From 2d92ec985899529837a43f559d8ed6e0da7854fe Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 17 Dec 2003 14:55:11 +0000
Subject: [PATCH] Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/netinet/tcp_subr.c | 5 +----
 sys/netinet/tcp_timewait.c | 5 +----
 sys/security/mac/mac_framework.h | 1 +
 sys/security/mac/mac_net.c | 11 +++++++++++
 sys/security/mac/mac_policy.h | 3 +++
 sys/security/mac_biba/mac_biba.c | 13 +++++++++++++
 sys/security/mac_lomac/mac_lomac.c | 13 +++++++++++++
 sys/security/mac_mls/mac_mls.c | 13 +++++++++++++
 sys/security/mac_stub/mac_stub.c | 8 ++++++++
 sys/security/mac_test/mac_test.c | 10 ++++++++++
 sys/sys/mac.h | 1 +
 sys/sys/mac_policy.h | 3 +++
 12 files changed, 78 insertions(+), 8 deletions(-)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 926d547703e..12394eb3a4a 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
 m->m_data += max_linkhdr;
 #ifdef MAC
- if (so != NULL)
- mac_create_mbuf_from_socket(so, m);
- else
- mac_create_mbuf_netlayer(msrc, m);
+ mac_create_mbuf_from_inpcb(inp, m);
 #endif
 #ifdef INET6
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 926d547703e..12394eb3a4a 100644
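Review bot: The `so == NULL` fallback through `msrc` is gone at the `#ifdef MAC` block, and the new `mac_create_mbuf_from_inpcb(inp, m)` call dereferences `inp->inp_label` unconditionally inside the framework, so every path into this point now needs a non-NULL, locked `inp`; where `inp` comes from and whether its lock is held here is outside the hunk (tcp_twrespond starts and ends beyond it), so that cannot be confirmed from the diff. If the TIME_WAIT inpcb is guaranteed to outlive the socket on this path, a `KASSERT(inp != NULL, ("tcp_twrespond: NULL inpcb"));` just before the `#ifdef MAC` block would record that assumption and fail loudly instead of faulting inside the MAC entry point. With the socket branch removed, `so` and `msrc` no longer appear to have a MAC use in this function; if nothing else in tcp_twrespond reads them they are now dead parameters worth dropping in a follow-up.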
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1662,10 +1662,7 @@ tcp_twrespond(struct tcptw *tw, struct socket *so, struct mbuf *msrc,
 m->m_data += max_linkhdr;
 #ifdef MAC
- if (so != NULL)
- mac_create_mbuf_from_socket(so, m);
- else
- mac_create_mbuf_netlayer(msrc, m);
+ mac_create_mbuf_from_inpcb(inp, m);
 #endif
 #ifdef INET6
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 098a2bde828..ed04abd39da 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -213,6 +213,7 @@ void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
 void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
 void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 8337a19b7cd..9e5cfe56a97 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -588,6 +588,17 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
 MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
 }
+void
+mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+{
+ struct label *mlabel;
+ INP_LOCK_ASSERT(inp);
+ mlabel = mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+}
+
 void
 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
 {
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index be432535c7a..55ed7fb47dc 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
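Review bot: The new `mac_create_mbuf_from_inpcb()` in mac_net.c carries no comment stating its locking contract, and `INP_LOCK_ASSERT(inp)` is compiled out on kernels built without INVARIANTS, so the requirement that the caller hold the inpcb lock while the policies read `inp->inp_label` is enforced only on debug kernels and otherwise lives nowhere. I would put above the function: `/* Initialize the label of an mbuf from the label of the inpcb it is sent on behalf of. The caller must hold the inpcb lock so the inpcb label cannot change while the policies copy it. */`. The result of `mbuf_to_label(m)` is handed straight to `MAC_PERFORM` without a check; whether that helper can return NULL for an mbuf with no label tag is not visible here and the neighbouring entry points presumably behave the same, so this only needs a look if it can.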
@@ -229,6 +229,9 @@ struct mac_policy_ops {
 void (*mpo_create_fragment)(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel);
+ void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+ struct label *inplabel, struct mbuf *m,
+ struct label *mlabel);
 void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf, struct label *oldlabel, struct mbuf *newmbuf, struct label *newlabel);
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 12392207664..a813b9b4281 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1199,6 +1199,18 @@ mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 mac_biba_copy_single(source, dest);
 }
+static void
+mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *source, *dest;
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+ mac_biba_copy_single(source, dest);
+}
+
 static void
 mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf,
@@ -2698,6 +2710,7 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_create_ifnet = mac_biba_create_ifnet,
 .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
 .mpo_create_ipq = mac_biba_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
 .mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index a8a4a988d32..10608d10b8c 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
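Review bot: The new `mpo_create_mbuf_from_inpcb` member of `struct mac_policy_ops` is undocumented in this change: the struct carries no comment and the diffstat lists no manual page, so a policy author has nothing stating what the framework passes in or what lock is held when the hook runs. A one-line comment above the member, `/* Called with the inpcb locked; inplabel is inp->inp_label and mlabel is the mbuf label to initialize. */`, would record the contract that mac_net.c otherwise expresses only through `INP_LOCK_ASSERT`, and the policy entry-point manual page, if one describes these hooks, should gain the same text. The ops struct starts before and continues past this hunk.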
@@ -1339,6 +1339,18 @@ mac_lomac_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 mac_lomac_copy_single(source, dest);
 }
+static void
+mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *source, *dest;
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+ mac_lomac_copy_single(source, dest);
+}
+
 static void
 mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf,
@@ -2680,6 +2692,7 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_create_ifnet = mac_lomac_create_ifnet,
 .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
 .mpo_create_ipq = mac_lomac_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
 .mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 3a7346785fa..96016cef2d0 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1129,6 +1129,18 @@ mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
 mac_mls_copy_single(source, dest);
 }
+static void
+mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *source, *dest;
+ source = SLOT(inplabel);
+ dest = SLOT(mlabel);
+ mac_mls_copy_single(source, dest);
+}
+
 static void
 mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf,
@@ -2470,6 +2482,7 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_create_ifnet = mac_mls_create_ifnet,
 .mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
 .mpo_create_ipq = mac_mls_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
 .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index ccf3583301a..2ef6f5bfc10 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -350,6 +350,13 @@ stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
 }
+static void
+stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
 static void
 stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf,
@@ -1092,6 +1099,7 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
 .mpo_create_fragment = stub_create_fragment,
 .mpo_create_ipq = stub_create_ipq,
+ .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
 .mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 05f0e8c85a4..0d5fdf3a138 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -914,6 +914,15 @@ mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
 ASSERT_IPQ_LABEL(ipqlabel);
 }
+static void
+mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ ASSERT_INPCB_LABEL(inplabel);
+ ASSERT_MBUF_LABEL(mlabel);
+}
+
 static void
 mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf,
@@ -1923,6 +1932,7 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
 .mpo_create_fragment = mac_test_create_fragment,
 .mpo_create_ipq = mac_test_create_ipq,
+ .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 098a2bde828..ed04abd39da 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -213,6 +213,7 @@ void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
 void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
 void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index be432535c7a..55ed7fb47dc 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -229,6 +229,9 @@ struct mac_policy_ops {
 void (*mpo_create_fragment)(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel);
+ void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
+ struct label *inplabel, struct mbuf *m,
+ struct label *mlabel);
 void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf, struct label *oldlabel, struct mbuf *newmbuf, struct label *newlabel);