	mac_lomac_copy_single(source, dest);
 }
 
+static void
+mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+{
+	struct mac_lomac *dest;
+
+	dest = SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -2685,6 +2696,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
 	.mpo_check_vnode_write = mac_lomac_check_vnode_write,
 	.mpo_thread_userret = mac_lomac_thread_userret,
+	.mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
 };
 
 MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index b258b21..2361abc 100644
--- a/sys/security/mac_mls/mac_mls.c
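Review bot: The `XXX` comment in mac_biba_create_mbuf_from_firewall leaves the actual policy decision undocumented: the function unconditionally gives the firewall-generated mbuf the effective type MAC_BIBA_TYPE_EQUAL, which, as the name suggests, is the label the Biba comparisons treat as compatible with every other label, so these packets are being deliberately exempted from integrity checks rather than labeled from any real originating subject. That is a defensible answer to the panics the commit fixes, but it should be stated as the design choice, e.g. `/* Firewall-synthesized mbufs have no originating subject label; mark them EQUAL so they are accepted by the Biba checks on the output path. Revisit if a firewall-specific label is ever introduced. */`, which also corrects "comming". The identical comment and EQUAL assignment appear in the mac_lomac.c and mac_mls.c hunks and deserve the same treatment. The `m` parameter is unused in all three, which is fine for an entry point whose only job is to label, but a one-word note would stop the next reader from wondering whether something was forgotten.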
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1305,6 +1305,17 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	mac_mls_copy(source, dest);
 }
 
+static void
+mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mbuflabel)
+{
+	struct mac_mls *dest;
+
+	dest = SLOT(mbuflabel);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -2972,6 +2983,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_check_vnode_stat = mac_mls_check_vnode_stat,
 	.mpo_check_vnode_write = mac_mls_check_vnode_write,
 	.mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
+	.mpo_create_mbuf_from_firewall = mac_mls_create_mbuf_from_firewall,
 };
 
 MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",