Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 10 | ||||
-rw-r--r-- | sys/security/mac/mac_inet6.c | 100 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 22 |
3 files changed, 129 insertions, 3 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index c09088b..790b921 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -60,6 +60,7 @@ struct ifnet;
 struct ifreq;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -138,6 +139,13 @@ void mac_inpcb_destroy(struct inpcb *);
 int mac_inpcb_init(struct inpcb *, int);
 void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 
+void mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
+void mac_ip6q_destroy(struct ip6q *q6);
+int mac_ip6q_init(struct ip6q *q6, int);
+int mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
+void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
+void mac_ip6q_update(struct mbuf *m, struct ip6q *q6);
+
 void mac_ipq_create(struct mbuf *m, struct ipq *q);
 void mac_ipq_destroy(struct ipq *q);
 int mac_ipq_init(struct ipq *q, int);
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
index 65a93e1..068455b 100644
--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007-2008 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -49,10 +49,108 @@ __FBSDID("$FreeBSD$");
 #include <net/if.h>
 #include <net/if_var.h>
 
+#include <netinet/in.h>
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+
 #include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 #include <security/mac/mac_policy.h>
 
+static struct label *
+mac_ip6q_label_alloc(int flag)
+{
+ struct label *label;
+ int error;
+
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
+
+ MAC_CHECK(ip6q_init_label, label, flag);
+ if (error) {
+ MAC_PERFORM(ip6q_destroy_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
+ }
+ return (label);
+}
+
+int
+mac_ip6q_init(struct ip6q *q6, int flag)
+{
+
+ if (mac_labeled & MPC_OBJECT_IPQ) {
+ q6->ip6q_label = mac_ip6q_label_alloc(flag);
+ if (q6->ip6q_label == NULL)
+ return (ENOMEM);
+ } else
+ q6->ip6q_label = NULL;
+ return (0);
+}
+
+static void
+mac_ip6q_label_free(struct label *label)
+{
+
+ MAC_PERFORM(ip6q_destroy_label, label);
+ mac_labelzone_free(label);
+}
+
+void
+mac_ip6q_destroy(struct ip6q *q6)
+{
+
+ if (q6->ip6q_label != NULL) {
+ mac_ip6q_label_free(q6->ip6q_label);
+ q6->ip6q_label = NULL;
+ }
+}
+
+void
+mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m)
+{
+ struct label *label;
+
+ label = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(ip6q_reassemble, q6, q6->ip6q_label, m, label);
+}
+
+void
+mac_ip6q_create(struct mbuf *m, struct ip6q *q6)
+{
+ struct label *label;
+
+ label = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(ip6q_create, m, label, q6, q6->ip6q_label);
+}
+
+int
+mac_ip6q_match(struct mbuf *m, struct ip6q *q6)
+{
+ struct label *label;
+ int result;
+
+ label = mac_mbuf_to_label(m);
+
+ result = 1;
+ MAC_BOOLEAN(ip6q_match, &&, m, label, q6, q6->ip6q_label);
+
+ return (result);
+}
+
+void
+mac_ip6q_update(struct mbuf *m, struct ip6q *q6)
+{
+ struct label *label;
+
+ label = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(ip6q_update, m, label, q6, q6->ip6q_label);
+}
+
 void
 mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
 {
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 63ba829..8a2f9f2 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -72,6 +72,7 @@ struct devfs_dirent;
 struct ifnet;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -201,6 +202,17 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
 struct label *label, struct inpcb *inp,
 struct label *inplabel);
 
+typedef void (*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
+ struct ip6q *q6, struct label *q6label);
+typedef void (*mpo_ip6q_destroy_label_t)(struct label *label);
+typedef int (*mpo_ip6q_init_label_t)(struct label *label, int flag);
+typedef int (*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
+ struct ip6q *q6, struct label *q6label);
+typedef void (*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
+ struct mbuf *m, struct label *mlabel);
+typedef void (*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
+ struct ip6q *q6, struct label *q6label);
+
 typedef void (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
 struct ipq *q, struct label *qlabel);
 typedef void (*mpo_ipq_destroy_label_t)(struct label *label);
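Review bot: `mac_ip6q_init()` decides whether to allocate an ip6q label with `if (mac_labeled & MPC_OBJECT_IPQ) {`, i.e. the IPv4 reassembly-queue object bit, while the mac_policy.h hunk in this same commit introduces a separate `MPC_OBJECT_IP6Q` bit for exactly this object. As written, a policy that registers only the ip6q entry points would never get a label allocated, so `mac_ip6q_create()`, `mac_ip6q_match()`, `mac_ip6q_update()` and `mac_ip6q_reassemble()` would presumably pass a NULL `q6label` into policy code, and a policy labeling only IPv4 queues would pay for labels it never consults. The condition should read `if (mac_labeled & MPC_OBJECT_IP6Q) {`. `mac_netinet6_nd6_send()` at the end of the hunk continues outside it.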
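Review bot: The new `typedef void (*mpo_ip6q_reassemble)(...)` is the only entry-point type in this hunk without the `_t` suffix that `mpo_ip6q_create_t`, `mpo_ip6q_destroy_label_t`, `mpo_ip6q_init_label_t`, `mpo_ip6q_match_t` and `mpo_ip6q_update_t` all carry; the `struct mac_policy_ops` hunk (`@@ -698,6 +710,13 @@`) then declares the member as `mpo_ip6q_reassemble mpo_ip6q_reassemble;`, a type and a field differing only in namespace, which reads as a typo and will collide if anyone later adds the conventional `_t` typedef. Suggest `typedef void (*mpo_ip6q_reassemble_t)(struct ip6q *q6, struct label *q6label,` here and `mpo_ip6q_reassemble_t mpo_ip6q_reassemble;` in the ops struct.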
@@ -698,6 +710,13 @@ struct mac_policy_ops {
 mpo_inpcb_init_label_t mpo_inpcb_init_label;
 mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
 
+ mpo_ip6q_create_t mpo_ip6q_create;
+ mpo_ip6q_destroy_label_t mpo_ip6q_destroy_label;
+ mpo_ip6q_init_label_t mpo_ip6q_init_label;
+ mpo_ip6q_match_t mpo_ip6q_match;
+ mpo_ip6q_reassemble mpo_ip6q_reassemble;
+ mpo_ip6q_update_t mpo_ip6q_update;
+
 mpo_ipq_create_t mpo_ipq_create;
 mpo_ipq_destroy_label_t mpo_ipq_destroy_label;
 mpo_ipq_init_label_t mpo_ipq_init_label;
@@ -970,6 +989,7 @@ struct mac_policy_conf {
 #define MPC_OBJECT_SYSVSEM 0x0000000000010000
 #define MPC_OBJECT_SYSVSHM 0x0000000000020000
 #define MPC_OBJECT_SYNCACHE 0x0000000000040000
+#define MPC_OBJECT_IP6Q 0x0000000000080000
 
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION, |