Date: Sat, 7 Jun 2003 22:06:48 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 32788 for review Message-ID: <200306080506.h5856mAt022663@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=32788
Change 32788 by rwatson@rwatson_tislabs on 2003/06/07 22:05:57
Add new MAC entry point to facilitate the processing of CIPSO labels: mac_update_mbuf_from_cipso, which accepts an mbuf pointer and a pointer to the IP CIPSO option, as well as letting the MAC framework return an ICMP error code if the call fails in some form. Invoke the entry point from ip_dooptions() in the input path. Add a new MAC policy entry point, mpo_update_mbuf_from_cipso, with similar arguments (added ifnet, mbuf label, and ifnet label arguments). These calls will likely be revised as support for CIPSO evolves.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#390 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_input.c#34 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#237 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#190 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#390 (text+ko) ====
@@ -2443,6 +2443,25 @@
 MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
 }
 
+int
+mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code)
+{
+ struct label *label, *ifnetlabel;
+ int error;
+
+ label = mbuf_to_label(m);
+
+ if (m->m_pkthdr.rcvif != NULL)
+ ifnetlabel = &m->m_pkthdr.rcvif->if_label;
+ else
+ ifnetlabel = NULL;
+
+ MAC_CHECK(update_mbuf_from_cipso, m, label, m->m_pkthdr.rcvif,
+ ifnetlabel, cp, code);
+
+ return (error);
+}
+
 void
 mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
 {
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_input.c#34 (text+ko) ====
@@ -1288,6 +1288,9 @@
 struct in_addr *sin, dst;
 n_time ntime;
 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
+#ifdef MAC
+ int error;
+#endif
 
 dst = ip->ip_dst;
 cp = (u_char *)(ip + 1);
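Review bot: `mac_update_mbuf_from_cipso()` declares the option pointer as `char *cp`, but ip_dooptions() walks the options through a `u_char *` (the `cp = (u_char *)(ip + 1)` context line in the ip_input.c hunk), so the new call passes a pointer of the wrong signedness, and the bytes it covers (the length in `cp[IPOPT_OLEN]` and the CIPSO tag data) are unsigned by nature; `u_char *cp` would be the consistent type here, in the mac.h prototype, and in the `mpo_update_mbuf_from_cipso` slot in mac_policy.h. The entry point also carries no comment describing its contract, which a policy author otherwise has to infer: `cp` points at the option type byte with the option length in `cp[IPOPT_OLEN]`; the receive interface and its label are passed only when `m->m_pkthdr.rcvif` is set and are NULL otherwise; and a policy that returns non-zero is expected to have stored an ICMP code in `*code`, because the caller jumps straight to its error path. I'd add a block comment above the definition stating those three points and noting that, as far as I recall, only ip_dooptions()'s generic option-length check (before the switch, outside the hunk) has validated the length before a policy sees it, so policies must not read past `cp[IPOPT_OLEN]` bytes. The `error` local is presumably assigned inside `MAC_CHECK`, as with the file's other uses of that macro; the macro itself is outside the hunk.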
@@ -1527,6 +1530,15 @@
 ntime = iptime();
 (void)memcpy(cp + off, &ntime, sizeof(n_time));
 cp[IPOPT_OFFSET] += sizeof(n_time);
+ break;
+
+ case IPOPT_CIPSO:
+#ifdef MAC
+ error = mac_update_mbuf_from_cipso(m, cp, &code);
+ if (error)
+ goto bad;
+#endif
+ break;
 }
 }
 if (forward && ipforwarding) {
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#237 (text+ko) ====
@@ -214,6 +214,7 @@
 void mac_reflect_mbuf_icmp(struct mbuf *m);
 void mac_reflect_mbuf_tcp(struct mbuf *m);
 void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
+int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code);
 
 /*
  * Labeling event operations: processes.
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#190 (text+ko) ====
@@ -238,6 +238,9 @@
 void (*mpo_update_ipq)(struct mbuf *fragment,
 struct label *fragmentlabel, struct ipq *ipq,
 struct label *ipqlabel);
+ int (*mpo_update_mbuf_from_cipso)(struct mbuf *m,
+ struct label *mlabel, struct ifnet *ifnet,
+ struct label *ifnetlabel, char *cp, int *code);
 
 /*
  * Labeling event operations: processes.
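Review bot: The `goto bad` after `mac_update_mbuf_from_cipso()` relies on the callee having stored something in `code`, but nothing in the hunk initialises `code` before the call, so a policy that returns an error without touching `*code` would send the ICMP parameter-problem reply with an indeterminate pointer value, assuming the `bad` label still passes `code` to `icmp_error()` as the other option error paths in ip_dooptions() expect. Those other paths set `code` to the offset of the offending byte before jumping, if I recall correctly, so the cheap defence is to default it the same way and let the policy overwrite it: `code = cp - (u_char *)ip;` immediately before `error = mac_update_mbuf_from_cipso(m, cp, &code);`. The enclosing ip_dooptions() starts and ends outside the hunk; the mac.h and mac_policy.h hunks on this line are declaration-only.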