authorRobert Watson <rwatson@FreeBSD.org>2003-11-18 00:39:07 +0000
committerRobert Watson <rwatson@FreeBSD.org>2003-11-18 00:39:07 +0000
commita557af222b70694470f63e2a0f1bf58c9dcc73fd (patch)
tree9ae16c9f3cb9780bbad2d9f596380ed1094d201c /sys/netinet
parentb17f40bbda6fee5e88662d68a7d8d372929f4986 (diff)
Notes
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in_pcb.c47
-rw-r--r--sys/netinet/in_pcb.h3
-rw-r--r--sys/netinet/ip_divert.c2
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/tcp_reass.c4
-rw-r--r--sys/netinet/tcp_usrreq.c4
-rw-r--r--sys/netinet/udp_usrreq.c4
8 files changed, 54 insertions, 18 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 480c50eae6b7..11735ec38156 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -36,10 +36,12 @@
#include "opt_ipsec.h"
#include "opt_inet6.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/limits.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/domain.h>
@@ -161,26 +163,30 @@ in_pcballoc(so, pcbinfo, td)
struct thread *td;
{
register struct inpcb *inp;
-#if defined(IPSEC) || defined(FAST_IPSEC)
int error;
-#endif
+
INP_INFO_WLOCK_ASSERT(pcbinfo);
+ error = 0;
inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO);
if (inp == NULL)
return (ENOBUFS);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
+#ifdef MAC
+ error = mac_init_inpcb(inp, M_NOWAIT);
+ if (error != 0)
+ goto out;
+ mac_create_inpcb_from_socket(so, inp);
+#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
#else
error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
#endif
- if (error != 0) {
- uma_zfree(pcbinfo->ipi_zone, inp);
- return error;
- }
+ if (error != 0)
+ goto out;
#endif /*IPSEC*/
#if defined(INET6)
if (INP_SOCKAF(so) == AF_INET6) {
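Review bot: When MAC and IPSEC are both compiled in, a failure of `ipsec_init_policy()` / `ipsec_init_pcbpolicy()` jumps to `out:` after `mac_init_inpcb()` has already succeeded, and the `out:` path added in the next hunk only calls `uma_zfree()`. `in_pcbdetach()` in this same commit pairs `mac_destroy_inpcb()` with the free, so the label appears to be leaked on this error path; the IPSEC failure branch should destroy the label before jumping. Whether `mac_init_inpcb()` cleans up after its own failure is not visible here. The body of `in_pcballoc()` continues outside this hunk.

```c
	/* ... unchanged: ipsec_init_policy() / ipsec_init_pcbpolicy() call ... */
	if (error != 0) {
#ifdef MAC
		/* Undo mac_init_inpcb() so the label is not leaked. */
		mac_destroy_inpcb(inp);
#endif
		goto out;
	}
#endif /*IPSEC*/
```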
@@ -197,7 +203,12 @@ in_pcballoc(so, pcbinfo, td)
if (ip6_auto_flowlabel)
inp->inp_flags |= IN6P_AUTOFLOWLABEL;
#endif
- return (0);
+#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
+out:
+ if (error != 0)
+ uma_zfree(pcbinfo->ipi_zone, inp);
+#endif
+ return (error);
}
int
@@ -700,6 +711,9 @@ in_pcbdetach(inp)
ip_freemoptions(inp->inp_moptions);
inp->inp_vflag = 0;
INP_LOCK_DESTROY(inp);
+#ifdef MAC
+ mac_destroy_inpcb(inp);
+#endif
uma_zfree(ipi->ipi_zone, inp);
}
@@ -1218,6 +1232,25 @@ in_pcbremlists(inp)
pcbinfo->ipi_count--;
}
+/*
+ * A set label operation has occurred at the socket layer, propagate the
+ * label change into the in_pcb for the socket.
+ */
+void
+in_pcbsosetlabel(so)
+ struct socket *so;
+{
+#ifdef MAC
+ struct inpcb *inp;
+
+ /* XXX: Will assert socket lock when we have them. */
+ inp = (struct inpcb *)so->so_pcb;
+ INP_LOCK(inp);
+ mac_inpcb_sosetlabel(so, inp);
+ INP_UNLOCK(inp);
+#endif
+}
+
int
prison_xinpcb(struct thread *td, struct inpcb *inp)
{
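Review bot: `in_pcbsosetlabel()` passes `so->so_pcb` straight to `INP_LOCK(inp)` without checking it, so a label change on a socket whose PCB has already been detached would be a kernel NULL dereference when MAC is enabled. Whether the socket layer guarantees a non-NULL `so_pcb` on this path is not visible in the diff; if it does not, add `if (inp == NULL) return;` before `INP_LOCK(inp);`, or a `KASSERT` that states the invariant. The XXX comment could also name what protects `so_pcb` until the socket lock exists.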
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 19786b59b568..8a6717cd6b09 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -134,6 +134,7 @@ struct inpcb {
struct inpcbinfo *inp_pcbinfo; /* PCB list info */
struct socket *inp_socket; /* back pointer to socket */
/* list for this PCB's local port */
+ struct label *inp_label; /* MAC label */
int inp_flags; /* generic IP/datagram flags */
struct inpcbpolicy *inp_sp; /* for IPSEC */
@@ -369,10 +370,12 @@ struct inpcb *
void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr,
int, struct inpcb *(*)(struct inpcb *, int));
void in_pcbrehash(struct inpcb *);
+void in_pcbsetsolabel(struct socket *so);
int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);
int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);;
struct sockaddr *
in_sockaddr(in_port_t port, struct in_addr *addr);
+void in_pcbsosetlabel(struct socket *so);
void in_pcbremlists(struct inpcb *inp);
int prison_xinpcb(struct thread *td, struct inpcb *inp);
#endif /* _KERNEL */
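Review bot: The added prototype `void in_pcbsetsolabel(struct socket *so);` has no matching definition in this commit; in_pcb.c defines `in_pcbsosetlabel()`, which is declared a few lines further down in the same hunk. It looks like a misspelled duplicate and should be dropped, so that a caller cannot pick up the wrong name and fail only at link time.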
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 7e939e35da58..172021b5b017 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -652,5 +652,5 @@ struct pr_usrreqs div_usrreqs = {
pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach,
div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown,
- div_sockaddr, sosend, soreceive, sopoll
+ div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
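Review bot: `in_pcbsosetlabel` is appended positionally to `div_usrreqs`, which is correct only if the new member is the last field of `struct pr_usrreqs`; that definition is outside this diff, since the diffstat is limited to sys/netinet. The same applies to `rip_usrreqs`, `tcp_usrreqs`, `tcp6_usrreqs` and `udp_usrreqs` in the later hunks. A trailing comment on the entry, e.g. `/* sosetlabel hook: propagate the socket label to the inpcb */`, would make the slot explicit for the next person who extends the structure.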
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 8e02e41923da..632e00a17285 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -161,7 +161,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0)
+ if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
#endif
if (!policyfail) {
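Review bot: `mac_check_inpcb_deliver(last, n)` now reads the label stored on the inpcb, which `in_pcbsosetlabel()` in this commit updates under `INP_LOCK`, but nothing in this hunk shows that `last` is locked when the check runs. If the caller holds the inpcb lock, state it with `INP_LOCK_ASSERT(last);` ahead of the check; if it does not, the delivery decision can race with a relabel. The same question applies to the converted checks in tcp_input.c, tcp_reass.c and udp_usrreq.c. `raw_append()` starts and ends outside the hunk.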
@@ -840,5 +840,5 @@ struct pr_usrreqs rip_usrreqs = {
pru_connect2_notsupp, in_control, rip_detach, rip_disconnect,
pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown,
- rip_sockaddr, sosend, soreceive, sopoll
+ rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 4df4a99d0f10..a24713843420 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -683,11 +683,11 @@ findpcb:
else
tiwin = th->th_win;
- so = inp->inp_socket;
#ifdef MAC
- if (mac_check_socket_deliver(so, m))
+ if (mac_check_inpcb_deliver(inp, m))
goto drop;
#endif
+ so = inp->inp_socket;
#ifdef TCPDEBUG
if (so->so_options & SO_DEBUG) {
ostate = tp->t_state;
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 4df4a99d0f10..a24713843420 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -683,11 +683,11 @@ findpcb:
else
tiwin = th->th_win;
- so = inp->inp_socket;
#ifdef MAC
- if (mac_check_socket_deliver(so, m))
+ if (mac_check_inpcb_deliver(inp, m))
goto drop;
#endif
+ so = inp->inp_socket;
#ifdef TCPDEBUG
if (so->so_options & SO_DEBUG) {
ostate = tp->t_state;
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 805a4fbd1416..7035227f1a24 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -816,7 +816,7 @@ struct pr_usrreqs tcp_usrreqs = {
tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach,
tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- tcp_sockaddr, sosend, soreceive, sopoll
+ tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#ifdef INET6
@@ -825,7 +825,7 @@ struct pr_usrreqs tcp6_usrreqs = {
tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach,
tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- in6_mapped_sockaddr, sosend, soreceive, sopoll
+ in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#endif /* INET6 */
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 4b755af01778..60ec82bc8d4a 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -469,7 +469,7 @@ udp_append(last, ip, n, off)
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (mac_check_socket_deliver(last->inp_socket, n) != 0) {
+ if (mac_check_inpcb_deliver(last, n) != 0) {
m_freem(n);
return;
}
@@ -1119,5 +1119,5 @@ struct pr_usrreqs udp_usrreqs = {
pru_connect2_notsupp, in_control, udp_detach, udp_disconnect,
pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown,
- udp_sockaddr, sosend, soreceive, sopoll
+ udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};