Date:      Sun, 18 Jun 2006 09:43:12 +0800
From:      zhouyi zhou <zhouyi04@ios.cn>
To:        Max Laier <max@love2party.net>
Cc:        trustedbsd-discuss@freebsd.org
Subject:   Re: MAC Framework has confict with IP firewall
Message-ID:  <20060618094312.7fec4f77.zhouyi04@ios.cn>
In-Reply-To: <200606180008.53676.max@love2party.net>
References:  <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net> <200606180008.53676.max@love2party.net>

Thanks for the modification!!!
I have three small suggestions, maybe inappropriate :-)


1)
Would you think that in
static void
mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
and so on, assigning an mls/low label to the generated mbuf is better?
As far as I know, in BLP-kind systems mls/low is the default label for the system
software and system behaviour.

2)
I added Ethernet address matching for PF in FreeBSD like that in OpenBSD
by simply maintaining a chain of which MAC address gets which tag:
//net/if_ethersubr.c
static void
ether_input(struct ifnet *ifp, struct mbuf *m)
{
        struct ether_header *eh;
        u_short etype;

.......
#ifdef  DEV_PF
        PF_TAG_MBUF(m);         /* tag the frame by MAC address before pf sees it */
#endif
//contrib/pf/pf_ioctl.c
void
pf_tag_mbuf(struct mbuf *mbuf)
{
        struct ether_header *eh;
        struct pfmac_rule_element *rule_iterator = pfmac_rule_chain;
        struct ether_header zero_header;

        /* an all-zero address in a rule means "match any" */
        bzero(&zero_header.ether_dhost, 6);
        bzero(&zero_header.ether_shost, 6);
        eh = mtod(mbuf, struct ether_header *);
        /* walk the chain in order; the first rule whose source and
         * destination both match wins */
        while (rule_iterator) {
                if ((!memcmp(eh->ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6) ||
                     !memcmp(zero_header.ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6)) &&
                    (!memcmp(eh->ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6) ||
                     !memcmp(zero_header.ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)))
                        break;
                rule_iterator = rule_iterator->next;
        }
        /* no matching rule: leave the mbuf untagged */
        if (rule_iterator != NULL)
                pf_tag_packet(mbuf, NULL, pf_tagname2tag(rule_iterator->pfmac_rule->tag));
}

3) The MAC Framework has conflicts with NFS; I work around it by:
//security/mac/mac_vfs.c
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
        int error;
...
        /* added by Zhouyi Zhou: an NFS credential may arrive without a
         * label, so give it one copied from the current thread */
        if (cred->cr_label == NULL) {
                mac_init_cred(cred);
                mac_copy_cred(curthread->td_ucred, cred);
        }
        /* added by Zhouyi Zhou */
...
        MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
            dvp, dvp->v_label, vp, vp->v_label, cnp);
////////////////
It could also have vp's or dvp's label assigned to the cred.


Sincerely yours
Zhouyi Zhou
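As an added illustration of the rule-chain matching described in suggestion (2), here is a stand-alone user-space C model of the lookup. It is not code from the posted patch, from pf or from the FreeBSD tree; the names (mac_rule, mac_rule_lookup, sample_chain, sample_lookup) and the sample addresses and tags are assumptions constructed for the example. It keeps the same semantics as the posted kernel code: an all-zero address in a rule is a wildcard, and the first rule whose source and destination both match wins, so rule order is part of the policy.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

/* One entry of the MAC-address tagging chain (hypothetical layout). */
struct mac_rule {
        uint8_t shost[ETHER_ADDR_LEN];   /* rule source MAC, all-zero = any */
        uint8_t dhost[ETHER_ADDR_LEN];   /* rule destination MAC, all-zero = any */
        const char *tag;                 /* pf tag name applied on match */
        const struct mac_rule *next;     /* singly linked chain, evaluated in order */
};

static const uint8_t zero_addr[ETHER_ADDR_LEN] = {0};

/* One address field of a rule matches if it is the wildcard or equal. */
static int addr_match(const uint8_t *rule_addr, const uint8_t *frame_addr)
{
        return memcmp(rule_addr, zero_addr, ETHER_ADDR_LEN) == 0 ||
               memcmp(rule_addr, frame_addr, ETHER_ADDR_LEN) == 0;
}

/* Walk the chain; the first rule whose source and destination both match
 * wins. Returns its tag, or NULL when no rule matched (frame stays untagged). */
const char *mac_rule_lookup(const struct mac_rule *chain,
                            const uint8_t *shost, const uint8_t *dhost)
{
        for (const struct mac_rule *r = chain; r != NULL; r = r->next)
                if (addr_match(r->shost, shost) && addr_match(r->dhost, dhost))
                        return r->tag;
        return NULL;
}

/* Constructed sample addresses (not real hosts). */
const uint8_t mac_guest[ETHER_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t mac_gw[ETHER_ADDR_LEN]    = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
const uint8_t mac_other[ETHER_ADDR_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Constructed sample chain: "any -> gateway" is checked before "guest -> any",
 * so a guest-to-gateway frame gets the to_gateway tag, not guest. */
static const struct mac_rule rule_guest = {
        {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, {0}, "guest", NULL };
static const struct mac_rule rule_to_gw = {
        {0}, {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, "to_gateway", &rule_guest };
const struct mac_rule *sample_chain = &rule_to_gw;

/* Convenience wrapper around the sample chain. */
const char *sample_lookup(const uint8_t *shost, const uint8_t *dhost)
{
        return mac_rule_lookup(sample_chain, shost, dhost);
}

static void show(const char *what, const uint8_t *s, const uint8_t *d)
{
        const char *tag = sample_lookup(s, d);
        printf("%-16s -> %s\n", what, tag ? tag : "(untagged)");
}

int main(void)
{
        show("guest->gw", mac_guest, mac_gw);       /* to_gateway (first match) */
        show("guest->other", mac_guest, mac_other); /* guest */
        show("other->gw", mac_other, mac_gw);       /* to_gateway */
        show("other->other", mac_other, mac_other); /* (untagged) */
        return 0;
}
```

Swapping the two rules in sample_chain changes the result for guest-to-gateway frames from to_gateway to guest, which is the same first-match behaviour the posted pf_tag_mbuf() has; whoever loads the chain therefore has to order specific rules before wildcard rules if the specific tag is the one that should win.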