From 9ab1b809a699a946549597ae9770a70675b2c5a0 Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Wed, 31 Jul 2002 18:30:34 +0000
Subject: Introduce support for Mandatory Access Control and extensible kernel
 access control.

Instrument the raw IP socket code for packet generation and delivery:
label outgoing mbufs with the label of the socket, and check the
socket and mbuf labels before permitting delivery to a socket,
permitting MAC policies to selectively allow delivery of raw IP mbufs
to various raw IP sockets that may be open.  Restructure the policy
checking code to compose IPsec and MAC results in a more readable
manner.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
---
 sys/netinet/raw_ip.c | 58 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 41 insertions(+), 17 deletions(-)

(limited to 'sys/netinet/raw_ip.c')

diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f104cfc..2ea6a1a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -36,6 +36,7 @@
 
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_mac.h"
 #include "opt_random_ip_id.h"
 
 #include <sys/param.h>
@@ -144,16 +145,27 @@ rip_input(m, off)
 			continue;
 		if (last) {
 			struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
-
-#ifdef IPSEC
-			/* check AH/ESP integrity. */
-			if (n && ipsec4_in_reject_so(n, last->inp_socket)) {
-				m_freem(n);
-				ipsecstat.in_polvio++;
-				/* do not inject data to pcb */
-			} else
+			int policyfail = 0;
+
+			if (n != NULL) {
+#ifdef IPSSEC
+				/* check AH/ESP integrity. */
+				if (ipsec4_in_reject_so(n, last->inp_socket)) {
+					policyfail = 1;
+					ipsecstat.in_polvio++;
+					/* do not inject data to pcb */
+				}
 #endif /*IPSEC*/
-			if (n) {
+#ifdef MAC
+				if (policyfail == 0 &&
+				    mac_check_socket_receive(last->inp_socket,
+				    n) != 0)
+					policyfail = 1;
+#endif
+			}
+			if (policyfail)
+				m_freem(n);
+			else if (n) {
 				if (last->inp_flags & INP_CONTROLOPTS ||
 				    last->inp_socket->so_options & SO_TIMESTAMP)
 				    ip_savecontrol(last, &opts, ip, n);
@@ -171,16 +183,24 @@ rip_input(m, off)
 		}
 		last = inp;
 	}
+	if (last) {
 #ifdef IPSEC
-	/* check AH/ESP integrity. */
-	if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
-		m_freem(m);
-		ipsecstat.in_polvio++;
-		ipstat.ips_delivered--;
-		/* do not inject data to pcb */
-	} else
+		/* check AH/ESP integrity. */
+		if (ipsec4_in_reject_so(m, last->inp_socket)) {
+			m_freem(m);
+			ipsecstat.in_polvio++;
+			ipstat.ips_delivered--;
+			/* do not inject data to pcb */
+			return;
+		}
 #endif /*IPSEC*/
-	if (last) {
+#ifdef MAC
+		if (mac_check_socket_receive(last->inp_socket, m) != 0) {
+			m_freem(m);
+			ipstat.ips_delivered--;
+			return;
+		}
+#endif
 		if (last->inp_flags & INP_CONTROLOPTS ||
 		    last->inp_socket->so_options & SO_TIMESTAMP)
 			ip_savecontrol(last, &opts, ip, m);
@@ -212,6 +232,10 @@ rip_output(m, so, dst)
 	register struct inpcb *inp = sotoinpcb(so);
 	int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST;
 
+#ifdef MAC
+	mac_create_mbuf_from_socket(so, m);
+#endif
+
 	/*
 	 * If the user handed us a complete IP packet, use it.
 	 * Otherwise, allocate an mbuf for a header and fill it in.
-- 
cgit v1.1