Add a MAC label, MAC Framework, and MAC policy entry points for IPv6

fragment reassembly queues.

This allows policies to label reassembly queues, perform access
control checks when matching fragments to a queue, update a queue
label when fragments are matched, and label the resulting
reassembled datagram.

Obtained from:	TrustedBSD Project

3 files changed, 129 insertions, 3 deletions

diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index c09088b..790b921 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -60,6 +60,7 @@ struct ifnet;
 struct ifreq;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -138,6 +139,13 @@ void	mac_inpcb_destroy(struct inpcb *);
 int	mac_inpcb_init(struct inpcb *, int);
 void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 
+void	mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
+void	mac_ip6q_destroy(struct ip6q *q6);
+int	mac_ip6q_init(struct ip6q *q6, int);
+int	mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
+void	mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
+void	mac_ip6q_update(struct mbuf *m, struct ip6q *q6);
+
 void	mac_ipq_create(struct mbuf *m, struct ipq *q);
 void	mac_ipq_destroy(struct ipq *q);
 int	mac_ipq_init(struct ipq *q, int);
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
index 65a93e1..068455b 100644
--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007-2008 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -49,10 +49,108 @@ __FBSDID("$FreeBSD$");
 #include <net/if.h>
 #include <net/if_var.h>
 
+#include <netinet/in.h>
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+
 #include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 #include <security/mac/mac_policy.h>
 
+static struct label *
+mac_ip6q_label_alloc(int flag)
+{
+	struct label *label;
+	int error;
+
+	label = mac_labelzone_alloc(flag);
+	if (label == NULL)
+		return (NULL);
+
+	MAC_CHECK(ip6q_init_label, label, flag);
+	if (error) {
+		MAC_PERFORM(ip6q_destroy_label, label);
+		mac_labelzone_free(label);
+		return (NULL);
+	}
+	return (label);
+}
+
+int
+mac_ip6q_init(struct ip6q *q6, int flag)
+{
+
+	if (mac_labeled & MPC_OBJECT_IPQ) {
+		q6->ip6q_label = mac_ip6q_label_alloc(flag);
+		if (q6->ip6q_label == NULL)
+			return (ENOMEM);
+	} else
+		q6->ip6q_label = NULL;
+	return (0);
+}
+
+static void
+mac_ip6q_label_free(struct label *label)
+{
+
+	MAC_PERFORM(ip6q_destroy_label, label);
+	mac_labelzone_free(label);
+}
+
+void
+mac_ip6q_destroy(struct ip6q *q6)
+{
+
+	if (q6->ip6q_label != NULL) {
+		mac_ip6q_label_free(q6->ip6q_label);
+		q6->ip6q_label = NULL;
+	}
+}
+
+void
+mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_reassemble, q6, q6->ip6q_label, m, label);
+}
+
+void
+mac_ip6q_create(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_create, m, label, q6, q6->ip6q_label);
+}
+
+int
+mac_ip6q_match(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+	int result;
+
+	label = mac_mbuf_to_label(m);
+
+	result = 1;
+	MAC_BOOLEAN(ip6q_match, &&, m, label, q6, q6->ip6q_label);
+
+	return (result);
+}
+
+void
+mac_ip6q_update(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_update, m, label, q6, q6->ip6q_label);
+}
+
 void
 mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
 {
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 63ba829..8a2f9f2 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -72,6 +72,7 @@ struct devfs_dirent;
 struct ifnet;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -201,6 +202,17 @@ typedef void	(*mpo_inpcb_sosetlabel_t)(struct socket *so,
 		    struct label *label, struct inpcb *inp,
 		    struct label *inplabel);
 
+typedef void	(*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+typedef void	(*mpo_ip6q_destroy_label_t)(struct label *label);
+typedef int	(*mpo_ip6q_init_label_t)(struct label *label, int flag);
+typedef int	(*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+typedef void	(*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
+		    struct mbuf *m, struct label *mlabel);
+typedef void	(*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+
 typedef void	(*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
 		    struct ipq *q, struct label *qlabel);
 typedef void	(*mpo_ipq_destroy_label_t)(struct label *label);
@@ -698,6 +710,13 @@ struct mac_policy_ops {
 	mpo_inpcb_init_label_t			mpo_inpcb_init_label;
 	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;
 
+	mpo_ip6q_create_t			mpo_ip6q_create;
+	mpo_ip6q_destroy_label_t		mpo_ip6q_destroy_label;
+	mpo_ip6q_init_label_t			mpo_ip6q_init_label;
+	mpo_ip6q_match_t			mpo_ip6q_match;
+	mpo_ip6q_reassemble			mpo_ip6q_reassemble;
+	mpo_ip6q_update_t			mpo_ip6q_update;
+
 	mpo_ipq_create_t			mpo_ipq_create;
 	mpo_ipq_destroy_label_t			mpo_ipq_destroy_label;
 	mpo_ipq_init_label_t			mpo_ipq_init_label;
@@ -970,6 +989,7 @@ struct mac_policy_conf {
 #define	MPC_OBJECT_SYSVSEM		0x0000000000010000
 #define	MPC_OBJECT_SYSVSHM		0x0000000000020000
 #define	MPC_OBJECT_SYNCACHE		0x0000000000040000
+#define	MPC_OBJECT_IP6Q			0x0000000000080000
 
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,