From 32ed1a62a81fa74b7ba72050f7fcc471b032f95c Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Thu, 21 Aug 2003 18:21:22 +0000
Subject: Introduce two new MAC Framework and MAC policy entry points:

  mac_reflect_mbuf_icmp()
  mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket.  For example, in respond to a ping or a RST
packet to a SYN on a closed port.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
---
 sys/security/mac/mac_syscalls.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'sys/security/mac/mac_syscalls.c')

diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 	struct label *label;
-- 
cgit v1.1