PERFORCE change 113342 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 16:01:48 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113342

Change 113342 by millert at millert_macbook on 2007/01/22 16:01:13

	Use security_netif_sid() to get the sid for a network
	interface based on its name.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#68 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#7 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#68 (text+ko) ====

@@ -72,6 +72,8 @@
 #include <sys/event.h>
 #include <sys/wait.h>
 
+#include <net/kpi_interface.h>
+
 #include <libkern/OSByteOrder.h>
 #include <libkern/OSAtomic.h>
 #include <miscfs/devfs/devfs.h>
@@ -933,6 +935,14 @@
 }
 
 static void
+sebsd_mbuf_label_associate_linklayer(struct ifnet *ifn, struct label *ilabel,
+    struct mbuf *m, struct label *mlabel)
+{
+
+	sebsd_label_copy(ilabel, mlabel);
+}
+
+static void
 sebsd_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
     struct label *oldmbuflabel, struct mbuf *newmbuf,
     struct label *newmbuflabel)
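Review bot: sebsd_mbuf_label_associate_linklayer has no comment stating what the hook does, and its ifn and m parameters are never read, which -Wunused-parameter will flag on every build. A one-line comment above the definition such as `/* A link-layer mbuf inherits the label of the interface it is associated with. */` would record the intent, and `(void)ifn; (void)m;` at the top of the body would make the unused parameters deliberate rather than accidental. The hunk ends inside the signature of sebsd_mbuf_label_associate_netlayer, whose body is outside this view.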
@@ -3061,14 +3071,13 @@
 sebsd_ifnet_label_associate(struct ifnet *ifp, struct label *ifnetlabel)
 {
 	struct network_security_struct *nsec;
+	u_int32_t msg_sid;
 
-	/*
-	 * We just set the label to a default value and require that
-	 * the system set a more specific value at ifconfig time.
-	 */
 	nsec = SLOT(ifnetlabel);
+	/* XXX - should not need NULL check */
 	if (nsec != NULL) {
-		nsec->sid = SECINITSID_NETIF;
+		/* NOTE: msg_sid has been deprecated and is unused. */
+		security_netif_sid(ifnet_name(ifp), &nsec->sid, &msg_sid);
 		nsec->sclass = SECCLASS_NETIF;
 	}
 }
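Review bot: The return value of security_netif_sid() is discarded, so when the lookup for the interface name fails nsec->sid is left holding whatever the label slot already contained instead of the SECINITSID_NETIF default the removed line used to guarantee. If the call follows the SELinux signature it returns an int status, so the default should stay as the fallback: `if (security_netif_sid(ifnet_name(ifp), &nsec->sid, &msg_sid) != 0)` followed by `nsec->sid = SECINITSID_NETIF;`. The deleted comment about setting a default and refining it at ifconfig time could be replaced by one noting that the SID is now derived from the policy's netif entry for the interface name, with the initial SID as the fallback.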
@@ -3587,7 +3596,7 @@
 	.mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
 	.mpo_mbuf_label_associate_inpcb = sebsd_mbuf_label_associate_inpcb,
 	.mpo_mbuf_label_associate_ipq = sebsd_mbuf_label_associate_ipq,
-	.mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
+	.mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_linklayer,
 	.mpo_mbuf_label_associate_netlayer = sebsd_mbuf_label_associate_netlayer,
 	.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
 	.mpo_mbuf_label_copy = sebsd_label_copy,

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#7 (text+ko) ====

@@ -47,8 +47,9 @@
 	u_int16_t sclass;
 	u_int16_t behavior;	/* only used for mount */
 };
-#define	task_sid	osid	/* XXX - need to be separate if polymorphic */
+#define	task_sid	osid
 
+/* Subsystem-specific label structs are used for improved readability */
 #define	task_security_struct	sebsd_label
 #define	file_security_struct	sebsd_label
 #define	vnode_security_struct	sebsd_label

