From owner-trustedbsd-cvs@FreeBSD.ORG Mon Jan 22 16:23:25 2007 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 663B716A406 for ; Mon, 22 Jan 2007 16:23:25 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 60A7313C428 for ; Mon, 22 Jan 2007 16:23:23 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by cyrus.watson.org (Postfix) with ESMTP id 3E55748D5D for ; Mon, 22 Jan 2007 11:23:21 -0500 (EST) Received: from hub.freebsd.org (hub.freebsd.org [69.147.83.54]) by mx2.freebsd.org (Postfix) with ESMTP id DDBEFCFB62; Mon, 22 Jan 2007 16:23:18 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id D43FC16A40D; Mon, 22 Jan 2007 16:23:18 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9A31016A409 for ; Mon, 22 Jan 2007 16:23:18 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 88CA413C471 for ; Mon, 22 Jan 2007 16:23:18 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l0MGNIJx031244 for ; Mon, 22 Jan 2007 16:23:18 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l0MGNIl9031240 for perforce@freebsd.org; Mon, 22 Jan 2007 16:23:18 GMT (envelope-from millert@freebsd.org) Date: Mon, 22 Jan 2007 16:23:18 GMT Message-Id: 
<200701221623.l0MGNIl9031240@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 113362 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jan 2007 16:23:25 -0000 http://perforce.freebsd.org/chv.cgi?CH=113362 Change 113362 by millert@millert_macbook on 2007/01/22 16:22:40 Add address family and socket type to mac_ifnet_check_transmit() and mac_inpcb_check_deliver() so we have the info sedarwin needs to make policy decisions for ifnets. This requires a hack to find the socket type of an mbuf for mac_ifnet_check_transmit(). A better solution may be possible by changing where the entrypoint is called. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/udp_usrreq.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#38 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#13 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#46 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#7 (text+ko) ==== 
@@ -1023,6 +1023,47 @@ return result; } +#ifdef MAC +#include +#include +static int dlil_get_socket_type(struct mbuf **mp, int family, int raw) +{ + struct mbuf *m; + struct ip *ip; + struct ip6_hdr *ip6; + int type = SOCK_RAW; + + if (!raw) { + switch (family) { + case PF_INET: + m = m_pullup(*mp, sizeof(struct ip)); + if (m == NULL) + break; + *mp = m; + ip = mtod(m, struct ip *); + if (ip->ip_p == IPPROTO_TCP) + type = SOCK_STREAM; + else if (ip->ip_p == IPPROTO_UDP) + type = SOCK_DGRAM; + break; + case PF_INET6: + m = m_pullup(*mp, sizeof(struct ip6_hdr)); + if (m == NULL) + break; + *mp = m; + ip6 = mtod(m, struct ip6_hdr *); + if (ip6->ip6_nxt == IPPROTO_TCP) + type = SOCK_STREAM; + else if (ip6->ip6_nxt == IPPROTO_UDP) + type = SOCK_DGRAM; + break; + } + } + + return (type); +} +#endif + int dlil_output_list( struct ifnet* ifp, @@ -1094,7 +1135,8 @@ do { #ifdef MAC - retval = mac_ifnet_check_transmit(ifp, m); + retval = mac_ifnet_check_transmit(ifp, m, proto_family, + dlil_get_socket_type(&m, proto_family, raw)); if (retval) { m_freem(m); goto cleanup; @@ -1227,7 +1269,8 @@ } #ifdef MAC - retval = mac_ifnet_check_transmit(ifp, m); + retval = mac_ifnet_check_transmit(ifp, m, proto_family, + dlil_get_socket_type(&m, proto_family, raw)); if (retval) { m_freem(m); goto cleanup; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#8 (text+ko) ==== @@ -228,7 +228,8 @@ #endif /*IPSEC*/ #ifdef MAC if (n && skipit == 0) { - if (mac_inpcb_check_deliver(last, n) != 0) + if (mac_inpcb_check_deliver(last, n, AF_INET, + SOCK_RAW) != 0) skipit = 1; } #endif @@ -277,7 +278,7 @@ #endif /*IPSEC*/ #ifdef MAC if (last && skipit == 0) { - if (mac_inpcb_check_deliver(last, m) != 0) + if (mac_inpcb_check_deliver(last, m, AF_INET, SOCK_RAW) != 0) skipit = 1; } #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#8 (text+ko) ==== 
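Review bot: dlil_get_socket_type() leaves its caller holding a freed mbuf when m_pullup() fails: in both the PF_INET and PF_INET6 cases a NULL result just breaks out and returns SOCK_RAW with *mp untouched, but m_pullup() in the BSD mbuf code frees the chain it was handed on failure, so the caller then passes the dead chain to mac_ifnet_check_transmit() and eventually m_freem()s it a second time. The helper should report the failure and clear the caller's pointer so the transmit path can bail out (callers would then test `m == NULL` before the MAC check). Two further caveats deserve a comment above the function: `type` is inferred from the packet's IP protocol field rather than from the sending socket, so a raw socket using IP_HDRINCL can make its packets classify as SOCK_STREAM or SOCK_DGRAM, and IPv6 packets carrying extension headers classify as SOCK_RAW because only ip6_nxt is examined, so policies must treat the value as advisory. The start of dlil_output_list() at the end of the hunk continues outside it.
```c
/*
 * Best-effort guess of the socket type behind an outbound packet, taken
 * from the IP protocol field; advisory only (a raw sender can forge it,
 * and IPv6 extension headers hide the transport protocol).  Returns -1
 * and sets *mp to NULL when m_pullup() fails -- the chain has already
 * been freed by then and must not be touched again.
 */
static int dlil_get_socket_type(struct mbuf **mp, int family, int raw)
{
	/* … unchanged: locals … */
	if (!raw) {
		switch (family) {
		case PF_INET:
			m = m_pullup(*mp, sizeof(struct ip));
			if (m == NULL) {
				*mp = NULL;
				return (-1);
			}
			/* … unchanged: ip_p -> type classification, break … */
		case PF_INET6:
			m = m_pullup(*mp, sizeof(struct ip6_hdr));
			if (m == NULL) {
				*mp = NULL;
				return (-1);
			}
			/* … unchanged: ip6_nxt -> type classification, break … */
		}
	}

	return (type);
}
```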
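Review bot: The new call reads `m` and invokes `dlil_get_socket_type(&m, …)` in the same argument list, and C leaves the order in which arguments are evaluated unspecified, so `m` may be fetched before the helper replaces it through m_pullup(); depending on the compiler, mac_ifnet_check_transmit() then sees the old head while the loop variable already holds the new one, and the old head may have been released by m_pullup(). Compute the type first, e.g. `type = dlil_get_socket_type(&m, proto_family, raw);` followed by `retval = mac_ifnet_check_transmit(ifp, m, proto_family, type);` (with a local `int type;`). The enclosing do-loop of dlil_output_list() starts and ends outside the hunk.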
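Review bot: This second call site inherits the failure-path problem of the helper: when m_pullup() inside dlil_get_socket_type() fails it frees the chain, yet the helper returns SOCK_RAW and leaves `m` as it was, so mac_ifnet_check_transmit() is called on a freed mbuf and the `if (retval)` branch m_freem()s it again. Once the helper signals failure, guard here with `type = dlil_get_socket_type(&m, proto_family, raw); if (m == NULL) goto cleanup;` ahead of the MAC check, hoisting the call out of the argument list as well so that it no longer depends on argument evaluation order. Whether `cleanup` tolerates a NULL `m` cannot be seen from the hunk; the enclosing function starts and ends outside it, so confirm against the rest of dlil_output_list().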
@@ -911,7 +911,7 @@ tiwin = th->th_win; #ifdef MAC - if (mac_inpcb_check_deliver(inp, m)) + if (mac_inpcb_check_deliver(inp, m, AF_INET, SOCK_STREAM)) goto drop; #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/udp_usrreq.c#4 (text+ko) ==== @@ -697,7 +697,7 @@ struct mbuf *opts = 0; #ifdef MAC - if (mac_inpcb_check_deliver(last, n) != 0) { + if (mac_inpcb_check_deliver(last, n, AF_INET, SOCK_DGRAM) != 0) { m_freem(n); return; } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#38 (text+ko) ==== @@ -154,7 +154,8 @@ void mac_file_label_associate(struct ucred *cred, struct fileglob *fg); void mac_file_label_destroy(struct fileglob *fg); void mac_file_label_init(struct fileglob *fg); -int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf); +int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf, + int family, int type); void mac_ifnet_label_associate(struct ifnet *ifp); void mac_ifnet_label_destroy(struct ifnet *ifp); int mac_ifnet_label_get(struct ucred *cred, struct ifreq *ifr, @@ -163,7 +164,8 @@ void mac_ifnet_label_recycle(struct ifnet *ifp); int mac_ifnet_label_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp); -int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf); +int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf, + int family, int type); void mac_inpcb_label_associate(struct socket *so, struct inpcb *inp); void mac_inpcb_label_destroy(struct inpcb *inp); int mac_inpcb_label_init(struct inpcb *inp, int flag); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#4 (text+ko) ==== @@ -246,7 +246,7 @@ } int -mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m) +mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m, int family, int type) { struct label *label; int error; 
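Review bot: The family is hard-coded to AF_INET, but tcp_input() in XNU is the common entry for IPv4 and IPv6 segments (tcp6_input() hands v6 traffic to it and the function tracks that with an `isipv6` flag under #if INET6), so v6 deliveries would be presented to policies as AF_INET while the transmit side from dlil reports them as PF_INET6. If that flag exists in this tree — the function body is outside the hunk — the call should read `if (mac_inpcb_check_deliver(inp, m, isipv6 ? AF_INET6 : AF_INET, SOCK_STREAM))`. As far as I can tell the raw_ip.c and udp_usrreq.c call sites are v4-only paths, so AF_INET is appropriate there.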
@@ -256,7 +256,8 @@ label = mac_mbuf_to_label(m); - MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label); + MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label, + family, type); return (error); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#13 (text+ko) ==== @@ -377,7 +377,8 @@ } int -mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf) +mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf, int family, + int type) { struct label *label; int error; @@ -385,7 +386,8 @@ label = mac_mbuf_to_label(mbuf); ifnet_lock_shared(ifp); - MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, mbuf, label); + MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, mbuf, label, + family, type); ifnet_lock_done(ifp); return (error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#46 (text+ko) ==== @@ -900,6 +900,8 @@ @param ifnetlabel Label of the network interfaces @param m The mbuf to be transmitted @param mbuflabel Label of the mbuf to be transmitted + @param family Address Family, AF_* + @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} Determine whether the mbuf with label mbuflabel may be transmitted through the network interface represented by ifp that has the @@ -912,7 +914,9 @@ struct ifnet *ifp, struct label *ifnetlabel, struct mbuf *m, - struct label *mbuflabel + struct label *mbuflabel, + int family, + int type ); /** @brief Create a network interface label @@ -1036,6 +1040,8 @@ @param inplabel Label of the inpcb @param m The mbuf being received @param mbuflabel Label of the mbuf being received + @param family Address family, AF_* + @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} Determine whether the mbuf with label mbuflabel may be received by the socket associated with inpcb that has the label inplabel. 
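Review bot: The new @param lines in the mpo_ifnet_check_transmit documentation describe `type` as the type of socket, but the caller added in this change (dlil_output_list() via dlil_get_socket_type()) has no socket at hand and derives the value from the packet's IP protocol field, falling back to SOCK_RAW for raw output, non-IP families and anything it cannot parse, so a policy author reading "Type of socket" would assume a stronger guarantee than is delivered. Suggest `@param type Socket type inferred from the packet's IP protocol field (SOCK_STREAM, SOCK_DGRAM), or SOCK_RAW when the packet is raw, non-IP or not determinable; advisory only, not the sender's socket type`, and `@param family Protocol family of the packet as passed by dlil (PF_*/AF_*)`. The mac_policy_ops structure these members belong to extends beyond the hunk.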
@@ -1047,7 +1053,9 @@ struct inpcb *inp, struct label *inplabel, struct mbuf *m, - struct label *mbuflabel + struct label *mbuflabel, + int family, + int type ); /** @brief Create an inpcb label