From owner-svn-src-head@FreeBSD.ORG  Sun Oct 26 22:45:18 2008
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 99E461065672;
	Sun, 26 Oct 2008 22:45:18 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 862F58FC0C;
	Sun, 26 Oct 2008 22:45:18 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id m9QMjIW0099569;
	Sun, 26 Oct 2008 22:45:18 GMT (envelope-from rwatson@svn.freebsd.org)
Received: (from rwatson@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id m9QMjITE099564;
	Sun, 26 Oct 2008 22:45:18 GMT (envelope-from rwatson@svn.freebsd.org)
Message-Id: <200810262245.m9QMjITE099564@svn.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 26 Oct 2008 22:45:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r184307 - in head/sys: netinet6 security/mac
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Oct 2008 22:45:18 -0000

Author: rwatson
Date: Sun Oct 26 22:45:18 2008
New Revision: 184307
URL: http://svn.freebsd.org/changeset/base/184307

Log:
  Add a MAC label, MAC Framework, and MAC policy entry points for IPv6
  fragment reassembly queues.
  
  This allows policies to label reassembly queues, perform access
  control checks when matching fragments to a queue, update a queue
  label when fragments are matched, and label the resulting
  reassembled datagram.
  
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/netinet6/frag6.c
  head/sys/netinet6/ip6_var.h
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_inet6.c
  head/sys/security/mac/mac_policy.h

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Sun Oct 26 22:11:31 2008	(r184306)
+++ head/sys/netinet6/frag6.c	Sun Oct 26 22:45:18 2008	(r184307)
@@ -32,6 +32,8 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
@@ -56,6 +58,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_systm.h>	/* for ECN definitions */
 #include <netinet/ip.h>		/* for ECN definitions */
 
+#include <security/mac/mac_framework.h>
+
 /*
  * Define it to get a correct behavior on per-interface statistics.
  * You will need to perform an extra routing table lookup, per fragment,
@@ -228,7 +232,11 @@ frag6_input(struct mbuf **mp, int *offp,
 	for (q6 = V_ip6q.ip6q_next; q6 != &V_ip6q; q6 = q6->ip6q_next)
 		if (ip6f->ip6f_ident == q6->ip6q_ident &&
 		    IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &q6->ip6q_src) &&
-		    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &q6->ip6q_dst))
+		    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &q6->ip6q_dst)
+#ifdef MAC
+		    && mac_ip6q_match(m, q6)
+#endif
+		    )
 			break;
 
 	if (q6 == &V_ip6q) {
@@ -254,7 +262,13 @@ frag6_input(struct mbuf **mp, int *offp,
 		if (q6 == NULL)
 			goto dropfrag;
 		bzero(q6, sizeof(*q6));
-
+#ifdef MAC
+		if (mac_ip6q_init(q6, M_NOWAIT) != 0) {
+			free(q6, M_FTABLE);
+			goto dropfrag;
+		}
+		mac_ip6q_create(m, q6);
+#endif
 		frag6_insque(q6, &V_ip6q);
 
 		/* ip6q_nxt will be filled afterwards, from 1st fragment */
@@ -461,6 +475,10 @@ frag6_input(struct mbuf **mp, int *offp,
 #endif
 
 insert:
+#ifdef MAC
+	if (!first_frag)
+		mac_ip6q_update(m, q6);
+#endif
 
 	/*
 	 * Stick new segment in its place;
@@ -533,6 +551,9 @@ insert:
 		if ((t = m_split(m, offset, M_DONTWAIT)) == NULL) {
 			frag6_remque(q6);
 			V_frag6_nfrags -= q6->ip6q_nfrag;
+#ifdef MAC
+			mac_ip6q_destroy(q6);
+#endif
 			free(q6, M_FTABLE);
 			V_frag6_nfragpackets--;
 			goto dropfrag;
@@ -551,6 +572,10 @@ insert:
 
 	frag6_remque(q6);
 	V_frag6_nfrags -= q6->ip6q_nfrag;
+#ifdef MAC
+	mac_ip6q_reassemble(q6, m);
+	mac_ip6q_destroy(q6);
+#endif
 	free(q6, M_FTABLE);
 	V_frag6_nfragpackets--;
 
@@ -623,6 +648,9 @@ frag6_freef(struct ip6q *q6)
 	}
 	frag6_remque(q6);
 	V_frag6_nfrags -= q6->ip6q_nfrag;
+#ifdef MAC
+	mac_ip6q_destroy(q6);
+#endif
 	free(q6, M_FTABLE);
 	V_frag6_nfragpackets--;
 }

Modified: head/sys/netinet6/ip6_var.h
==============================================================================
--- head/sys/netinet6/ip6_var.h	Sun Oct 26 22:11:31 2008	(r184306)
+++ head/sys/netinet6/ip6_var.h	Sun Oct 26 22:45:18 2008	(r184307)
@@ -83,6 +83,7 @@ struct	ip6q {
 	u_char		*ip6q_nxtp;
 #endif
 	int		ip6q_nfrag;	/* # of fragments */
+	struct label	*ip6q_label;
 };
 
 struct	ip6asfrag {

Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h	Sun Oct 26 22:11:31 2008	(r184306)
+++ head/sys/security/mac/mac_framework.h	Sun Oct 26 22:45:18 2008	(r184307)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -60,6 +60,7 @@ struct ifnet;
 struct ifreq;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -138,6 +139,13 @@ void	mac_inpcb_destroy(struct inpcb *);
 int	mac_inpcb_init(struct inpcb *, int);
 void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 
+void	mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
+void	mac_ip6q_destroy(struct ip6q *q6);
+int	mac_ip6q_init(struct ip6q *q6, int);
+int	mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
+void	mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
+void	mac_ip6q_update(struct mbuf *m, struct ip6q *q6);
+
 void	mac_ipq_create(struct mbuf *m, struct ipq *q);
 void	mac_ipq_destroy(struct ipq *q);
 int	mac_ipq_init(struct ipq *q, int);

