diff options
| author | Robert Watson <rwatson@FreeBSD.org> | 2002-07-31 18:30:34 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2002-07-31 18:30:34 +0000 |
| commit | 4ea889c66633ebf6cda02091ac07ae30369e7f8c (patch) | |
| tree | d317b11acafac64bf47e74cf758bfef8bfbde253 /sys/netinet/raw_ip.c | |
| parent | c4d86885afa137d30db0a37bf4669723d9d293cc (diff) | |
| download | src-4ea889c66633ebf6cda02091ac07ae30369e7f8c.tar.gz src-4ea889c66633ebf6cda02091ac07ae30369e7f8c.zip | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument the raw IP socket code for packet generation and delivery:
label outgoing mbufs with the label of the socket, and check the
socket and mbuf labels before permitting delivery to a socket,
permitting MAC policies to selectively allow delivery of raw IP mbufs
to various raw IP sockets that may be open. Restructure the policy
checking code to compose IPsec and MAC results in a more readable
manner.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Notes
Notes:
svn path=/head/; revision=101103
Diffstat (limited to 'sys/netinet/raw_ip.c')
| -rw-r--r-- | sys/netinet/raw_ip.c | 58 |
1 files changed, 41 insertions, 17 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index f104cfc1c385..2ea6a1a870a6 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -36,6 +36,7 @@ #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_mac.h" #include "opt_random_ip_id.h" #include <sys/param.h> @@ -144,16 +145,27 @@ rip_input(m, off) continue; if (last) { struct mbuf *n = m_copy(m, 0, (int)M_COPYALL); - -#ifdef IPSEC - /* check AH/ESP integrity. */ - if (n && ipsec4_in_reject_so(n, last->inp_socket)) { - m_freem(n); - ipsecstat.in_polvio++; - /* do not inject data to pcb */ - } else + int policyfail = 0; + + if (n != NULL) { +#ifdef IPSSEC + /* check AH/ESP integrity. */ + if (ipsec4_in_reject_so(n, last->inp_socket)) { + policyfail = 1; + ipsecstat.in_polvio++; + /* do not inject data to pcb */ + } #endif /*IPSEC*/ - if (n) { +#ifdef MAC + if (policyfail == 0 && + mac_check_socket_receive(last->inp_socket, + n) != 0) + policyfail = 1; +#endif + } + if (policyfail) + m_freem(n); + else if (n) { if (last->inp_flags & INP_CONTROLOPTS || last->inp_socket->so_options & SO_TIMESTAMP) ip_savecontrol(last, &opts, ip, n); @@ -171,16 +183,24 @@ rip_input(m, off) } last = inp; } + if (last) { #ifdef IPSEC - /* check AH/ESP integrity. */ - if (last && ipsec4_in_reject_so(m, last->inp_socket)) { - m_freem(m); - ipsecstat.in_polvio++; - ipstat.ips_delivered--; - /* do not inject data to pcb */ - } else + /* check AH/ESP integrity. */ + if (ipsec4_in_reject_so(m, last->inp_socket)) { + m_freem(m); + ipsecstat.in_polvio++; + ipstat.ips_delivered--; + /* do not inject data to pcb */ + return; + } #endif /*IPSEC*/ - if (last) { +#ifdef MAC + if (mac_check_socket_receive(last->inp_socket, m) != 0) { + m_freem(m); + ipstat.ips_delivered--; + return; + } +#endif if (last->inp_flags & INP_CONTROLOPTS || last->inp_socket->so_options & SO_TIMESTAMP) ip_savecontrol(last, &opts, ip, m); @@ -212,6 +232,10 @@ rip_output(m, so, dst) register struct inpcb *inp = sotoinpcb(so); int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST; +#ifdef MAC + mac_create_mbuf_from_socket(so, m); +#endif + /* * If the user handed us a complete IP packet, use it. * Otherwise, allocate an mbuf for a header and fill it in. |