From 32ed1a62a81fa74b7ba72050f7fcc471b032f95c Mon Sep 17 00:00:00 2001
From: rwatson
Date: Thu, 21 Aug 2003 18:21:22 +0000
Subject: Introduce two new MAC Framework and MAC policy entry points:

mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place" changes to the labels on ICMP and TCP mbuf headers when an ICMP or TCP response is generated to a packet outside of the context of an existing socket. For example, in respond to a ping or a RST packet to a SYN on a closed port.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/kern/kern_mac.c | 19 +++++++++++++++++++
 sys/security/mac/mac_framework.c | 19 +++++++++++++++++++
 sys/security/mac/mac_framework.h | 2 ++
 sys/security/mac/mac_internal.h | 19 +++++++++++++++++++
 sys/security/mac/mac_net.c | 19 +++++++++++++++++++
 sys/security/mac/mac_pipe.c | 19 +++++++++++++++++++
 sys/security/mac/mac_policy.h | 3 +++
 sys/security/mac/mac_process.c | 19 +++++++++++++++++++
 sys/security/mac/mac_syscalls.c | 19 +++++++++++++++++++
 sys/security/mac/mac_system.c | 19 +++++++++++++++++++
 sys/security/mac/mac_vfs.c | 19 +++++++++++++++++++
 sys/sys/mac.h | 2 ++
 sys/sys/mac_policy.h | 3 +++
 13 files changed, 181 insertions(+)
(limited to 'sys')

diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index dcd8831..490b492 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
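Review bot: Neither new entry point carries a comment stating its contract, and mac_reflect_mbuf_tcp is not separated from the closing `+}` of mac_reflect_mbuf_icmp by a blank line, unlike every other function boundary visible in this hunk (`+}` is followed directly by `+void`). Unlike the neighbouring mac_update_ipq, these are invoked for a reply built with no socket in scope, so the only label a policy is handed is whatever `mbuf_to_label(m)` returns for the reply mbuf, and the comment should say that the policy rewrites that label in place rather than producing a new one. I would add above mac_reflect_mbuf_icmp `/* Let policies update, in place, the label of an ICMP reply mbuf generated without a socket (e.g. an echo reply). */` and the analogous note, naming the RST-to-closed-port case, above mac_reflect_mbuf_tcp, plus the missing blank line between the two definitions. Whether mbuf_to_label() can return NULL for an mbuf that carries no label is not visible here; if it can, both functions pass that NULL straight through to the policies, which is at least consistent with mac_update_ipq below but worth confirming.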
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 046c2fc..b0d8829 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -210,6 +210,8 @@ void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
 struct ifnet *ifnet, struct mbuf *newmbuf);
 void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void mac_reflect_mbuf_icmp(struct mbuf *m);
+void mac_reflect_mbuf_tcp(struct mbuf *m);
 void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 
 /*
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
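Review bot: The mac_internal.h hunk puts full, non-static definitions of mac_reflect_mbuf_icmp and mac_reflect_mbuf_tcp into a header, and the byte-identical hunk (same `index dcd8831..490b492`, same `@@ -2398,6 +2398,25 @@` context and same trailing mac_update_ipq lines) is repeated for mac_framework.c, mac_net.c, mac_pipe.c and every other .c file in this patch. Taken at face value, that defines the same two external functions in each of those translation units and in every file that includes the header, which cannot link; the identical blob hashes across unrelated paths suggest the mirror has rendered a single kern_mac.c change under many file names rather than a genuine multi-file change, but that should be confirmed against the upstream commit before anything is merged from this page. If the header hunk is real it should hold prototypes only, `void mac_reflect_mbuf_icmp(struct mbuf *m);` and `void mac_reflect_mbuf_tcp(struct mbuf *m);`, as the mac_framework.h hunk just above already does.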
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index d38efe4..005d6c7 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -241,6 +241,9 @@ struct mac_policy_ops {
 int (*mpo_fragment_match)(struct mbuf *fragment,
 struct label *fragmentlabel, struct ipq *ipq,
 struct label *ipqlabel);
+ void (*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+ struct label *mlabel);
+ void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 struct label *ifnetlabel, struct label *newlabel);
 void (*mpo_update_ipq)(struct mbuf *fragment,
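Review bot: The new mpo_reflect_mbuf_icmp and mpo_reflect_mbuf_tcp members in the mac_policy.h hunk are added with no comment saying what `mlabel` is or what a policy may do to it, and because both ops return void a policy has no way to refuse the reflection, only to relabel it; that design choice deserves a sentence too. A comment above the pair such as `/* Update in place the label of an ICMP or TCP reply mbuf generated without a socket; mlabel is the reply mbuf's own label and a policy may not veto the reply. */` would make the contract explicit for policy authors. Since the reply goes back to whoever sent the triggering packet, it is also worth stating that a policy should derive the new label from its own or interface state rather than trusting the label the inbound packet arrived with; the commit message says the label is updated in place but not whether the mbuf passed is the reused inbound one, so that starting value is my inference and should be confirmed from the callers.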
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index dcd8831..490b492 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+ struct label *label;
+
+ label = mbuf_to_label(m);
+
+ MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 046c2fc..b0d8829 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -210,6 +210,8 @@ void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
 struct ifnet *ifnet, struct mbuf *newmbuf);
 void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void mac_reflect_mbuf_icmp(struct mbuf *m);
+void mac_reflect_mbuf_tcp(struct mbuf *m);
 void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 
 /*
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index d38efe4..005d6c7 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -241,6 +241,9 @@ struct mac_policy_ops {
 int (*mpo_fragment_match)(struct mbuf *fragment,
 struct label *fragmentlabel, struct ipq *ipq,
 struct label *ipqlabel);
+ void (*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+ struct label *mlabel);
+ void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 struct label *ifnetlabel, struct label *newlabel);
 void (*mpo_update_ipq)(struct mbuf *fragment,
-- 
cgit v1.1