-rw-r--r--sys/netinet/tcp_input.c13
-rw-r--r--sys/netinet/tcp_output.c5
-rw-r--r--sys/netinet/tcp_reass.c13
-rw-r--r--sys/netinet/tcp_subr.c17
-rw-r--r--sys/netinet/tcp_syncache.c8
-rw-r--r--sys/netinet/tcp_timewait.c17
6 files changed, 73 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 431c049..226be18 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -37,11 +37,13 @@
#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_tcpdebug.h"
#include "opt_tcp_input.h"
#include <sys/param.h>
#include <sys/kernel.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/proc.h> /* for proc0 declaration */
@@ -360,6 +362,9 @@ tcp_input(m, off0)
int isipv6;
#endif /* INET6 */
struct sockaddr_in *next_hop = NULL;
+#ifdef MAC
+ int error;
+#endif
int rstreason; /* For badport_bandlim accounting purposes */
/* Grab info from MT_TAG mbufs prepended to the chain. */
@@ -651,6 +656,11 @@ findpcb:
tiwin = th->th_win;
so = inp->inp_socket;
+#ifdef MAC
+ error = mac_check_socket_receive(so, m);
+ if (error)
+ goto drop;
+#endif
if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
struct in_conninfo inc;
#ifdef TCPDEBUG
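Review bot: The rejected-receive path throws away the MAC result — `error` from mac_check_socket_receive() is used only to branch to drop, so a policy rejection leaves no counter and is indistinguishable from every other drop reason, which makes policy misconfiguration hard to diagnose from the host. Where the hunk jumps to drop, record the reason before the jump, at least as a comment such as `/* MAC policy refused delivery to so: drop silently (presumably no RST on this label), reason not counted */`, or bump a tcpstat counter if the module has one for policy drops. The check also runs before the `SO_ACCEPTCONN` branch, so on a listening socket it is evaluated against the listener's label rather than the eventual child's; that may well be intended but deserves a one-line comment. tcp_input()'s body begins and ends outside this hunk; the tcp_reass.c section carries an identical hunk with the same blob index 431c049..226be18, which looks like a page or repository-copy artifact rather than a second change.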
@@ -1171,6 +1181,9 @@ after_listen:
tp->t_flags &= ~TF_RCVD_CC;
tcpstat.tcps_connects++;
soisconnected(so);
+#ifdef MAC
+ mac_set_socket_peer_from_mbuf(m, so);
+#endif
/* Do window scaling on this connection? */
if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
(TF_RCVD_SCALE|TF_REQ_SCALE)) {
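Review bot: mac_set_socket_peer_from_mbuf(m, so) runs after `soisconnected(so);`, so a thread woken by soisconnected() can observe the socket as connected before its peer label is assigned, and any MAC decision taken in that window sees an unset or stale peer label. Moving the `#ifdef MAC` block to immediately before `soisconnected(so);` closes the window and matches syncache_socket() in tcp_syncache.c, where the peer label is set before the socket is handed on. The surrounding after_listen code lies outside this hunk, so I cannot rule out an earlier assignment on this path; the tcp_reass.c copy of this hunk has the same ordering.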
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 47a1873..9fc5c31 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -36,6 +36,7 @@
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -43,6 +44,7 @@
#include <sys/domain.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
#include <sys/protosw.h>
@@ -639,6 +641,9 @@ send:
m->m_len = hdrlen;
}
m->m_pkthdr.rcvif = (struct ifnet *)0;
+#ifdef MAC
+ mac_create_mbuf_from_socket(so, m);
+#endif
#ifdef INET6
if (isipv6) {
ip6 = mtod(m, struct ip6_hdr *);
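Review bot: The send side only labels the segment — mac_create_mbuf_from_socket(so, m) — while the receive side in tcp_input.c adds an explicit policy check; if the send-side check is deliberately left to the socket layer, a comment here makes that asymmetry intentional rather than an omission, e.g. `/* MAC: label the segment from so; the send-side policy check happens above the protocol layer */`. The call also assumes `so` is non-NULL at this point; that is presumably guaranteed by tcp_output()'s prologue, which lies outside the hunk.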
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 431c049..226be18 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -37,11 +37,13 @@
#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_tcpdebug.h"
#include "opt_tcp_input.h"
#include <sys/param.h>
#include <sys/kernel.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/proc.h> /* for proc0 declaration */
@@ -360,6 +362,9 @@ tcp_input(m, off0)
int isipv6;
#endif /* INET6 */
struct sockaddr_in *next_hop = NULL;
+#ifdef MAC
+ int error;
+#endif
int rstreason; /* For badport_bandlim accounting purposes */
/* Grab info from MT_TAG mbufs prepended to the chain. */
@@ -651,6 +656,11 @@ findpcb:
tiwin = th->th_win;
so = inp->inp_socket;
+#ifdef MAC
+ error = mac_check_socket_receive(so, m);
+ if (error)
+ goto drop;
+#endif
if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
struct in_conninfo inc;
#ifdef TCPDEBUG
@@ -1171,6 +1181,9 @@ after_listen:
tp->t_flags &= ~TF_RCVD_CC;
tcpstat.tcps_connects++;
soisconnected(so);
+#ifdef MAC
+ mac_set_socket_peer_from_mbuf(m, so);
+#endif
/* Do window scaling on this connection? */
if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
(TF_RCVD_SCALE|TF_REQ_SCALE)) {
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 0c4b385..f960fc4 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -37,6 +37,7 @@
#include "opt_compat.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -44,6 +45,7 @@
#include <sys/callout.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#ifdef INET6
@@ -443,6 +445,21 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
m->m_len = tlen;
m->m_pkthdr.len = tlen;
m->m_pkthdr.rcvif = (struct ifnet *) 0;
+#ifdef MAC
+ if (tp != NULL) {
+ /*
+ * Packet is associated with a socket, so allow the
+ * label of the response to reflect the socket label.
+ */
+ mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
+ } else {
+ /*
+ * XXXMAC: This will need to call a mac function that
+ * modifies the mbuf label in place for TCP datagrams
+ * not associated with a PCB.
+ */
+ }
+#endif
nth->th_seq = htonl(seq);
nth->th_ack = htonl(ack);
nth->th_x2 = 0;
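Review bot: The `tp == NULL` branch is an empty else holding only an XXXMAC comment, so a response generated without a PCB (for example a RST for a segment that matched no connection) leaves with whatever label the mbuf already carries — presumably the incoming segment's label if tcp_respond() reuses `m`, or the allocator's default if it is freshly allocated — and neither is chosen by policy. Until the in-place relabel function exists, state that consequence for a policy author: `/* XXXMAC: no PCB; the response keeps the label m already has (reused input mbuf or fresh allocation) rather than a policy-chosen one. */`. The `tp->t_inpcb->inp_socket` chain in the true branch assumes both pointers are valid; I cannot see from the hunk whether every caller guarantees that, so a KASSERT on t_inpcb would document the assumption. tcp_respond()'s body begins outside this hunk; the tcp_timewait.c section carries an identical hunk.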
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index a261d21..07b390f 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -36,12 +36,14 @@
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/md5.h>
#include <sys/proc.h> /* for proc0 declaration */
@@ -560,6 +562,9 @@ syncache_socket(sc, lso, m)
tcpstat.tcps_listendrop++;
goto abort;
}
+#ifdef MAC
+ mac_set_socket_peer_from_mbuf(m, so);
+#endif
inp = sotoinpcb(so);
@@ -1095,6 +1100,9 @@ syncache_respond(sc, m)
m->m_len = tlen;
m->m_pkthdr.len = tlen;
m->m_pkthdr.rcvif = NULL;
+#ifdef MAC
+ mac_create_mbuf_from_socket(sc->sc_tp->t_inpcb->inp_socket, m);
+#endif
#ifdef IPSEC
/* use IPsec policy on listening socket to send SYN,ACK */
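Review bot: The SYN,ACK label is read through `sc->sc_tp->t_inpcb->inp_socket` with no check that the listener is still alive; if a syncache entry can outlive its listening socket (a retransmit firing after close), this dereferences a freed tcpcb and inpcb. I cannot see from the hunk whether sc_tp is guaranteed live at every syncache_respond() call; the IPSEC block just below appears to make the same assumption, so if the syncache lifecycle already guarantees it, a short comment stating the invariant — `/* sc_tp is valid here: entries do not outlive their listener */` — would document it instead of leaving it implicit. syncache_respond()'s body begins outside this hunk.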
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 0c4b385..f960fc4 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -37,6 +37,7 @@
#include "opt_compat.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_mac.h"
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -44,6 +45,7 @@
#include <sys/callout.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#ifdef INET6
@@ -443,6 +445,21 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
m->m_len = tlen;
m->m_pkthdr.len = tlen;
m->m_pkthdr.rcvif = (struct ifnet *) 0;
+#ifdef MAC
+ if (tp != NULL) {
+ /*
+ * Packet is associated with a socket, so allow the
+ * label of the response to reflect the socket label.
+ */
+ mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
+ } else {
+ /*
+ * XXXMAC: This will need to call a mac function that
+ * modifies the mbuf label in place for TCP datagrams
+ * not associated with a PCB.
+ */
+ }
+#endif
nth->th_seq = htonl(seq);
nth->th_ack = htonl(ack);
nth->th_x2 = 0;