diff options
| author | Robert Watson <rwatson@FreeBSD.org> | 2003-08-21 18:21:22 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2003-08-21 18:21:22 +0000 |
| commit | eb8c7f999290d0cd203ab601aa1ebe613a7822ff (patch) | |
| tree | 269bdd075acbd16f8db9b0379a3518d07ca3cd76 /sys | |
| parent | 69d1b638df93b52d502ff77a5a5318b4e024188e (diff) | |
| download | src-eb8c7f999290d0cd203ab601aa1ebe613a7822ff.tar.gz src-eb8c7f999290d0cd203ab601aa1ebe613a7822ff.zip | |
Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()
These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket. For example, in respond to a ping or a RST
packet to a SYN on a closed port.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes:
svn path=/head/; revision=119244
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/kern/kern_mac.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 2 | ||||
| -rw-r--r-- | sys/security/mac/mac_internal.h | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_net.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 3 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_system.c | 19 | ||||
| -rw-r--r-- | sys/security/mac/mac_vfs.c | 19 | ||||
| -rw-r--r-- | sys/sys/mac.h | 2 | ||||
| -rw-r--r-- | sys/sys/mac_policy.h | 3 |
13 files changed, 181 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index dcd883151556..490b492f1b86 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 046c2fc099cc..b0d882985b07 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -210,6 +210,8 @@ void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); +void mac_reflect_mbuf_icmp(struct mbuf *m); +void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); /* diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index d38efe423dd7..005d6c7704d2 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -241,6 +241,9 @@ struct mac_policy_ops { int (*mpo_fragment_match)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); + void (*mpo_reflect_mbuf_icmp)(struct mbuf *m, + struct label *mlabel); + void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel); void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); void (*mpo_update_ipq)(struct mbuf *fragment, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index dcd883151556..490b492f1b86 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -2398,6 +2398,25 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) } void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { struct label *label; diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 046c2fc099cc..b0d882985b07 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -210,6 +210,8 @@ void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); +void mac_reflect_mbuf_icmp(struct mbuf *m); +void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); /* diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index d38efe423dd7..005d6c7704d2 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -241,6 +241,9 @@ struct mac_policy_ops { int (*mpo_fragment_match)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); + void (*mpo_reflect_mbuf_icmp)(struct mbuf *m, + struct label *mlabel); + void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel); void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); void (*mpo_update_ipq)(struct mbuf *fragment, |