Thread: MAC Framework has conflict with IP firewall (6 messages in org.freebsd.trustedbsd-discuss)
zhouyi zhou, Mar 27, 2006 10:49 am
Max Laier, Jun 17, 2006 9:59 pm
Max Laier, Jun 17, 2006 10:08 pm
zhouyi zhou, Jun 18, 2006 1:45 am
Max Laier, Jun 18, 2006 2:08 am
Max Laier, Jun 19, 2006 10:31 pm

Subject: MAC Framework has conflict with IP firewall
From: zhouyi zhou (zhou@ios.cn)
Date: Jun 18, 2006 1:45:24 am
List: org.freebsd.trustedbsd-discuss

Thanks for the modification!!! I have three small suggestions, maybe inappropriate :-)

1) Would you think that, in static void mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel) and so on, assigning an mls/low label to the generated mbuf is better? As far as I know, in BLP-kind systems mls/low is the default label for system software and system behaviour.

2) I added Ethernet address matching for PF in FreeBSD, like that in OpenBSD, by simply maintaining a chain of which MAC address gets which tag:

//net/if_ethersubr.c
static void
ether_input(struct ifnet *ifp, struct mbuf *m)
{
	struct ether_header *eh;
	u_short etype;

	.......
#ifdef DEV_PF
	/* let pf tag the mbuf by Ethernet address before further processing */
	PF_TAG_MBUF(m);
#endif
	.......
}

//contrib/pf/pf_ioctl.c
void
pf_tag_mbuf(struct mbuf *mbuf)
{
	struct ether_header *eh;
	struct pfmac_rule_element *rule_iterator = pfmac_rule_chain;
	struct ether_header zero_header;

	/* an all-zero address in a rule matches any address */
	bzero(&zero_header.ether_dhost, 6);
	bzero(&zero_header.ether_shost, 6);
	eh = mtod(mbuf, struct ether_header *);
	/* walk the chain; the first matching rule wins */
	while (rule_iterator) {
		if ((!memcmp(eh->ether_shost,
		    rule_iterator->pfmac_rule->ether_header.ether_shost, 6) ||
		    !memcmp(zero_header.ether_shost,
		    rule_iterator->pfmac_rule->ether_header.ether_shost, 6)) &&
		    (!memcmp(eh->ether_dhost,
		    rule_iterator->pfmac_rule->ether_header.ether_dhost, 6) ||
		    !memcmp(zero_header.ether_dhost,
		    rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)))
			break;
		rule_iterator = rule_iterator->next;
	}
	if (rule_iterator != NULL)
		pf_tag_packet(mbuf, NULL,
		    pf_tagname2tag(rule_iterator->pfmac_rule->tag));
}

3) The MAC Framework has conflicts with NFS; I work around it by:

//security/mac/mac_vfs.c
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
	int error;
	...
	/* added by Zhouyi Zhou */
	/* the cred may arrive with no MAC label; give it one copied from the current thread */
	if (cred->cr_label == NULL) {
		mac_init_cred(cred);
		mac_copy_cred(curthread->td_ucred, cred);
	}
	/* added by Zhouyi Zhou */
	...
	MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, dvp,
	    dvp->v_label, vp, vp->v_label, cnp);
	...
}

It could also have vp's or dvp's label assigned to the cred.
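Added example, not from the post and not FreeBSD or pf source: a userland model of the pf_tag_mbuf rule-chain matching, with constructed rules and frames, showing that an all-zero address in a rule acts as a wildcard and that the first matching rule wins, so the order of the chain decides which tag a frame gets. The struct names and the sample addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

/* Constructed stand-in for the kernel's struct ether_header. */
struct eh {
    uint8_t ether_dhost[ETHER_ADDR_LEN];
    uint8_t ether_shost[ETHER_ADDR_LEN];
    uint16_t ether_type;
};

/* One rule of the chain: source/destination pair and the tag to apply.
 * An all-zero address in a rule matches any address (wildcard), as in the post. */
struct pfmac_rule {
    uint8_t shost[ETHER_ADDR_LEN];
    uint8_t dhost[ETHER_ADDR_LEN];
    int tag;
};

static const uint8_t zero_addr[ETHER_ADDR_LEN] = {0};

/* Rule address matches if it equals the frame's address or is the wildcard. */
static int addr_matches(const uint8_t *frame_addr, const uint8_t *rule_addr)
{
    return memcmp(frame_addr, rule_addr, ETHER_ADDR_LEN) == 0 ||
           memcmp(rule_addr, zero_addr, ETHER_ADDR_LEN) == 0;
}

/* First-match walk of the chain; returns the tag, or -1 when no rule applies. */
int pfmac_lookup_tag(const struct eh *eh, const struct pfmac_rule *rules, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr_matches(eh->ether_shost, rules[i].shost) &&
            addr_matches(eh->ether_dhost, rules[i].dhost))
            return rules[i].tag;
    return -1;
}

/* Constructed sample addresses and chain: a specific pair first, then a
 * catch-all (wildcard destination) for the same source. */
const uint8_t host_a[ETHER_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t host_b[ETHER_ADDR_LEN] = {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb};
const uint8_t host_c[ETHER_ADDR_LEN] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
static const struct pfmac_rule sample_rules[] = {
    { {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}, 10 },
    { {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, {0}, 20 },
};

/* Build a frame header from src/dst and look it up in the sample chain. */
int lookup_sample(const uint8_t *src, const uint8_t *dst)
{
    struct eh eh = { .ether_type = 0x0800 };
    memcpy(eh.ether_shost, src, ETHER_ADDR_LEN);
    memcpy(eh.ether_dhost, dst, ETHER_ADDR_LEN);
    return pfmac_lookup_tag(&eh, sample_rules, sizeof sample_rules / sizeof sample_rules[0]);
}
```

Swapping the two rules would make every frame from host_a hit the catch-all first, which is the kind of ordering mistake worth checking when a tag drives a firewall decision.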