From 369fd04f480478bfb9d2cb1566ec0189185a020e Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 28 Oct 2007 17:12:48 +0000
Subject: Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
---
 sys/security/mac_test/mac_test.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
(limited to 'sys/security/mac_test')
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 69b5c27..b0d4ea8 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1050,18 +1050,6 @@ test_mbuf_create_multicast_encap(struct mbuf *oldmbuf,
 COUNTER_INC(mbuf_create_multicast_encap);
 }
-COUNTER_DECL(mbuf_create_netlayer);
-static void
-test_mbuf_create_netlayer(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct mbuf *newmbuf,
- struct label *newmbuflabel)
-{
-
- LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
- LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
- COUNTER_INC(mbuf_create_netlayer);
-}
-
 COUNTER_DECL(ipq_match);
 static int
 test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
@@ -1099,13 +1087,24 @@ test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
 COUNTER_DECL(netinet_icmp_reply);
 static void
-test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
+test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
+ struct mbuf *msend, struct label *msendlabel)
 {
- LABEL_CHECK(mlabel, MAGIC_MBUF);
+ LABEL_CHECK(mrecvlabel, MAGIC_MBUF);
+ LABEL_CHECK(msendlabel, MAGIC_MBUF);
 COUNTER_INC(netinet_icmp_reply);
 }
+COUNTER_DECL(netinet_icmp_replyinplace);
+static void
+test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel)
+{
+
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(netinet_icmp_replyinplace);
+}
+
 COUNTER_DECL(netinet_igmp_send);
 static void
 test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
@@ -2722,11 +2721,11 @@ static struct mac_policy_ops test_ops =
 .mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
 .mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
 .mpo_mbuf_create_multicast_encap = test_mbuf_create_multicast_encap,
- .mpo_mbuf_create_netlayer = test_mbuf_create_netlayer,
 .mpo_ipq_match = test_ipq_match,
 .mpo_netatalk_aarp_send = test_netatalk_aarp_send,
 .mpo_netinet_arp_send = test_netinet_arp_send,
 .mpo_netinet_icmp_reply = test_netinet_icmp_reply,
+ .mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace,
 .mpo_netinet_igmp_send = test_netinet_igmp_send,
 .mpo_netinet_tcp_reply = test_netinet_tcp_reply,
 .mpo_netinet6_nd6_send = test_netinet6_nd6_send,
--
cgit v1.1
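Review bot: Nothing in the second hunk (-1099/+1087) documents how `test_netinet_icmp_reply` and `test_netinet_icmp_replyinplace` differ, and the reused name now has a different signature. A one-line comment above each would stop a later reader from wiring the wrong one, for example `/* Reply built in a new mbuf: check the received and the outgoing label. */` and `/* Reply reuses the received mbuf: one label, relabelled in place. */`. That wording is inferred from the commit message and the parameter names, so confirm it against the framework's entry-point definitions. The mbuf pointers themselves are unused in both bodies; only the labels reach `LABEL_CHECK`.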
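Review bot: In the `test_ops` hunk (-2722/+2721) the table loses `.mpo_mbuf_create_netlayer` and gains only `.mpo_netinet_icmp_replyinplace`, so the test policy has no hook for the `mac_netinet_firewall_reply()` entry point named in the commit message. If pf/ipfw replies now go through that entry point, their mbuf labels are no longer checked by `mac_test`, which the removed netlayer hook appears to have covered. Consider adding a `test_netinet_firewall_reply` with the same two-label `LABEL_CHECK` as `test_netinet_icmp_reply` and registering it as `.mpo_netinet_firewall_reply = test_netinet_firewall_reply,`, after checking the field name against the policy ops definition. The initializer starts and ends outside this hunk.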