From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: zhouyi zhou
Cc: trustedbsd-discuss@freebsd.org
Date: Sun, 18 Jun 2006 04:09:00 +0200
Subject: Re: MAC Framework has conflict with IP firewall
Message-Id: <200606180409.06966.max@love2party.net>
In-Reply-To: <20060618094312.7fec4f77.zhouyi04@ios.cn>
References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606180008.53676.max@love2party.net> <20060618094312.7fec4f77.zhouyi04@ios.cn>
List-Id: TrustedBSD General Discussion List
On Sunday 18 June 2006 03:43, zhouyi zhou wrote:
> 1)
> would you think in
> static void
> mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
> and so on assigning a mls/low label to the generated mbuf is better,
> as I have known in BLP kind systems, mls/low is the default label for the
> system software and system behaviour.

I'm not really happy with setting any static label in there at all. I was
merely copying from mac_mls_create_mbuf_linklayer() which also creates a mbuf
"out of thin air" (i.e. unprovoked, from the system software). I don't say
there are no better ways to do this, but a clean solution involves keeping a
label in the firewall state that later creates the packet. I am working on
patches for that as well, but it might be some time before that gets
somewhere as I try to keep it reasonably generic to use with pf and ipfw at
the same time ... which right now looks like a good way to Waterloo :-\

> 2)
> I add ethernet address matching for PF in FreeBSD like that in OpenBSD
> by simply maintaining a chain for which MAC address to insert which tag:
> //net/if_ethersubr.c
> static void
> ether_input(struct ifnet *ifp, struct mbuf *m)
> {

We hope to place a pfil(9) hook in ether_input and related functions in
if_bridge(4) some time soon in order to enable a generic way to do L2
filtering. Once that is done (I should probably just do it myself finally) I
will provide a tagging mechanism along the lines of what OpenBSD provides.

> 3) MAC Framework has conflicts with NFS, I work around it by:
> //security/mac/mac_vfs.c

I'll let somebody else tackle this ;)

> int
> mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
>     struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
> {
>     int error;
>     ...
>     /* added by Zhouyi Zhou */
>     if (cred->cr_label == NULL)
>     {
>         mac_init_cred(cred);
>         mac_copy_cred(curthread->td_ucred, cred);
>     }
>     /* added by Zhouyi Zhou */
>     ...
>     MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
>         dvp, dvp->v_label, vp, vp->v_label, cnp);
> ////////////////
> It could also have vp's or dvp's label assigned to the cred.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
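The design Max describes above (a label kept in the firewall state that later creates the packet), as an added example in C that is not code from FreeBSD, pf, ipfw or this thread: it models a state table in user space, assumes a simplified one-level MLS label with a compartment bitmask, a state lookup in both flow directions and a read-down delivery rule, and compares a synthesized reply labeled from the state with one given a static mls/low label. The sample flow and socket labels are constructed.

```c
/* Added example, not code from FreeBSD, pf or this thread: a user-space model
 * of firewall state that records the MAC/MLS label of the packet creating the
 * state, so packets the firewall synthesizes later (e.g. a TCP proxy reply)
 * inherit that label instead of a fixed mls/low.  The label layout, state
 * table and delivery rule are simplifying assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed label: one level plus a compartment bitmask.  mac_mls(4) keeps
 * effective/low/high elements and 256 compartments; not modelled here. */
struct mls_label { uint16_t level; uint32_t compartments; };
static const struct mls_label MLS_LOW = { 0, 0 };

/* a dominates b: a's level is at least b's and a's compartments cover b's. */
static bool mls_dominate(const struct mls_label *a, const struct mls_label *b)
{
	return a->level >= b->level && (b->compartments & ~a->compartments) == 0;
}

struct packet {
	uint32_t src, dst; uint16_t sport, dport; bool syn;
	struct mls_label label;		/* stands in for the mbuf label */
};
struct fw_state {
	bool in_use; uint32_t src, dst; uint16_t sport, dport;
	struct mls_label label;		/* label of the flow-creating packet */
};

#define NSTATES 16
static struct fw_state state_table[NSTATES];

/* Match a state in either direction of the flow. */
static bool state_matches(const struct fw_state *st, const struct packet *p)
{
	if (!st->in_use) return false;
	if (st->src == p->src && st->dst == p->dst &&
	    st->sport == p->sport && st->dport == p->dport) return true;
	return st->src == p->dst && st->dst == p->src &&
	    st->sport == p->dport && st->dport == p->sport;
}

/* Look up the state for a packet; a new SYN creates one and the packet's
 * label is copied into it.  Returns NULL when the packet has no state. */
static struct fw_state *fw_state_for(const struct packet *p)
{
	for (int i = 0; i < NSTATES; i++)
		if (state_matches(&state_table[i], p)) return &state_table[i];
	if (!p->syn) return NULL;
	for (int i = 0; i < NSTATES; i++) {
		struct fw_state *st = &state_table[i];
		if (st->in_use) continue;
		st->in_use = true;
		st->src = p->src; st->dst = p->dst;
		st->sport = p->sport; st->dport = p->dport;
		st->label = p->label;	/* the state now carries the flow's label */
		return st;
	}
	return NULL;
}

/* Firewall-generated reply for a state: from_state copies the state's label,
 * otherwise the static mls/low label discussed in the thread is used. */
static struct packet synth_reply(const struct fw_state *st, bool from_state)
{
	struct packet r;
	memset(&r, 0, sizeof(r));
	r.src = st->dst; r.dst = st->src; r.sport = st->dport; r.dport = st->sport;
	r.label = from_state ? st->label : MLS_LOW;
	return r;
}

/* Assumed delivery rule: the receiving socket's label must dominate the
 * packet's label (read-down). */
static bool deliver_ok(const struct mls_label *sock, const struct packet *p)
{
	return mls_dominate(sock, &p->label);
}

/* Constructed scenario; returns 0 when every expectation holds, else the
 * number of the first failed check. */
static int run_scenario(void)
{
	struct packet syn = { 0x0a000001, 0x0a000002, 40000, 80, true, { 2, 0x3 } };
	struct mls_label low_sock = { 1, 0 }, high_sock = { 3, 0x3 };
	struct packet from_state, from_static;
	struct fw_state *st;

	memset(state_table, 0, sizeof(state_table));
	if ((st = fw_state_for(&syn)) == NULL) return 1;
	from_state = synth_reply(st, true);
	from_static = synth_reply(st, false);
	if (deliver_ok(&low_sock, &from_state)) return 2;	/* level 2 reply, level 1 socket */
	if (!deliver_ok(&high_sock, &from_state)) return 3;
	if (!deliver_ok(&low_sock, &from_static)) return 4;	/* mls/low reply reaches anyone */
	if (fw_state_for(&from_state) != st) return 5;	/* reply maps to the same state */
	return 0;
}
```

In this model the reply labeled from the state is only deliverable to a socket that dominates the level of the flow that created the state, while the reply given a static mls/low label is deliverable to every socket; the state lookup also shows where the label would be found when the firewall later synthesizes a packet for an existing flow.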