diff options
Diffstat (limited to 'sys/security/mac/mac_inet.c')
-rw-r--r-- | sys/security/mac/mac_inet.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index 0d35e48..7896332 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c @@ -288,3 +288,57 @@ mac_create_mbuf_from_firewall(struct mbuf *m) label = mac_mbuf_to_label(m); MAC_PERFORM(create_mbuf_from_firewall, m, label); } + +/* + * These functions really should be referencing the syncache structure instead + * of the label. However, due to some of the complexities associated with + * exposing this syncache structure we operate directly on it's label pointer. + * This should be OK since we aren't making any access control decisions within + * this code directly, we are merely allocating and copying label storage so + * we can properly initialize mbuf labels for any packets the syncache code + * might create. + */ +void +mac_destroy_syncache(struct label **label) +{ + + MAC_PERFORM(destroy_syncache_label, *label); + mac_labelzone_free(*label); + *label = NULL; +} + +int +mac_init_syncache(struct label **label) +{ + int error; + + *label = mac_labelzone_alloc(M_NOWAIT); + if (*label == NULL) + return (ENOMEM); + /* + * Since we are holding the inpcb locks the policy can not allocate + * policy specific label storage using M_WAITOK. So we need to do a + * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate + * allocation failures back to the syncache code. + */ + MAC_CHECK(init_syncache_label, *label, M_NOWAIT); + return (error); +} + +void +mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) +{ + + INP_LOCK_ASSERT(inp); + MAC_PERFORM(init_syncache_from_inpcb, label, inp); +} + +void +mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m) +{ + struct label *mbuf_label; + + M_ASSERTPKTHDR(m); + mbuf_label = mac_mbuf_to_label(m); + MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label); +} |