svn commit: r187039 - head/sys/net

Robert Watson rwatson at FreeBSD.org
Sat Jan 10 15:50:23 PST 2009


Author: rwatson
Date: Sat Jan 10 23:50:23 2009
New Revision: 187039
URL: http://svn.freebsd.org/changeset/base/187039

Log:
  Do invoke mac_ifnet_check_transmit() and mac_ifnet_create_mbuf()
  in the loopback and synthetic loopback code so that packets are
  access control checked and relabeled.  Previously, the MAC
  Framework enforced that packets sent over the loopback weren't
  relabeled, but this will allow policies to make explicit choices
  about how and whether to relabel packets on the loopback.  Also,
  for SIMPLEX devices, this produces more consistent behavior for
  looped back packets to the local MAC address by labeling those
  packets as coming from the interface.
  
  Discussed with:	csjp
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/net/if_loop.c

Modified: head/sys/net/if_loop.c
==============================================================================
--- head/sys/net/if_loop.c	Sat Jan 10 22:49:02 2009	(r187038)
+++ head/sys/net/if_loop.c	Sat Jan 10 23:50:23 2009	(r187039)
@@ -38,6 +38,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipx.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -82,6 +83,8 @@
 #include <netatalk/at_var.h>
 #endif
 
+#include <security/mac/mac_framework.h>
+
 #ifdef TINY_LOMTU
 #define	LOMTU	(1024+512)
 #elif defined(LARGE_LOMTU)
@@ -176,9 +179,20 @@ looutput(struct ifnet *ifp, struct mbuf 
     struct rtentry *rt)
 {
 	u_int32_t af;
+#ifdef MAC
+	int error;
+#endif
 
 	M_ASSERTPKTHDR(m); /* check if we have the packet header */
 
+#ifdef MAC
+	error = mac_ifnet_check_transmit(ifp, m);
+	if (error) {
+		m_freem(m);
+		return (error);
+	}
+#endif
+
 	if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
 		m_freem(m);
 		return (rt->rt_flags & RTF_BLACKHOLE ? 0 :
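Review bot: The new MAC transmit check at the top of looutput() sits before the RTF_REJECT/RTF_BLACKHOLE route check with no comment saying why, so a later reader may move it below the route logic and let a denied packet take the blackhole return path instead of the MAC error. A one-line comment above the `#ifdef MAC` block would pin the ordering: `/* MAC: deny before any route or loopback processing; the reject/blackhole path below is reached only for permitted packets. */`. Freeing the mbuf on denial matches the reject path immediately below, so no further change is needed there. looutput()'s signature and the rest of its body lie outside this hunk.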
@@ -230,6 +244,10 @@ if_simloop(struct ifnet *ifp, struct mbu
 	m_tag_delete_nonpersistent(m);
 	m->m_pkthdr.rcvif = ifp;
 
+#ifdef MAC
+	mac_ifnet_create_mbuf(ifp, m);
+#endif
+
 	/*
 	 * Let BPF see incoming packet in the following manner:
 	 *  - Emulated packet loopback for a simplex interface
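Review bot: mac_ifnet_create_mbuf() is called unconditionally right after rcvif is assigned, presumably replacing whatever label the sending path attached, and nothing at the call site records that this is the deliberate relabeling point the log message describes. Suggest `/* MAC: relabel the packet as received on ifp; policies decide whether to keep the sender's label. */` above the call, which also documents the apparent dependency on `m->m_pkthdr.rcvif = ifp;` two lines earlier — confirm the relabel does read rcvif before relying on that. if_simloop()'s body starts and ends outside this hunk.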

