-rw-r--r--sys/security/mac/mac_framework.h4
-rw-r--r--sys/security/mac/mac_inet.c54
-rw-r--r--sys/security/mac/mac_policy.h10
3 files changed, 68 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index a895cfe..c8c41c2 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -210,6 +210,10 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
void mac_create_mbuf_from_firewall(struct mbuf *m);
+void mac_destroy_syncache(struct label **label);
+int mac_init_syncache(struct label **label);
+void mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp);
+void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
/*
* Labeling event operations: processes.
*/
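Review bot: The new prototype `int mac_init_syncache(struct label **label);` does not say who owns the storage it writes through `label`, and the matching `mac_destroy_syncache` is the only hint that the callee allocates. A short comment above the four declarations would spare policy and syncache authors a trip into mac_inet.c, for example `/* Syncache labels: mac_init_syncache() allocates *label (M_NOWAIT, may fail with ENOMEM); the caller releases it with mac_destroy_syncache(). */`. The state of `*label` after a failed init is worth stating explicitly once it is settled, since the current implementation in mac_inet.c does not reset it.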
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 0d35e48..7896332 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -288,3 +288,57 @@ mac_create_mbuf_from_firewall(struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_mbuf_from_firewall, m, label);
}
+
+/*
+ * These functions really should be referencing the syncache structure instead
+ * of the label. However, due to some of the complexities associated with
+ * exposing this syncache structure we operate directly on it's label pointer.
+ * This should be OK since we aren't making any access control decisions within
+ * this code directly, we are merely allocating and copying label storage so
+ * we can properly initialize mbuf labels for any packets the syncache code
+ * might create.
+ */
+void
+mac_destroy_syncache(struct label **label)
+{
+
+ MAC_PERFORM(destroy_syncache_label, *label);
+ mac_labelzone_free(*label);
+ *label = NULL;
+}
+
+int
+mac_init_syncache(struct label **label)
+{
+ int error;
+
+ *label = mac_labelzone_alloc(M_NOWAIT);
+ if (*label == NULL)
+ return (ENOMEM);
+ /*
+ * Since we are holding the inpcb locks the policy can not allocate
+ * policy specific label storage using M_WAITOK. So we need to do a
+ * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate
+ * allocation failures back to the syncache code.
+ */
+ MAC_CHECK(init_syncache_label, *label, M_NOWAIT);
+ return (error);
+}
+
+void
+mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+
+ INP_LOCK_ASSERT(inp);
+ MAC_PERFORM(init_syncache_from_inpcb, label, inp);
+}
+
+void
+mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)
+{
+ struct label *mbuf_label;
+
+ M_ASSERTPKTHDR(m);
+ mbuf_label = mac_mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label);
+}
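Review bot: In `mac_init_syncache` the label allocated by `mac_labelzone_alloc` is leaked when `MAC_CHECK(init_syncache_label, ...)` returns an error, and `*label` is left pointing at that storage while the caller receives a non-zero return. Since MAC_CHECK runs every registered policy, a failure in one policy presumably leaves the others' per-policy storage already attached, so the cleanup has to go through `destroy_syncache_label` before freeing the zone slot, exactly as `mac_destroy_syncache` above does. Unless the syncache caller is known to call `mac_destroy_syncache` on the error path (not visible here), the function should unwind its own allocation and leave `*label` NULL so the caller sees a consistent state. The same M_NOWAIT reasoning in the existing comment applies to the unwind: `mac_labelzone_free` and the destroy hook must not sleep under the inpcb lock, which the existing destroy path already assumes.
```c
	MAC_CHECK(init_syncache_label, *label, M_NOWAIT);
	if (error) {
		/*
		 * A policy failed to attach its storage; tear down whatever
		 * the policies that succeeded set up and hand back NULL so
		 * the syncache does not keep a dangling label pointer.
		 */
		MAC_PERFORM(destroy_syncache_label, *label);
		mac_labelzone_free(*label);
		*label = NULL;
	}
	return (error);
```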
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index f7c5670..e75a1e3 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -331,6 +331,12 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
struct label *label);
+typedef void (*mpo_destroy_syncache_label_t)(struct label *label);
+typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
+typedef void (*mpo_init_syncache_from_inpcb_t)(struct label *label,
+ struct inpcb *inp);
+typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
+ struct mbuf *m, struct label *mbuf_label);
/*
* Labeling event operations: processes.
*/
@@ -888,6 +894,10 @@ struct mac_policy_ops {
mpo_check_vnode_write_t mpo_check_vnode_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_init_syncache_label_t mpo_init_syncache_label;
+ mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
+ mpo_init_syncache_from_inpcb_t mpo_init_syncache_from_inpcb;
+ mpo_create_mbuf_from_syncache_t mpo_create_mbuf_from_syncache;
mpo_priv_check_t mpo_priv_check;
mpo_priv_grant_t mpo_priv_grant;
};
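Review bot: The four new members are inserted into `struct mac_policy_ops` ahead of `mpo_priv_check` and `mpo_priv_grant`, which shifts the offsets of those two entry points for every policy module built against the previous header; a stale module would hand the framework its privilege hooks at the wrong slots. If the header's policy ABI version (the value the framework compares at module load, MAC_VERSION in this header if it still carries one) gates loading, it should be bumped in the same commit, otherwise appending the members after `mpo_priv_grant` avoids the layout change entirely. As a point of style, the typedef hunk earlier in this file lists destroy before init (`mpo_destroy_syncache_label_t`, then `mpo_init_syncache_label_t`) while this hunk lists init before destroy; matching the order in both places, and in the mac_framework.h prototypes, makes the ops table easier to audit against its typedefs.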