-rw-r--r-- | sys/conf/files | 2 | ||||
-rw-r--r-- | sys/netatalk/aarp.c | 4 | ||||
-rw-r--r-- | sys/netinet/if_ether.c | 2 | ||||
-rw-r--r-- | sys/netinet/igmp.c | 2 | ||||
-rw-r--r-- | sys/netinet6/nd6.c | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_atalk.c | 66 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 9 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_inet6.c | 64 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 26 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 60 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 63 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 62 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 40 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 60 |
17 files changed, 421 insertions, 87 deletions
diff --git a/sys/conf/files b/sys/conf/files index a1001a4..6d26a88 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -2031,9 +2031,11 @@ security/audit/audit_pipe.c optional audit security/audit/audit_syscalls.c standard security/audit/audit_trigger.c optional audit security/audit/audit_worker.c optional audit +security/mac/mac_atalk.c optional mac netatalk security/mac/mac_audit.c optional mac audit security/mac/mac_framework.c optional mac security/mac/mac_inet.c optional mac inet +security/mac/mac_inet6.c optional mac inet6 security/mac/mac_label.c optional mac security/mac/mac_net.c optional mac security/mac/mac_pipe.c optional mac diff --git a/sys/netatalk/aarp.c b/sys/netatalk/aarp.c index c34e4b7..f85adfe 100644 --- a/sys/netatalk/aarp.c +++ b/sys/netatalk/aarp.c @@ -177,7 +177,7 @@ aarpwhohas(struct ifnet *ifp, struct sockaddr_at *sat) if (m == NULL) return; #ifdef MAC - mac_mbuf_create_linklayer(ifp, m); + mac_netatalk_aarp_send(ifp, m); #endif m->m_len = sizeof(*ea); m->m_pkthdr.len = sizeof(*ea); @@ -602,7 +602,7 @@ aarpprobe(void *arg) if (m == NULL) return; #ifdef MAC - mac_mbuf_create_linklayer(ifp, m); + mac_netatalk_aarp_send(ifp, m); #endif m->m_len = sizeof(*ea); m->m_pkthdr.len = sizeof(*ea); diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c index df09752..627d56b 100644 --- a/sys/netinet/if_ether.c +++ b/sys/netinet/if_ether.c @@ -323,7 +323,7 @@ arprequest(struct ifnet *ifp, struct in_addr *sip, struct in_addr *tip, ah = mtod(m, struct arphdr *); bzero((caddr_t)ah, m->m_len); #ifdef MAC - mac_mbuf_create_linklayer(ifp, m); + mac_netinet_arp_send(ifp, m); #endif ah->ar_pro = htons(ETHERTYPE_IP); ah->ar_hln = ifp->if_addrlen; /* hardware address length */ diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c index b623a41..811307c 100644 --- a/sys/netinet/igmp.c +++ b/sys/netinet/igmp.c 
@@ -471,7 +471,7 @@ igmp_sendpkt(struct in_multi *inm, int type, unsigned long addr) m->m_pkthdr.rcvif = loif; #ifdef MAC - mac_mbuf_create_linklayer(inm->inm_ifp, m); + mac_netinet_igmp_send(inm->inm_ifp, m); #endif m->m_pkthdr.len = sizeof(struct ip) + IGMP_MINLEN; MH_ALIGN(m, IGMP_MINLEN + sizeof(struct ip)); diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 6d0f413..d1fcd4f 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -2114,7 +2114,7 @@ again: } #ifdef MAC - mac_mbuf_create_linklayer(ifp, m); + mac_netinet6_nd6_send(ifp, m); #endif if ((ifp->if_flags & IFF_LOOPBACK) != 0) { return ((*ifp->if_output)(origifp, m, (struct sockaddr *)dst, diff --git a/sys/security/mac/mac_atalk.c b/sys/security/mac/mac_atalk.c new file mode 100644 index 0000000..0992ee5 --- /dev/null +++ b/sys/security/mac/mac_atalk.c 
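Review bot: The renamed hook `mac_netinet_igmp_send(inm->inm_ifp, m)` is still invoked before `m->m_pkthdr.len` is set on the following line and, presumably, before the IP/IGMP headers are written further down (outside the hunk), so a policy receives an mbuf with no usable contents and can only label it from `inm->inm_ifp`. If that is the intended contract it deserves a one-line comment at the call site, e.g. `/* Label from the interface: kernel-generated IGMP has no originating socket. */`, so nobody later tries to inspect the packet from inside the policy op. `igmp_sendpkt` starts and ends outside this hunk; the nd6 hunk below makes the equivalent `mac_netinet6_nd6_send(ifp, m)` call inside `nd6_output`, which also continues outside its hunk.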
@@ -0,0 +1,66 @@ +/*- + * Copyright (c) 2007 Robert N. M. Watson + * All rights reserved. + * + * This software was developed by Robert Watson for the TrustedBSD Project. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 80b8b33..5605a66 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -152,7 +152,6 @@ int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
 int mac_kld_check_stat(struct ucred *cred);
 
 void mac_mbuf_copy(struct mbuf *, struct mbuf *);
-void mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m);
 void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
  struct mbuf *mnew);
 void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
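Review bot: `mac_netatalk_aarp_send` carries no comment saying when it is called or why it takes `MAC_IFNET_LOCK`, and the new file pulls in `sys/mount.h`, `sys/file.h`, `sys/namei.h`, `sys/sbuf.h`, `sys/sysctl.h` and `sys/protosw.h`, none of which its single function uses. I would trim the include list to what `mac_mbuf_to_label`, `MAC_PERFORM` and the lock macros need, and put a short header above the function, e.g. `/* Label an AARP request or probe built by aarpwhohas()/aarpprobe(); there is no originating socket, so policies derive the mbuf label from ifp's label, read under MAC_IFNET_LOCK. */` — both callers are visible in the aarp.c hunks above. The lock macros come from `mac_internal.h`, which the file does include, so nothing else is missing.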
@@ -167,11 +166,17 @@ void mac_mount_create(struct ucred *cred, struct mount *mp);
 void mac_mount_destroy(struct mount *);
 void mac_mount_init(struct mount *);
 
+void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
+
+void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
 void mac_netinet_firewall_send(struct mbuf *m);
 void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
 void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
 void mac_netinet_tcp_reply(struct mbuf *m);
 
+void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
+
 int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
  unsigned long cmd, void *data);
 int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index ae160a5..22c134f 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
@@ -222,6 +222,18 @@ mac_ipq_match(struct mbuf *m, struct ipq *ipq)
 }
 
 void
+mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
 mac_netinet_icmp_reply(struct mbuf *m)
 {
  struct label *label;
@@ -232,6 +244,18 @@ mac_netinet_icmp_reply(struct mbuf *m)
 }
 
 void
+mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(netinet_igmp_send, ifp, ifp->if_label, m, mlabel);
+ MAC_IFNET_UNLOCK(ifp);
+}
+
+void
 mac_netinet_tcp_reply(struct mbuf *m)
 {
  struct label *label;
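Review bot: `mac_netinet_arp_send` and `mac_netinet_igmp_send` are line-for-line copies of each other (and of the `mac_netatalk_aarp_send` added in this commit) with no comment, so a reader cannot tell what distinguishes the two entry points beyond the policy op they invoke. Each should carry a one-line header naming its caller and contract, e.g. `/* Kernel-generated ARP request (arprequest()); no socket, so the mbuf label is derived from ifp->if_label under MAC_IFNET_LOCK. */` and the equivalent for `igmp_sendpkt()`. Whether a policy wants to treat ARP and IGMP differently is a policy matter, but the framework comment should at least say that splitting the old `mac_mbuf_create_linklayer` into per-protocol hooks is what makes that possible.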
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c new file mode 100644 index 0000000..65a93e1 --- /dev/null +++ b/sys/security/mac/mac_inet6.c 
@@ -0,0 +1,64 @@ +/*- + * Copyright (c) 2007 Robert N. M. Watson + * All rights reserved. + * + * This software was developed by Robert Watson for the TrustedBSD Project. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+void
+mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ mlabel = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel);
+}
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 2cdc006..2ed3dfb 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -91,6 +91,7 @@ extern struct mac_policy_list_head mac_static_policy_list;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int mac_labelmbufs;
 #endif
+extern struct mtx mac_ifnet_mtx;
 /*
  * MAC Framework infrastructure functions.
  */
@@ -113,6 +114,9 @@ void mac_destroy_label(struct label *label);
 int mac_check_structmac_consistent(struct mac *mac);
 int mac_allocate_slot(void);
 
+#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
+#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
+
 /*
  * MAC Framework per-object type functions. It's not yet clear how the
  * namespaces, etc, should work for these, so for now, sort by object type.
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 5d8aea1..af05875 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
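Review bot: `mac_netinet6_nd6_send` reads `ifp->if_label` and runs `MAC_PERFORM` without `MAC_IFNET_LOCK`, whereas the three sibling entry points added in this commit (`mac_netatalk_aarp_send`, `mac_netinet_arp_send`, `mac_netinet_igmp_send`) all bracket the identical call with `MAC_IFNET_LOCK(ifp); ... MAC_IFNET_UNLOCK(ifp);`, and so did the `mac_mbuf_create_linklayer` it replaces. The mac_net.c comment in the next file describes `mac_ifnet_mtx` as the mutex the framework uses for `struct ifnet`, so the ND6 path presumably now reads an interface label concurrently with whatever relabels it on SMP. The fix is `MAC_IFNET_LOCK(ifp); MAC_PERFORM(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel); MAC_IFNET_UNLOCK(ifp);`. The include list is also copied from mac_inet.c and carries headers (`sys/mount.h`, `sys/file.h`, `sys/namei.h`, `sys/sbuf.h`, `sys/sysctl.h`, `sys/protosw.h`) that this single function does not use.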
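Review bot: `MAC_IFNET_LOCK(ifp)`/`MAC_IFNET_UNLOCK(ifp)` accept an `ifp` argument but expand to a lock on the single global `mac_ifnet_mtx`, and the only explanation of that design ("our own global mutex for struct ifnet. Non-ideal, but should help in the SMP environment") stays behind in mac_net.c where the macros used to be private. Now that three per-object files share them through mac_internal.h, the contract belongs next to the macros, e.g. `/* Protects ifnet labels. One global mutex for all interfaces; (ifp) is accepted, presumably for later per-ifnet locking, but ignored. */`. A companion `#define MAC_IFNET_LOCK_ASSERT(ifp) mtx_assert(&mac_ifnet_mtx, MA_OWNED)` would let entry points that read `ifp->if_label` assert the caller holds it, which would have caught the unlocked read in mac_inet6.c.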
@@ -73,10 +73,8 @@ __FBSDID("$FreeBSD$"); * our own global mutex for struct ifnet. Non-ideal, but should help in the * SMP environment. */ -static struct mtx mac_ifnet_mtx; +struct mtx mac_ifnet_mtx; MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF); -#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx) -#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx) /* * Retrieve the label associated with an mbuf by searching for the tag. @@ -310,18 +308,6 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m) } void -mac_mbuf_create_linklayer(struct ifnet *ifp, struct mbuf *m) -{ - struct label *label; - - label = mac_mbuf_to_label(m); - - MAC_IFNET_LOCK(ifp); - MAC_PERFORM(mbuf_create_linklayer, ifp, ifp->if_label, m, label); - MAC_IFNET_UNLOCK(ifp); -} - -void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) { struct label *label; diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 8dbe9ea..7b606b5 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. @@ -221,9 +221,6 @@ typedef int (*mpo_kld_check_stat_t)(struct ucred *cred); typedef void (*mpo_mbuf_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_mbuf_create_linklayer_t)(struct ifnet *ifp, - struct label *ifplabel, struct mbuf *m, - struct label *mlabel); typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, 
@@ -241,6 +238,13 @@ typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp, typedef void (*mpo_mount_destroy_label_t)(struct label *label); typedef void (*mpo_mount_init_label_t)(struct label *label); +typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); + +typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m, struct label *mlabel); typedef void (*mpo_netinet_fragment_t)(struct mbuf *m, @@ -248,9 +252,16 @@ typedef void (*mpo_netinet_fragment_t)(struct mbuf *m, struct label *fraglabel); typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m, struct label *mlabel); +typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m, struct label *mlabel); +typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); + typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void *data); @@ -678,7 +689,6 @@ struct mac_policy_ops { mpo_kld_check_stat_t mpo_kld_check_stat; mpo_mbuf_copy_label_t mpo_mbuf_copy_label; - mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer; mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap; mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer; mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label; 
@@ -689,11 +699,17 @@ struct mac_policy_ops { mpo_mount_destroy_label_t mpo_mount_destroy_label; mpo_mount_init_label_t mpo_mount_init_label; + mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send; + + mpo_netinet_arp_send_t mpo_netinet_arp_send; mpo_netinet_firewall_send_t mpo_netinet_firewall_send; mpo_netinet_fragment_t mpo_netinet_fragment; mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply; + mpo_netinet_igmp_send_t mpo_netinet_igmp_send; mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply; + mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send; + mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl; mpo_pipe_check_poll_t mpo_pipe_check_poll; mpo_pipe_check_read_t mpo_pipe_check_read; diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index fc2baa9..d96c4e1 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1268,17 +1268,6 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, } static void -biba_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *m, struct label *mlabel) -{ - struct mac_biba *dest; - - dest = SLOT(mlabel); - - biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); -} - -static void biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { @@ -1372,6 +1361,28 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, } static void +biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *dest; + + dest = SLOT(mlabel); + + biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void +biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *dest; + + dest = SLOT(mlabel); + + biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) { struct mac_biba *dest; 
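Review bot: Dropping `mpo_mbuf_create_linklayer` from `struct mac_policy_ops` and inserting five new members shifts the offset of every member that follows, so a policy module built against the previous header presumably presents a mis-laid-out ops table rather than failing to load; nothing in these hunks bumps a version or otherwise guards against that. If the framework carries a policy ABI version it should be bumped here, and the commit message should say that out-of-tree policy modules must be rebuilt. The struct's opening line is only visible as the hunk's context trailer and its closing brace is outside the hunk.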
@@ -1382,6 +1393,28 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); } +static void +biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *dest; + + dest = SLOT(mlabel); + + biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void +biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *dest; + + dest = SLOT(mlabel); + + biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -3320,7 +3353,6 @@ static struct mac_policy_ops mac_biba_ops = .mpo_sysvshm_create = biba_sysvshm_create, .mpo_ipq_create = biba_ipq_create, .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf, - .mpo_mbuf_create_linklayer = biba_mbuf_create_linklayer, .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = biba_mbuf_create_multicast_encap, @@ -3412,7 +3444,11 @@ static struct mac_policy_ops mac_biba_ops = .mpo_vnode_check_stat = biba_vnode_check_stat, .mpo_vnode_check_unlink = biba_vnode_check_unlink, .mpo_vnode_check_write = biba_vnode_check_write, + .mpo_netatalk_aarp_send = biba_netatalk_aarp_send, + .mpo_netinet_arp_send = biba_netinet_arp_send, .mpo_netinet_firewall_send = biba_netinet_firewall_send, + .mpo_netinet_igmp_send = biba_netinet_igmp_send, + .mpo_netinet6_nd6_send = biba_netinet6_nd6_send, .mpo_priv_check = biba_priv_check, }; diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 8eb2067..d670d19 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c 
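Review bot: The four new Biba entry points (`biba_netatalk_aarp_send`, `biba_netinet_arp_send`, `biba_netinet_igmp_send`, `biba_netinet6_nd6_send`) all do exactly what the removed `biba_mbuf_create_linklayer` did, `biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL)`, and none of them says why EQUAL is the right integrity label for kernel-originated control traffic. Each should get a one-line comment along the lines of `/* No originating subject: mark the packet EQUAL so Biba's flow rules do not constrain it (confirm this matches the intended policy). */`. Since the bodies are also identical to `biba_netinet_firewall_send`, a single static helper such as `biba_mbuf_set_equal(struct label *mlabel)` called from all five would leave one place to change if any of these hooks ever stops using EQUAL.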
@@ -1332,17 +1332,6 @@ lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, } static void -lomac_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *m, struct label *mlabel) -{ - struct mac_lomac *dest; - - dest = SLOT(mlabel); - - lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); -} - -static void lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { @@ -1457,6 +1446,28 @@ lomac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, } static void +lomac_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *dest; + + dest = SLOT(mlabel); + + lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void +lomac_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *dest; + + dest = SLOT(mlabel); + + lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel) { struct mac_lomac *dest; @@ -1467,6 +1478,28 @@ lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel) lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); } +static void +lomac_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *dest; + + dest = SLOT(mlabel); + + lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void +lomac_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *dest; + + dest = SLOT(mlabel); + + lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + /* * Labeling event operations: processes. */ 
@@ -2878,7 +2911,6 @@ static struct mac_policy_ops lomac_ops = .mpo_inpcb_create = lomac_inpcb_create, .mpo_ipq_create = lomac_ipq_create, .mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf, - .mpo_mbuf_create_linklayer = lomac_mbuf_create_linklayer, .mpo_bpfdesc_create_mbuf = lomac_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = lomac_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = lomac_mbuf_create_multicast_encap, @@ -2936,10 +2968,13 @@ static struct mac_policy_ops lomac_ops = .mpo_vnode_check_unlink = lomac_vnode_check_unlink, .mpo_vnode_check_write = lomac_vnode_check_write, .mpo_thread_userret = lomac_thread_userret, + .mpo_netatalk_aarp_send = lomac_netatalk_aarp_send, + .mpo_netinet_arp_send = lomac_netinet_arp_send, .mpo_netinet_firewall_send = lomac_netinet_firewall_send, + .mpo_netinet_igmp_send = lomac_netinet_igmp_send, + .mpo_netinet6_nd6_send = lomac_netinet6_nd6_send, .mpo_priv_check = lomac_priv_check, }; MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC", - MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, - &lomac_slot); + MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &lomac_slot); diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index ce7fae9..46deacf 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. @@ -1190,17 +1190,6 @@ mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, } static void -mls_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *m, struct label *mlabel) -{ - struct mac_mls *dest; - - dest = SLOT(mlabel); - - mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); -} - -static void mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { 
@@ -1294,6 +1283,28 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, } static void +mls_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_mls *dest; + + dest = SLOT(mlabel); + + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void +mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_mls *dest; + + dest = SLOT(mlabel); + + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel) { struct mac_mls *dest; @@ -1305,6 +1316,28 @@ mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel) } static void +mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_mls *dest; + + dest = SLOT(mlabel); + + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void +mls_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_mls *dest; + + dest = SLOT(mlabel); + + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void mls_syncache_create(struct label *label, struct inpcb *inp) { struct mac_mls *source, *dest; @@ -2947,7 +2980,6 @@ static struct mac_policy_ops mls_ops = .mpo_sysvsem_create = mls_sysvsem_create, .mpo_sysvshm_create = mls_sysvshm_create, .mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf, - .mpo_mbuf_create_linklayer = mls_mbuf_create_linklayer, .mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap, 
@@ -3035,7 +3067,11 @@ static struct mac_policy_ops mls_ops = .mpo_vnode_check_stat = mls_vnode_check_stat, .mpo_vnode_check_unlink = mls_vnode_check_unlink, .mpo_vnode_check_write = mls_vnode_check_write, + .mpo_netatalk_aarp_send = mls_netatalk_aarp_send, + .mpo_netinet_arp_send = mls_netinet_arp_send, .mpo_netinet_firewall_send = mls_netinet_firewall_send, + .mpo_netinet_igmp_send = mls_netinet_igmp_send, + .mpo_netinet6_nd6_send = mls_netinet6_nd6_send, }; MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS", diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 6c3ac33..71c175b 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -405,13 +405,6 @@ stub_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, } static void -stub_mbuf_create_linklayer(struct ifnet *ifp, struct label *iflpabel, - struct mbuf *m, struct label *mlabel) -{ - -} - -static void stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { @@ -441,11 +434,39 @@ stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, } static void +stub_netatalk_aarp_send(struct ifnet *ifp, struct label *iflpabel, + struct mbuf *m, struct label *mlabel) +{ + +} + +static void +stub_netinet_arp_send(struct ifnet *ifp, struct label *iflpabel, + struct mbuf *m, struct label *mlabel) +{ + +} + +static void stub_netinet_firewall_send(struct mbuf *m, struct label *mlabel) { } +static void +stub_netinet_igmp_send(struct ifnet *ifp, struct label *iflpabel, + struct mbuf *m, struct label *mlabel) +{ + +} + +static void +stub_netinet6_nd6_send(struct ifnet *ifp, struct label *iflpabel, + struct mbuf *m, struct label *mlabel) +{ + +} + static int stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) 
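Review bot: All four new stub prototypes in mac_stub.c spell the interface-label parameter `iflpabel`, while the typedefs in mac_policy.h and every other policy in this commit use `ifplabel`. The typo was inherited from the removed `stub_mbuf_create_linklayer` and is harmless in an empty body, but mac_stub.c is the template new policies are copied from, so it should be corrected now: `stub_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,` and likewise for `stub_netinet_arp_send`, `stub_netinet_igmp_send` and `stub_netinet6_nd6_send`.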
@@ -1521,12 +1542,15 @@ static struct mac_policy_ops stub_ops = .mpo_ipq_reassemble = stub_ipq_reassemble, .mpo_netinet_fragment = stub_netinet_fragment, .mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf, - .mpo_mbuf_create_linklayer = stub_mbuf_create_linklayer, .mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap, .mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer, + .mpo_netatalk_aarp_send = stub_netatalk_aarp_send, + .mpo_netinet_arp_send = stub_netinet_arp_send, .mpo_netinet_firewall_send = stub_netinet_firewall_send, + .mpo_netinet_igmp_send = stub_netinet_igmp_send, + .mpo_netinet6_nd6_send = stub_netinet6_nd6_send, .mpo_ipq_match = stub_ipq_match, .mpo_netinet_icmp_reply = stub_netinet_icmp_reply, .mpo_netinet_tcp_reply = stub_netinet_tcp_reply, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 6c88010..69b5c27 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1015,17 +1015,6 @@ test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, COUNTER_INC(inpcb_create_mbuf); } -COUNTER_DECL(mbuf_create_linklayer); -static void -test_mbuf_create_linklayer(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *mbuf, struct label *mbuflabel) -{ - - LABEL_CHECK(ifplabel, MAGIC_IFNET); - LABEL_CHECK(mbuflabel, MAGIC_MBUF); - COUNTER_INC(mbuf_create_linklayer); -} - COUNTER_DECL(bpfdesc_create_mbuf); static void test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel, 
@@ -1086,6 +1075,28 @@ test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel, return (1); } +COUNTER_DECL(netatalk_aarp_send); +static void +test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *mbuf, struct label *mbuflabel) +{ + + LABEL_CHECK(ifplabel, MAGIC_IFNET); + LABEL_CHECK(mbuflabel, MAGIC_MBUF); + COUNTER_INC(netatalk_aarp_send); +} + +COUNTER_DECL(netinet_arp_send); +static void +test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *mbuf, struct label *mbuflabel) +{ + + LABEL_CHECK(ifplabel, MAGIC_IFNET); + LABEL_CHECK(mbuflabel, MAGIC_MBUF); + COUNTER_INC(netinet_arp_send); +} + COUNTER_DECL(netinet_icmp_reply); static void test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel) @@ -1095,6 +1106,17 @@ test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel) COUNTER_INC(netinet_icmp_reply); } +COUNTER_DECL(netinet_igmp_send); +static void +test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *mbuf, struct label *mbuflabel) +{ + + LABEL_CHECK(ifplabel, MAGIC_IFNET); + LABEL_CHECK(mbuflabel, MAGIC_MBUF); + COUNTER_INC(netinet_igmp_send); +} + COUNTER_DECL(netinet_tcp_reply); static void test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) @@ -1104,6 +1126,17 @@ test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) COUNTER_INC(netinet_tcp_reply); } +COUNTER_DECL(netinet6_nd6_send); +static void +test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *mbuf, struct label *mbuflabel) +{ + + LABEL_CHECK(ifplabel, MAGIC_IFNET); + LABEL_CHECK(mbuflabel, MAGIC_MBUF); + COUNTER_INC(netinet6_nd6_send); +} + COUNTER_DECL(ifnet_relabel); static void test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, 
@@ -2686,14 +2719,17 @@ static struct mac_policy_ops test_ops = .mpo_netinet_fragment = test_netinet_fragment, .mpo_ipq_create = test_ipq_create, .mpo_inpcb_create_mbuf = test_inpcb_create_mbuf, - .mpo_mbuf_create_linklayer = test_mbuf_create_linklayer, .mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf, .mpo_ifnet_create_mbuf = test_ifnet_create_mbuf, .mpo_mbuf_create_multicast_encap = test_mbuf_create_multicast_encap, .mpo_mbuf_create_netlayer = test_mbuf_create_netlayer, .mpo_ipq_match = test_ipq_match, + .mpo_netatalk_aarp_send = test_netatalk_aarp_send, + .mpo_netinet_arp_send = test_netinet_arp_send, .mpo_netinet_icmp_reply = test_netinet_icmp_reply, + .mpo_netinet_igmp_send = test_netinet_igmp_send, .mpo_netinet_tcp_reply = test_netinet_tcp_reply, + .mpo_netinet6_nd6_send = test_netinet6_nd6_send, .mpo_ifnet_relabel = test_ifnet_relabel, .mpo_ipq_update = test_ipq_update, .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel, |