Date: Mon, 22 Jan 2007 15:55:30 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113338 for review Message-ID: <200701221555.l0MFtUvT024307@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113338
Change 113338 by millert@millert_macbook on 2007/01/22 15:54:30
Add IP fragment queue labeling; adapted from FreeBSD.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_input.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_var.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#34 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#43 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#67 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_input.c#4 (text+ko) ====
@@ -1000,6 +1000,9 @@
 if (ip->ip_id == fp->ipq_id &&
 ip->ip_src.s_addr == fp->ipq_src.s_addr &&
 ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
+#ifdef MAC
+ mac_ipq_label_compare(m, fp) &&
+#endif
 ip->ip_p == fp->ipq_p)
 goto found;
@@ -1222,6 +1225,14 @@
 if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
 goto dropfrag;
 fp = mtod(t, struct ipq *);
+#ifdef MAC
+ if (mac_ipq_label_init(fp, M_NOWAIT) != 0) {
+ m_free(t);
+ fp = NULL;
+ goto dropfrag;
+ }
+ mac_ipq_label_associate(m, fp);
+#endif
 insque((void*)fp, (void*)where);
 nipq++;
 fp->ipq_nfrags = 1;
@@ -1244,6 +1255,9 @@
 goto inserted;
 } else {
 fp->ipq_nfrags++;
+#ifdef MAC
+ mac_ipq_label_update(m, fp);
+#endif
 }
 #define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
@@ -1398,6 +1412,10 @@
 *divcookie = fp->ipq_div_cookie;
 #endif
+#ifdef MAC
+ mac_mbuf_label_associate_ipq(fp, m);
+ mac_ipq_label_destroy(fp);
+#endif
 /*
 * Create header for new ip packet by
 * modifying header of first packet;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_var.h#3 (text+ko) ====
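Review bot: The queue label is torn down only on the successful-reassembly path in the hunk at -1398, where `mac_ipq_label_destroy(fp)` follows `mac_mbuf_label_associate_ipq(fp, m)`; the path that frees a fragment queue on reassembly timeout or queue overflow (`ip_freef` in this file) is not touched by any hunk here, so a queue dropped there would keep its label storage and the policy's destroy entry point would never run for it, unless that path is already updated outside this change. The FreeBSD code this is adapted from destroys the label in its queue-free routine as well; the matching addition would be `#ifdef MAC` / `mac_ipq_label_destroy(fp);` / `#endif` just before the queue's mbuf is released there. The init-failure path in the hunk at -1222 looks right: clearing `fp` before `goto dropfrag` presumably keeps the drop label from touching a queue that was never linked into the list. All four hunks sit inside the reassembly function (`ip_reass`), whose body begins and ends outside them.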
@@ -102,6 +102,9 @@
 #endif
 u_int16_t ipq_div_cookie; /* ipfw divert cookie */
 #endif
+#ifdef MAC
+ struct label *ipq_label; /* MAC label */
+#endif
 };
 /*
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#34 (text+ko) ====
@@ -52,38 +52,39 @@
 #ifdef MAC
+struct attrlist;
 struct auditinfo;
-struct attrlist;
 struct bpf_d;
 struct componentname;
 struct devnode;
 struct fdescnode;
 struct fileglob;
 struct ifnet;
+struct ifreq;
 struct inpcb;
-struct ifreq;
+struct ipq;
 struct lctx;
+struct m_tag;
 struct mac;
 struct mac_module_data;
+struct mbuf;
 struct mount;
+struct pipe;
+struct proc;
 struct pseminfo;
 struct pshminfo;
-struct proc;
 struct semid_kernel;
 struct shmid_kernel;
+struct sockaddr;
+struct socket;
+struct task;
 struct thread;
 struct timespec;
 struct ucred;
 struct uio;
+struct vnode;
 struct vnode_attr;
-struct vnode;
-struct socket;
-struct sockaddr;
-struct mbuf;
-struct m_tag;
 struct vop_setlabel_args;
-struct pipe;
-struct task;
 /*@ macros */
 #define VNODE_LABEL_CREATE 1
@@ -167,6 +168,11 @@
 int mac_inpcb_label_init(struct inpcb *inp, int flag);
 void mac_inpcb_label_recycle(struct inpcb *inp);
 void mac_inpcb_label_update(struct socket *so);
+void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
+int mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
+void mac_ipq_label_destroy(struct ipq *ipq);
+int mac_ipq_label_init(struct ipq *ipq, int flag);
+void mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);
 struct label *mac_lctx_label_alloc(void);
 void mac_lctx_label_free(struct label *label);
 void mac_lctx_label_update(struct lctx *l, struct label *newlabel);
@@ -176,6 +182,7 @@
 void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
 void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
+void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
 void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
 void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_inet.c#3 (text+ko) ====
@@ -82,7 +82,6 @@
 return (0);
 }
-#ifdef notyet
 static struct label *
 mac_ipq_label_alloc(int flag)
 {
@@ -111,7 +110,6 @@
 return (ENOMEM);
 return (0);
 }
-#endif
 static void
 mac_inpcb_label_free(struct label *label)
@@ -136,7 +134,6 @@
 MAC_PERFORM(inpcb_label_recycle, inp->inp_label);
 }
-#ifdef notyet
 static void
 mac_ipq_label_free(struct label *label)
 {
@@ -146,13 +143,12 @@
 }
 void
-mac_ipq_destroy(struct ipq *ipq)
+mac_ipq_label_destroy(struct ipq *ipq)
 {
 mac_ipq_label_free(ipq->ipq_label);
 ipq->ipq_label = NULL;
 }
-#endif
 void
 mac_inpcb_label_associate(struct socket *so, struct inpcb *inp)
@@ -162,18 +158,15 @@
 inp->inp_label);
 }
-#ifdef notyet
-/* XXXMAC - rename these */
 void
-mac_ipq_reassemble(struct ipq *ipq, struct mbuf *datagram)
+mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *m)
 {
 struct label *label;
- label = mac_mbuf_to_label(datagram);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, datagram, label);
+ MAC_PERFORM(mbuf_label_associate_ipq, ipq, ipq->ipq_label, m, label);
 }
-#endif
 void
 mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment)
@@ -187,7 +180,6 @@
 fragmentlabel);
 }
-#ifdef notyet
 void
 mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq)
 {
@@ -197,7 +189,6 @@
 MAC_PERFORM(ipq_label_associate, fragment, label, ipq, ipq->ipq_label);
 }
-#endif
 void
 mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m)
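Review bot: The prototype added in the mac_framework.h hunk at -176 names its mbuf parameter `mbuf`, while the definition in the mac_inet.c hunk at -162 and every neighbouring prototype on the same lines use `m`; suggest `void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *m);` so header and definition agree. Dropping the `#ifdef notyet` guards (hunks at -82 through -197) means `ipq->ipq_label` in `mac_ipq_label_destroy` is now compiled, which requires a complete `struct ipq` from netinet/ip_var.h in mac_inet.c; no include change is visible in this diff, so confirm it is already there, since the forward declaration added to mac_framework.h is not enough for the dereference. The renamed functions are otherwise straight renames of the previously disabled bodies, and each enclosing function in these hunks begins or ends outside the hunk.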
@@ -210,9 +201,8 @@
 MAC_PERFORM(mbuf_label_associate_inpcb, inp, inp->inp_label, m, mlabel);
 }
-#ifdef notyet
 int
-mac_ipq_match(struct mbuf *fragment, struct ipq *ipq)
+mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
 int result;
@@ -220,11 +210,10 @@
 label = mac_mbuf_to_label(fragment);
 result = 1;
- MAC_BOOLEAN(ipq_match, &&, fragment, label, ipq, ipq->ipq_label);
+ MAC_BOOLEAN(ipq_label_compare, &&, fragment, label, ipq, ipq->ipq_label);
 return (result);
 }
-#endif
 void
 mac_netinet_icmp_reply(struct mbuf *m)
@@ -246,17 +235,15 @@
 MAC_PERFORM(netinet_tcp_reply, m, label);
 }
-#ifdef notyet
 void
-mac_ipq_update(struct mbuf *fragment, struct ipq *ipq)
+mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq)
 {
 struct label *label;
 label = mac_mbuf_to_label(fragment);
- MAC_PERFORM(ipq_update, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_label_update, fragment, label, ipq, ipq->ipq_label);
 }
-#endif
 int
 mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#43 (text+ko) ====
@@ -62,6 +62,7 @@
 struct fileglob;
 struct ifnet;
 struct inpcb;
+struct ipq;
 struct label;
 struct lctx;
 struct mac_module_data;
@@ -857,6 +858,10 @@
 /**
 @brief Destroy file label
 @param label The label to be destroyed
+
+ Destroy the label on a file descriptor. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
 */
 typedef void mpo_file_label_destroy_t(
 struct label *label
@@ -935,6 +940,10 @@
 /**
 @brief Destroy ifnet label
 @param label The label to be destroyed
+
+ Destroy the label on an ifnet label. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
 */
 typedef void mpo_ifnet_label_destroy_t(
 struct label *label
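Review bot: The new description in the mac_policy.h hunk at -935 reads `Destroy the label on an ifnet label.`, and the one at -1059 on the next line reads `Destroy the label on an inpcb label.`; both conflate the object with its label, unlike the -857 text `Destroy the label on a file descriptor.` that they were copied from. Suggest `Destroy the label on an ifnet.` and `Destroy the label on an inpcb.` respectively; the remaining sentences of each block are the shared boilerplate and read fine. The mac_inet.c hunks on this line are renames of previously disabled code, with `result = 1` and the `&&` fold in `mac_ipq_label_compare` meaning a fragment is accepted unless some loaded policy rejects it.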
@@ -1059,6 +1068,10 @@
 /**
 @brief Destroy inpcb label
 @param label The label to be destroyed
+
+ Destroy the label on an inpcb label. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
 */
 typedef void mpo_inpcb_label_destroy_t(
 struct label *label
@@ -1125,6 +1138,91 @@
 struct mac_module_data *mdata
 );
 /**
+ @brief Create an IP reassembly queue label
+ @param fragment First received IP fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP reassembly queue to be labeled
+ @param ipqlabel Policy label to be filled in for ipq
+
+ Set the label on a newly created IP reassembly queue from
+ the mbuf header of the first received fragment.
+*/
+typedef void mpo_ipq_label_associate_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
+ @brief Compare an mbuf header label to an ipq label
+ @param fragment IP datagram fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label for ipq
+
+ Compare the label of the mbuf header containing an IP datagram
+ (fragment) fragment with the label of the passed IP fragment
+ reassembly queue (ipq). Return (1) for a successful match, or (0)
+ for no match. This call is made when the IP stack attempts to
+ find an existing fragment reassembly queue for a newly received
+ fragment; if this fails, a new fragment reassembly queue may be
+ instantiated for the fragment. Policies may use this entry point
+ to prevent the reassembly of otherwise matching IP fragments if
+ policy does not permit them to be reassembled based on the label
+ or other information.
+*/
+typedef int mpo_ipq_label_compare_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
+ @brief Destroy IP reassembly queue label
+ @param label The label to be destroyed
+
+ Destroy the label on an IP fragment queue. In this entry point, a
+ policy module should free any internal storage associated with
+ label so that it may be destroyed.
+*/
+typedef void mpo_ipq_label_destroy_t(
+ struct label *label
+);
+/**
+ @brief Initialize IP reassembly queue label
+ @param label New label to initialize
+ @param flag M_WAITOK or M_NOWAIT
+
+ Initialize the label on a newly instantiated IP fragment reassembly
+ queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
+ should be employed to avoid performing a sleeping malloc(9) during
+ this initialization call. IP fragment reassembly queue allocation
+ frequently occurs in performance sensitive environments, and the
+ implementation should be careful to avoid sleeping or long-lived
+ operations. This entry point is permitted to fail resulting in
+ the failure to allocate the IP fragment reassembly queue.
+*/
+typedef int mpo_ipq_label_init_t(
+ struct label *label,
+ int flag
+);
+/**
+ @brief Update the label on an IP fragment reassembly queue
+ @param fragment IP fragment
+ @param fragmentlabel Policy label for fragment
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label to be updated for ipq
+
+ Update the label on an IP fragment reassembly queue (ipq) based
+ on the acceptance of the passed IP fragment mbuf header (fragment).
+*/
+typedef void mpo_ipq_label_update_t(
+ struct mbuf *fragment,
+ struct label *fragmentlabel,
+ struct ipq *ipq,
+ struct label *ipqlabel
+);
+/**
 @brief Access control check for relabelling Login Context
 @param l Subject credential
 @param newlabel New label to apply to the Login Context
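Review bot: The mpo_ipq_label_compare_t description in this hunk (which begins on the previous line) contains the phrase `containing an IP datagram (fragment) fragment`; suggest `containing an IP datagram fragment (fragment)` so the parenthetical names the parameter, as the other descriptions in the hunk do. Policy authors would also benefit from one sentence on how the result is combined, since mac_ipq_label_compare in mac_inet.c starts from 1 and ANDs every loaded policy's answer: `The results of all loaded policies are ANDed together; with no policy loaded the fragment is accepted.` The mpo_ipq_label_init_t text correctly tells implementors the call may be made with M_NOWAIT and may fail, which matches the `mac_ipq_label_init(fp, M_NOWAIT)` call site in ip_input.c.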
@@ -1310,6 +1408,22 @@
 struct label *m_label
 );
 /**
+ @brief Set the label on a newly reassembled IP datagram
+ @param ipq IP fragment reassembly queue
+ @param ipqlabel Policy label for ipq
+ @param mbuf IP datagram to be labeled
+ @param mbuflabel Policy label to be filled in for mbuf
+
+ Set the label on a newly reassembled IP datagram (mbuf) from the IP
+ fragment reassembly queue (ipq) from which it was generated.
+*/
+typedef void mpo_mbuf_label_associate_ipq_t(
+ struct ipq *ipq,
+ struct label *ipqlabel,
+ struct mbuf *mbuf,
+ struct label *mbuflabel
+);
+/**
 @brief Assign a label to a new mbuf
 @param ifp Subject; network interface
 @param i_label Existing label of ifp
@@ -5431,6 +5545,11 @@
 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
 mpo_iokit_check_device_t *mpo_iokit_check_device;
+ mpo_ipq_label_associate_t *mpo_ipq_label_associate;
+ mpo_ipq_label_compare_t *mpo_ipq_label_compare;
+ mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
+ mpo_ipq_label_init_t *mpo_ipq_label_init;
+ mpo_ipq_label_update_t *mpo_ipq_label_update;
 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
@@ -5443,6 +5562,7 @@
 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
+ mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#67 (text+ko) ====
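Review bot: The five `mpo_ipq_*` members in the hunk at -5431 and the `mpo_mbuf_label_associate_ipq` member at -5443 are inserted in the middle of the policy operations structure, which shifts the offset of every member that follows; a policy module built against the previous header and loaded against this one would have its later entry points dispatched through the wrong slots. If this header carries a version constant for the operations structure, it should be bumped in the same change, and the commit description should mention that all policies must be rebuilt. The operations structure itself begins and ends outside both hunks, and the mpo_mbuf_label_associate_ipq_t description in the hunk at -1310 reads fine.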
@@ -1,6 +1,6 @@
-/*-
+/*
 * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
- * Copyright (c) 2005-2006 SPARTA, Inc.
+ * Copyright (c) 2005-2007 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by NAI Labs, the
@@ -950,6 +950,14 @@
 }
 static void
+sebsd_mbuf_label_associate_ipq(struct ipq *ipq, struct label *ipqlabel,
+ struct mbuf *mbuf, struct label *mbuflabel)
+{
+
+ sebsd_label_copy(ipqlabel, mbuflabel);
+}
+
+static void
 sebsd_posixsem_label_associate(struct ucred *cred, struct pseminfo *psem,
 struct label *psemlabel, const char *name)
 {
@@ -3143,6 +3151,34 @@
 }
 static void
+sebsd_ipq_label_associate(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+
+ sebsd_label_copy(fragmentlabel, ipqlabel);
+}
+
+static int
+sebsd_ipq_label_compare(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+ struct network_security_struct *fragsec, *ipqsec;
+
+ fragsec = SLOT(fragmentlabel);
+ ipqsec = SLOT(ipqlabel);
+
+ return (fragsec->sid == ipqsec->sid);
+}
+
+static void
+sebsd_ipq_label_update(struct mbuf *fragment, struct label *fragmentlabel,
+ struct ipq *ipq, struct label *ipqlabel)
+{
+
+ sebsd_label_copy(fragmentlabel, ipqlabel);
+}
+
+static void
 sebsd_netinet_fragment(struct mbuf *mbuf, struct label *mlabel,
 struct mbuf *frag, struct label *flabel)
 {
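Review bot: `sebsd_ipq_label_update` in the hunk at -3143 copies the fragment label onto the queue label unconditionally, but `sebsd_ipq_label_compare` in the same hunk only lets a fragment join a queue when the two `sid` values are equal, so by the time update runs the copy presumably changes nothing unless `network_security_struct` carries fields beyond `sid`; a one-line comment such as `/* compare already required equal SIDs; the copy only resyncs any other fields */` would stop the next reader from looking for a hidden reason. `sebsd_ipq_label_compare` dereferences both `SLOT()` results without a NULL check, which as far as these hunks show matches the other network entry points in the file, so it only needs a second look if a fragment can reach it with an uninitialised mbuf label. The unused `fragment`/`ipq` parameters are the normal shape for these entry points.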
@@ -3542,9 +3578,15 @@
 .mpo_inpcb_label_init = sebsd_label_init2,
 .mpo_inpcb_label_recycle = sebsd_label_recycle,
 .mpo_inpcb_label_update = sebsd_inpcb_label_update,
+ .mpo_ipq_label_associate = sebsd_ipq_label_associate,
+ .mpo_ipq_label_compare = sebsd_ipq_label_compare,
+ .mpo_ipq_label_destroy = sebsd_label_destroy,
+ .mpo_ipq_label_init = sebsd_label_init2,
+ .mpo_ipq_label_update = sebsd_ipq_label_update,
 .mpo_mbuf_label_associate_bpfdesc = sebsd_mbuf_label_associate_bpfdesc,
 .mpo_mbuf_label_associate_ifnet = sebsd_mbuf_label_associate_ifnet,
 .mpo_mbuf_label_associate_inpcb = sebsd_mbuf_label_associate_inpcb,
+ .mpo_mbuf_label_associate_ipq = sebsd_mbuf_label_associate_ipq,
 .mpo_mbuf_label_associate_linklayer = sebsd_mbuf_label_associate_ifnet,
 .mpo_mbuf_label_associate_netlayer = sebsd_mbuf_label_associate_netlayer,
 .mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,