| From | Sent On | Attachments |
|---|---|---|
| zhouyi zhou | Mar 27, 2006 10:49 am | |
| Max Laier | Jun 17, 2006 9:59 pm | |
| Max Laier | Jun 17, 2006 10:08 pm | |
| zhouyi zhou | Jun 18, 2006 1:45 am | |
| Max Laier | Jun 18, 2006 2:08 am | |
| Max Laier | Jun 19, 2006 10:31 pm | |
| Subject: | MAC Framework has conflict with IP firewall | |
|---|---|---|
| From: | Max Laier (ma...@love2party.net) | |
| Date: | Jun 18, 2006 2:08:54 am | |
| List: | org.freebsd.trustedbsd-discuss | |
On Sunday 18 June 2006 03:43, zhouyi zhou wrote:

> 1) Would you think that in `static void mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)` and so on, assigning an mls/low label to the generated mbuf is better? As far as I know, in BLP-kind systems mls/low is the default label for system software and system behaviour.

I'm not really happy with setting any static label in there at all. I was merely copying from mac_mls_create_mbuf_linklayer(), which also creates an mbuf "out of thin air" (i.e. unprovoked, from the system software). I don't say there are no better ways to do this, but a clean solution involves keeping a label in the firewall state that later creates the packet. I am working on patches for that as well, but it might be some time before that gets somewhere, as I try to keep it reasonably generic to use with pf and ipfw at the same time ... which right now looks like a good way to Waterloo :-\
> 2) I added Ethernet address matching for PF in FreeBSD like that in OpenBSD, by simply maintaining a chain of which MAC address gets which tag inserted:
>
> //net/if_ethersubr.c
> ```c
> static void
> ether_input(struct ifnet *ifp, struct mbuf *m)
> {
> ```

We hope to place a pfil(9) hook in ether_input and related functions in if_bridge(4) some time soon in order to enable a generic way to do L2 filtering. Once that is done (I should probably just do it myself finally) I will provide a tagging mechanism along the lines of what OpenBSD provides.
> 3) MAC Framework has conflicts with NFS. I work around it by:
> //security/mac/mac_vfs.c
I'll let somebody else tackle this ;)
> ```c
> int
> mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
>     struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
> {
>     int error;
>     ...
>     /* added by Zhouyi Zhou */
>     if (cred->cr_label == NULL) {
>         mac_init_cred(cred);
>         mac_copy_cred(curthread->td_ucred, cred);
>     }
>     /* added by Zhouyi Zhou */
>     ...
>     MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, dvp,
>         dvp->v_label, vp, vp->v_label, cnp);
> ```
> ////////////////
> It could also have vp's or dvp's label assigned to the cred.
```
-- 
/"\  Best regards,                      | mla...@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
```
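The label question in point 1) above, as an added illustration that is not code from the thread or from the FreeBSD tree: a toy model of the mac_mls(4) dominance rule, showing why a packet the firewall synthesises "out of thin air" should carry the label of the state that produced it rather than a fixed mls/low label. The struct layout, the `mls_socket_may_receive` rule and the sample labels are simplified assumptions for the demonstration, not the kernel's own code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified MLS label: a sensitivity level (0 == mls/low) plus a
 * bitmask of compartments. Assumption for this illustration. */
struct mls_label {
    uint16_t level;
    uint64_t compartments;
};

/* a dominates b when a's level is at least b's and every compartment of
 * b is also a compartment of a. */
static bool mls_dominate(const struct mls_label *a, const struct mls_label *b)
{
    return a->level >= b->level &&
           (b->compartments & ~a->compartments) == 0;
}

/* Simplified "no read up" deliver check: a socket may receive an mbuf
 * only if the socket label dominates the mbuf label. */
static bool mls_socket_may_receive(const struct mls_label *sock,
                                   const struct mls_label *mbuf)
{
    return mls_dominate(sock, mbuf);
}

/* Label given to a firewall-generated packet. inherit == false models the
 * static mls/low of the first patch; inherit == true models copying the
 * label kept in the firewall state that triggered the packet. */
static struct mls_label firewall_packet_label(const struct mls_label *state,
                                              bool inherit)
{
    struct mls_label low = { 0, 0 };
    return inherit ? *state : low;
}

int main(void)
{
    struct mls_label high_state = { 10, 0x1 }; /* constructed: the flow's label */
    struct mls_label low_sock = { 0, 0 };      /* constructed: unrelated low socket */
    struct mls_label s = firewall_packet_label(&high_state, false);
    struct mls_label i = firewall_packet_label(&high_state, true);

    printf("static mls/low -> low socket: %s\n",
           mls_socket_may_receive(&low_sock, &s) ? "allowed" : "denied");
    printf("inherited      -> low socket: %s\n",
           mls_socket_may_receive(&low_sock, &i) ? "allowed" : "denied");
    return 0;
}
```

With the static label the synthesised packet is deliverable to any socket, including a low one unrelated to the high flow; with the inherited label it stays confined to sockets that dominate the flow's label.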