Modified: head/sys/security/mac/mac_inet6.c
==============================================================================
--- head/sys/security/mac/mac_inet6.c	Sun Oct 26 22:11:31 2008	(r184306)
+++ head/sys/security/mac/mac_inet6.c	Sun Oct 26 22:45:18 2008	(r184307)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007-2008 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -49,10 +49,108 @@ __FBSDID("$FreeBSD$");
 #include <net/if.h>
 #include <net/if_var.h>
 
+#include <netinet/in.h>
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+
 #include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 #include <security/mac/mac_policy.h>
 
+static struct label *
+mac_ip6q_label_alloc(int flag)
+{
+	struct label *label;
+	int error;
+
+	label = mac_labelzone_alloc(flag);
+	if (label == NULL)
+		return (NULL);
+
+	MAC_CHECK(ip6q_init_label, label, flag);
+	if (error) {
+		MAC_PERFORM(ip6q_destroy_label, label);
+		mac_labelzone_free(label);
+		return (NULL);
+	}
+	return (label);
+}
+
+int
+mac_ip6q_init(struct ip6q *q6, int flag)
+{
+
+	if (mac_labeled & MPC_OBJECT_IPQ) {
+		q6->ip6q_label = mac_ip6q_label_alloc(flag);
+		if (q6->ip6q_label == NULL)
+			return (ENOMEM);
+	} else
+		q6->ip6q_label = NULL;
+	return (0);
+}
+
+static void
+mac_ip6q_label_free(struct label *label)
+{
+
+	MAC_PERFORM(ip6q_destroy_label, label);
+	mac_labelzone_free(label);
+}
+
+void
+mac_ip6q_destroy(struct ip6q *q6)
+{
+
+	if (q6->ip6q_label != NULL) {
+		mac_ip6q_label_free(q6->ip6q_label);
+		q6->ip6q_label = NULL;
+	}
+}
+
+void
+mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_reassemble, q6, q6->ip6q_label, m, label);
+}
+
+void
+mac_ip6q_create(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_create, m, label, q6, q6->ip6q_label);
+}
+
+int
+mac_ip6q_match(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+	int result;
+
+	label = mac_mbuf_to_label(m);
+
+	result = 1;
+	MAC_BOOLEAN(ip6q_match, &&, m, label, q6, q6->ip6q_label);
+
+	return (result);
+}
+
+void
+mac_ip6q_update(struct mbuf *m, struct ip6q *q6)
+{
+	struct label *label;
+
+	label = mac_mbuf_to_label(m);
+
+	MAC_PERFORM(ip6q_update, m, label, q6, q6->ip6q_label);
+}
+
 void
 mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
 {

Modified: head/sys/security/mac/mac_policy.h
==============================================================================
--- head/sys/security/mac/mac_policy.h	Sun Oct 26 22:11:31 2008	(r184306)
+++ head/sys/security/mac/mac_policy.h	Sun Oct 26 22:45:18 2008	(r184307)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -72,6 +72,7 @@ struct devfs_dirent;
 struct ifnet;
 struct image_params;
 struct inpcb;
+struct ip6q;
 struct ipq;
 struct ksem;
 struct label;
@@ -201,6 +202,17 @@ typedef void	(*mpo_inpcb_sosetlabel_t)(s
 		    struct label *label, struct inpcb *inp,
 		    struct label *inplabel);
 
+typedef void	(*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+typedef void	(*mpo_ip6q_destroy_label_t)(struct label *label);
+typedef int	(*mpo_ip6q_init_label_t)(struct label *label, int flag);
+typedef int	(*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+typedef void	(*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
+		    struct mbuf *m, struct label *mlabel);
+typedef void	(*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
+		    struct ip6q *q6, struct label *q6label);
+
 typedef void	(*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
 		    struct ipq *q, struct label *qlabel);
 typedef void	(*mpo_ipq_destroy_label_t)(struct label *label);
@@ -698,6 +710,13 @@ struct mac_policy_ops {
 	mpo_inpcb_init_label_t			mpo_inpcb_init_label;
 	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;
 
+	mpo_ip6q_create_t			mpo_ip6q_create;
+	mpo_ip6q_destroy_label_t		mpo_ip6q_destroy_label;
+	mpo_ip6q_init_label_t			mpo_ip6q_init_label;
+	mpo_ip6q_match_t			mpo_ip6q_match;
+	mpo_ip6q_reassemble			mpo_ip6q_reassemble;
+	mpo_ip6q_update_t			mpo_ip6q_update;
+
 	mpo_ipq_create_t			mpo_ipq_create;
 	mpo_ipq_destroy_label_t			mpo_ipq_destroy_label;
 	mpo_ipq_init_label_t			mpo_ipq_init_label;
@@ -970,6 +989,7 @@ struct mac_policy_conf {
 #define	MPC_OBJECT_SYSVSEM		0x0000000000010000
 #define	MPC_OBJECT_SYSVSHM		0x0000000000020000
 #define	MPC_OBJECT_SYNCACHE		0x0000000000040000
+#define	MPC_OBJECT_IP6Q			0x0000000000080000
 
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,