From 369fd04f480478bfb9d2cb1566ec0189185a020e Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 28 Oct 2007 17:12:48 +0000
Subject: Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
---
 sys/security/mac_mls/mac_mls.c | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)
(limited to 'sys/security/mac_mls')
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 46deacf..701eb6d 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1226,18 +1226,6 @@ mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
 	mls_copy_effective(source, dest);
 }
 
-static void
-mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
-    struct mbuf *mnew, struct label *mnewlabel)
-{
-	struct mac_mls *source, *dest;
-
-	source = SLOT(mlabel);
-	dest = SLOT(mnewlabel);
-
-	mls_copy_effective(source, dest);
-}
-
 static int
 mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
     struct label *ipqlabel)
@@ -1305,6 +1293,18 @@ mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
 }
 
 static void
+mls_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
+    struct mbuf *msend, struct label *msendlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(mrecvlabel);
+	dest = SLOT(msendlabel);
+
+	mls_copy_effective(source, dest);
+}
+
+static void
 mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *dest;
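Review bot: mls_netinet_firewall_reply has no comment explaining why the outbound reply is labeled from the in-bound packet, and its body is the same four statements as the mls_mbuf_create_netlayer deleted in the first hunk and as the mls_netinet_icmp_reply added in the next one, so the intent is only recoverable from the commit message. A one-line comment above the definition would fix that, e.g. `/* A firewall-generated reply (RST etc.) inherits the effective MLS label of the in-bound segment it answers, so it stays at the sender's level. */`. Only the effective component is copied, which matches mls_mbuf_create_multicast_encap in the first hunk's context, presumably because mbuf labels carry no range — worth confirming against the label-init code. With three identical bodies, a single static helper called from both reply entry points (or pointing both ops at one function) would keep them from drifting apart.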
@@ -1316,6 +1316,18 @@ mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 }
 
 static void
+mls_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
+    struct mbuf *msend, struct label *msendlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(mrecvlabel);
+	dest = SLOT(msendlabel);
+
+	mls_copy_effective(source, dest);
+}
+
+static void
 mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
@@ -2983,7 +2995,6 @@ static struct mac_policy_ops mls_ops =
 	.mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
 	.mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
 	.mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
-	.mpo_mbuf_create_netlayer = mls_mbuf_create_netlayer,
 	.mpo_ipq_match = mls_ipq_match,
 	.mpo_ifnet_relabel = mls_ifnet_relabel,
 	.mpo_ipq_update = mls_ipq_update,
@@ -3069,7 +3080,9 @@ static struct mac_policy_ops mls_ops =
 	.mpo_vnode_check_write = mls_vnode_check_write,
 	.mpo_netatalk_aarp_send = mls_netatalk_aarp_send,
 	.mpo_netinet_arp_send = mls_netinet_arp_send,
+	.mpo_netinet_firewall_reply = mls_netinet_firewall_reply,
 	.mpo_netinet_firewall_send = mls_netinet_firewall_send,
+	.mpo_netinet_icmp_reply = mls_netinet_icmp_reply,
 	.mpo_netinet_igmp_send = mls_netinet_igmp_send,
 	.mpo_netinet6_nd6_send = mls_netinet6_nd6_send,
 };
-- 
cgit v1.1
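Review bot: The last hunk registers .mpo_netinet_icmp_reply but nothing for the in-place variant, even though the commit message says the old mac_netinet_icmp_reply() is being renamed to mac_netinet_icmp_replyinplace(); if the framework now exposes a separate replyinplace slot, this policy leaves it unset, and whether the framework treats an unset slot as a no-op cannot be confirmed from this file. That is fine if the in-place case reuses an mbuf whose label is already set, but the decision should be recorded so a later reader does not mistake it for an omission, e.g. `/* In-place ICMP replies keep the received mbuf's label; no replyinplace hook. */` next to the new .mpo_netinet_icmp_reply line. The mls_ops initializer starts before this hunk, so other netinet slots cannot be checked here.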