-rw-r--r--sys/netinet/tcp_subr.c5
-rw-r--r--sys/netinet/tcp_timewait.c5
-rw-r--r--sys/security/mac/mac_framework.h1
-rw-r--r--sys/security/mac/mac_net.c11
-rw-r--r--sys/security/mac/mac_policy.h3
-rw-r--r--sys/security/mac_biba/mac_biba.c13
-rw-r--r--sys/security/mac_lomac/mac_lomac.c13
-rw-r--r--sys/security/mac_mls/mac_mls.c13
-rw-r--r--sys/security/mac_stub/mac_stub.c8
-rw-r--r--sys/security/mac_test/mac_test.c10
-rw-r--r--sys/sys/mac.h1
-rw-r--r--sys/sys/mac_policy.h3
12 files changed, 78 insertions, 8 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 926d547..12394eb 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
m->m_data += max_linkhdr;
#ifdef MAC
- if (so != NULL)
- mac_create_mbuf_from_socket(so, m);
- else
- mac_create_mbuf_netlayer(msrc, m);
+ mac_create_mbuf_from_inpcb(inp, m);
#endif
#ifdef INET6
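Review bot: The new call `mac_create_mbuf_from_inpcb(inp, m)` relies on `inp` being non-NULL and locked, and neither is established inside this hunk. `inp` is not in the visible parameter list, and the callee in mac_net.c asserts `INP_LOCK_ASSERT(inp)` and reads `inp->inp_label`. Because the old code tolerated `so == NULL`, a short comment would record why the inpcb is now the label source, for example `/* Label the reply from the inpcb; the socket may be NULL here. */`. With the branch removed, `so` and `msrc` may no longer be used under `#ifdef MAC`, so it is worth checking whether the signature still needs them. The identical hunk in sys/netinet/tcp_timewait.c raises the same points; tcp_twrespond starts and ends outside the hunk.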
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 926d547..12394eb 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
m->m_data += max_linkhdr;
#ifdef MAC
- if (so != NULL)
- mac_create_mbuf_from_socket(so, m);
- else
- mac_create_mbuf_netlayer(msrc, m);
+ mac_create_mbuf_from_inpcb(inp, m);
#endif
#ifdef INET6
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 098a2bd..ed04abd 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -213,6 +213,7 @@ void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 8337a19..9e5cfe5 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -589,6 +589,17 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
}
void
+mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ INP_LOCK_ASSERT(inp);
+ mlabel = mbuf_to_label(m);
+
+ MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+}
+
+void
mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
{
struct label *oldmbuflabel, *newmbuflabel;
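Review bot: `mac_create_mbuf_from_inpcb` is a new framework entry point but has no comment stating its locking contract or where the label comes from. It asserts the inpcb lock and passes `inp->inp_label` to the policies, so a header comment such as `/* Label an mbuf from the inpcb's label; caller must hold the inpcb lock. */` would make that explicit. `mlabel` is also handed to `MAC_PERFORM` unchecked. If `mbuf_to_label` can return NULL for an mbuf that carries no label (its definition is not shown in this diff), the policy hooks that call `SLOT(mlabel)` depend on the caller guaranteeing a labelled mbuf, and that precondition belongs in the same comment.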
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index be43253..55ed7fb 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -229,6 +229,9 @@ struct mac_policy_ops {
void (*mpo_create_fragment)(struct mbuf *datagram,
struct label *datagramlabel, struct mbuf *fragment,
struct label *fragmentlabel);
+ void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+ struct label *inplabel, struct mbuf *m,
+ struct label *mlabel);
void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
struct label *oldlabel, struct mbuf *newmbuf,
struct label *newlabel);
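Review bot: `mpo_create_mbuf_from_inpcb` is inserted in the middle of `struct mac_policy_ops`, which shifts the offset of every member after it. The in-tree policies touched by this commit use designated initializers and are fine once rebuilt, but a policy module compiled against the old header would presumably bind its later hooks to the wrong slots. If the framework has a policy ABI or version check (not visible in this diff), it should be bumped with this change; otherwise, appending the member at the end of the struct would be the safer layout. The same hunk appears for sys/sys/mac_policy.h.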
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 1239220..a813b9b 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1200,6 +1200,18 @@ mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
}
static void
+mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_biba_copy_single(source, dest);
+}
+
+static void
mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
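Review bot: `mac_biba_create_mbuf_from_inpcb` dereferences both labels through `SLOT()` with no comment on what the caller guarantees. The function is wholly inside this hunk, and its `inp` and `m` arguments are unused. A one-line comment such as `/* The mbuf inherits the inpcb's single label; the framework asserts the inpcb lock. */` would document that the hook is a plain copy and depends on `mac_create_mbuf_from_inpcb` for locking and label validity. The same applies to the identical functions added in mac_lomac.c and mac_mls.c.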
@@ -2698,6 +2710,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_create_ifnet = mac_biba_create_ifnet,
.mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
.mpo_create_ipq = mac_biba_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index a8a4a98..10608d1 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1340,6 +1340,18 @@ mac_lomac_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
}
static void
+mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_lomac_copy_single(source, dest);
+}
+
+static void
mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -2680,6 +2692,7 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_create_ifnet = mac_lomac_create_ifnet,
.mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
.mpo_create_ipq = mac_lomac_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 3a73467..96016ce 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1130,6 +1130,18 @@ mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
}
static void
+mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+
+ mac_mls_copy_single(source, dest);
+}
+
+static void
mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -2470,6 +2482,7 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_create_ifnet = mac_mls_create_ifnet,
.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
.mpo_create_ipq = mac_mls_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index ccf3583..2ef6f5b 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -351,6 +351,13 @@ stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
}
static void
+stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -1092,6 +1099,7 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
.mpo_create_fragment = stub_create_fragment,
.mpo_create_ipq = stub_create_ipq,
+ .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 05f0e8c..0d5fdf3 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -915,6 +915,15 @@ mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
}
static void
+mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ ASSERT_INPCB_LABEL(inplabel);
+ ASSERT_MBUF_LABEL(mlabel);
+}
+
+static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
@@ -1923,6 +1932,7 @@ static struct mac_policy_ops mac_test_ops =
.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
.mpo_create_fragment = mac_test_create_fragment,
.mpo_create_ipq = mac_test_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 098a2bd..ed04abd 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -213,6 +213,7 @@ void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index be43253..55ed7fb 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -229,6 +229,9 @@ struct mac_policy_ops {
void (*mpo_create_fragment)(struct mbuf *datagram,
struct label *datagramlabel, struct mbuf *fragment,
struct label *fragmentlabel);
+ void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+ struct label *inplabel, struct mbuf *m,
+ struct label *mlabel);
void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
struct label *oldlabel, struct mbuf *newmbuf,
struct label *newlabel);