PERFORCE change 36619 for review

Robert Watson rwatson at FreeBSD.org
Thu Aug 21 11:45:20 PDT 2003


http://perforce.freebsd.org/chv.cgi?CH=36619

Change 36619 by rwatson at rwatson_tislabs on 2003/08/21 11:44:46

	Loop-back integration of ICMP and TCP "reflect" MAC entry points
	from FreeBSD main tree to TrustedBSD base branch.

Affected files ...

.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#47 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/ip_icmp.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/tcp_subr.c#26 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac.h#30 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac_policy.h#30 integrate

Differences ...

==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#47 (text+ko) ====

@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.96 2003/08/21 13:52:59 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.97 2003/08/21 18:21:22 rwatson Exp $");
 
 #include "opt_mac.h"
 #include "opt_devfs.h"
@@ -2398,6 +2398,25 @@
 }
 
 void
+mac_reflect_mbuf_icmp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+}
+void
+mac_reflect_mbuf_tcp(struct mbuf *m)
+{
+	struct label *label;
+
+	label = mbuf_to_label(m);
+
+	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+}
+
+void
 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
 {
 	struct label *label;
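Review bot: The two new entry points are not separated by a blank line — the `}` closing mac_reflect_mbuf_icmp is immediately followed by the `void` of mac_reflect_mbuf_tcp — which breaks the one-blank-line-between-functions layout the rest of the hunk follows (there is one before mac_update_ipq). Neither function carries a comment saying what a policy is expected to do with the label it is handed; a short header on each, e.g. `/* Allow MAC policies to update the label of an ICMP reply that is being reflected without an associated socket. */` (and the TCP equivalent), would tell policy authors that the label is modified in place rather than derived from a socket or credential. The "without a socket" wording is taken from the tcp_subr.c call site in this change; the ICMP side should be confirmed against the caller. mac_update_ipq's body continues outside the hunk.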

==== //depot/projects/trustedbsd/base/sys/netinet/ip_icmp.c#15 (text+ko) ====

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
- * $FreeBSD: src/sys/netinet/ip_icmp.c,v 1.78 2003/03/21 15:43:06 mdodd Exp $
+ * $FreeBSD: src/sys/netinet/ip_icmp.c,v 1.79 2003/08/21 18:39:15 rwatson Exp $
  */
 
 #include "opt_ipsec.h"
@@ -648,6 +648,9 @@
 		goto done;
 	}
 match:
+#ifdef MAC
+	mac_reflect_mbuf_icmp(m);
+#endif
 	t = IA_SIN(ia)->sin_addr;
 	ip->ip_src = t;
 	ip->ip_ttl = ip_defttl;
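Review bot: The new mac_reflect_mbuf_icmp(m) call sits bare at the `match:` label with no explanation, whereas the TCP call site in this same change documents why the label is being updated in place. It is also worth noting in that comment that the hook runs before ip_src and ip_ttl are rewritten on the following lines, so a policy sees the header fields as received, not as they will be sent; suggested text: `/* Reflected reply has no socket; let MAC policies relabel it in place before the source address is rewritten. */`. Whether that ordering is intended or the hook should follow the rewrite is not decidable from the hunk. The enclosing function starts and ends outside the hunk.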

==== //depot/projects/trustedbsd/base/sys/netinet/tcp_subr.c#26 (text+ko) ====

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)tcp_subr.c	8.2 (Berkeley) 5/24/95
- * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.160 2003/05/07 05:26:27 rwatson Exp $
+ * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.161 2003/08/21 18:39:16 rwatson Exp $
  */
 
 #include "opt_compat.h"
@@ -488,10 +488,10 @@
 		mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
 	} else {
 		/*
-		 * XXXMAC: This will need to call a mac function that
-		 * modifies the mbuf label in place for TCP datagrams
-		 * not associated with a PCB.
+		 * Packet is not associated with a socket, so possibly
+		 * update the label in place.
 		 */
+		mac_reflect_mbuf_tcp(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);
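Review bot: The replacement comment "so possibly update the label in place" is less precise than the XXXMAC note it replaces: the call on the next line is unconditional, and it is the registered policies, not this code, that decide whether to change anything. Suggest `/* Packet is not associated with a socket; let MAC policies update its label in place. */`. The `#ifdef MAC` that the visible `#endif` closes, and the enclosing function, begin outside the hunk.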

==== //depot/projects/trustedbsd/base/sys/sys/mac.h#30 (text+ko) ====

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/sys/mac.h,v 1.41 2003/08/21 13:52:59 rwatson Exp $
+ * $FreeBSD: src/sys/sys/mac.h,v 1.42 2003/08/21 18:21:22 rwatson Exp $
  */
 /*
  * Userland/kernel interface for Mandatory Access Control.
@@ -210,6 +210,8 @@
 	    struct ifnet *ifnet, struct mbuf *newmbuf);
 void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void	mac_reflect_mbuf_icmp(struct mbuf *m);
+void	mac_reflect_mbuf_tcp(struct mbuf *m);
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 
 /*

==== //depot/projects/trustedbsd/base/sys/sys/mac_policy.h#30 (text+ko) ====

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/sys/mac_policy.h,v 1.42 2003/08/21 13:52:59 rwatson Exp $
+ * $FreeBSD: src/sys/sys/mac_policy.h,v 1.43 2003/08/21 18:21:22 rwatson Exp $
  */
 /*
  * Kernel interface for MAC policy modules.
@@ -241,6 +241,9 @@
 	int	(*mpo_fragment_match)(struct mbuf *fragment,
 		    struct label *fragmentlabel, struct ipq *ipq,
 		    struct label *ipqlabel);
+	void	(*mpo_reflect_mbuf_icmp)(struct mbuf *m,
+		    struct label *mlabel);
+	void	(*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
 	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct label *newlabel);
 	void	(*mpo_update_ipq)(struct mbuf *fragment,

