From 63e89c05d2dd3463fdb87ade28334a74d7c6e6f0 Mon Sep 17 00:00:00 2001
From: csjp
Date: Tue, 12 Sep 2006 04:25:13 +0000
Subject: Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets. This takes care of kernel panics associated with un-initialize mbuf labels when the firewall generates packets. [1] I modified this patch from it's original version, the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error() This will minimize the impact associated with the MFC Submitted by: mlaier [1] MFC after: 1 week This is a RELENG_6 candidate
---
 sys/security/mac_lomac/mac_lomac.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'sys/security/mac_lomac/mac_lomac.c')
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index b68fd25..8ae03e0 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1446,6 +1446,17 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 mac_lomac_copy_single(source, dest);
 }
 
+static void
+mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(label);
+
+ /* XXX: where is the label for the firewall really comming from? */
+ mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
 /*
 * Labeling event operations: processes.
 */
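Review bot: `mac_lomac_create_mbuf_from_firewall` stamps every firewall-generated mbuf with `MAC_LOMAC_TYPE_EQUAL` and never reads `m`, so the label does not depend on the packet or rule that made the firewall emit it; if EQUAL behaves here as it does elsewhere in LOMAC (comparable with any grade), these packets are exempt from the policy's integrity comparisons. That addresses the uninitialised-label panic, but the XXX comment leaves the trust decision undocumented. I would replace it with a comment stating the choice and its cost, e.g. `/* No source mbuf or subject to inherit from: label EQUAL so firewall replies are always deliverable; this exempts them from grade checks. */`, and mark the unused parameter as `struct mbuf *m __unused`. Longer term, deriving the label from the triggering packet, as the commit message says `mac_create_mbuf_netlayer()` does for `icmp_error()`, would probably avoid handing an EQUAL label to replies elicited by low-integrity traffic.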
@@ -2685,6 +2696,7 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
 .mpo_check_vnode_write = mac_lomac_check_vnode_write,
 .mpo_thread_userret = mac_lomac_thread_userret,
+ .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
 };

 MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
--
cgit v1.1