1173095Srwatson/*-
2189797Srwatson * Copyright (c) 2007-2009 Robert N. M. Watson
3173095Srwatson * All rights reserved.
4173095Srwatson *
5173095Srwatson * This software was developed by Robert Watson for the TrustedBSD Project.
6173095Srwatson *
7189797Srwatson * This software was developed at the University of Cambridge Computer
8189797Srwatson * Laboratory with support from a grant from Google, Inc.
9189797Srwatson *
10173095Srwatson * Redistribution and use in source and binary forms, with or without
11173095Srwatson * modification, are permitted provided that the following conditions
12173095Srwatson * are met:
13173095Srwatson * 1. Redistributions of source code must retain the above copyright
14173095Srwatson *    notice, this list of conditions and the following disclaimer.
15173095Srwatson * 2. Redistributions in binary form must reproduce the above copyright
16173095Srwatson *    notice, this list of conditions and the following disclaimer in the
17173095Srwatson *    documentation and/or other materials provided with the distribution.
18173095Srwatson *
19173095Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20173095Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21173095Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22173095Srwatson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23173095Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24173095Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25173095Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26173095Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27173095Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28173095Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29173095Srwatson * SUCH DAMAGE.
30173095Srwatson */
31173095Srwatson
32173095Srwatson#include <sys/cdefs.h>
33173095Srwatson__FBSDID("$FreeBSD$");
34173095Srwatson
35173095Srwatson#include "opt_mac.h"
36173095Srwatson
37173095Srwatson#include <sys/param.h>
38173095Srwatson#include <sys/kernel.h>
39173095Srwatson#include <sys/lock.h>
40173095Srwatson#include <sys/malloc.h>
41173095Srwatson#include <sys/mutex.h>
42173095Srwatson#include <sys/sbuf.h>
43173095Srwatson#include <sys/systm.h>
44173095Srwatson#include <sys/mount.h>
45173095Srwatson#include <sys/file.h>
46173095Srwatson#include <sys/namei.h>
47173095Srwatson#include <sys/protosw.h>
48173095Srwatson#include <sys/socket.h>
49173095Srwatson#include <sys/socketvar.h>
50173095Srwatson#include <sys/sysctl.h>
51173095Srwatson
52173095Srwatson#include <net/if.h>
53173095Srwatson#include <net/if_var.h>
54173095Srwatson
55184307Srwatson#include <netinet/in.h>
56184307Srwatson#include <netinet/ip6.h>
57184307Srwatson#include <netinet6/ip6_var.h>
58184307Srwatson
59173095Srwatson#include <security/mac/mac_framework.h>
60173095Srwatson#include <security/mac/mac_internal.h>
61173095Srwatson#include <security/mac/mac_policy.h>
62173095Srwatson
63184307Srwatsonstatic struct label *
64184307Srwatsonmac_ip6q_label_alloc(int flag)
65184307Srwatson{
66184307Srwatson	struct label *label;
67184307Srwatson	int error;
68184307Srwatson
69184307Srwatson	label = mac_labelzone_alloc(flag);
70184307Srwatson	if (label == NULL)
71184307Srwatson		return (NULL);
72184307Srwatson
73189797Srwatson	if (flag & M_WAITOK)
74191731Srwatson		MAC_POLICY_CHECK(ip6q_init_label, label, flag);
75189797Srwatson	else
76191731Srwatson		MAC_POLICY_CHECK_NOSLEEP(ip6q_init_label, label, flag);
77184307Srwatson	if (error) {
78191731Srwatson		MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
79184307Srwatson		mac_labelzone_free(label);
80184307Srwatson		return (NULL);
81184307Srwatson	}
82184307Srwatson	return (label);
83184307Srwatson}
84184307Srwatson
85184307Srwatsonint
86184307Srwatsonmac_ip6q_init(struct ip6q *q6, int flag)
87184307Srwatson{
88184307Srwatson
89187014Srwatson	if (mac_labeled & MPC_OBJECT_IP6Q) {
90184307Srwatson		q6->ip6q_label = mac_ip6q_label_alloc(flag);
91184307Srwatson		if (q6->ip6q_label == NULL)
92184307Srwatson			return (ENOMEM);
93184307Srwatson	} else
94184307Srwatson		q6->ip6q_label = NULL;
95184307Srwatson	return (0);
96184307Srwatson}
97184307Srwatson
98184307Srwatsonstatic void
99184307Srwatsonmac_ip6q_label_free(struct label *label)
100184307Srwatson{
101184307Srwatson
102191731Srwatson	MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
103184307Srwatson	mac_labelzone_free(label);
104184307Srwatson}
105184307Srwatson
106173095Srwatsonvoid
107184307Srwatsonmac_ip6q_destroy(struct ip6q *q6)
108184307Srwatson{
109184307Srwatson
110184307Srwatson	if (q6->ip6q_label != NULL) {
111184307Srwatson		mac_ip6q_label_free(q6->ip6q_label);
112184307Srwatson		q6->ip6q_label = NULL;
113184307Srwatson	}
114184307Srwatson}
115184307Srwatson
116184307Srwatsonvoid
117184307Srwatsonmac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m)
118184307Srwatson{
119184307Srwatson	struct label *label;
120184307Srwatson
121193391Srwatson	if (mac_policy_count == 0)
122193391Srwatson		return;
123193391Srwatson
124184307Srwatson	label = mac_mbuf_to_label(m);
125184307Srwatson
126191731Srwatson	MAC_POLICY_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m,
127191731Srwatson	    label);
128184307Srwatson}
129184307Srwatson
130184307Srwatsonvoid
131184307Srwatsonmac_ip6q_create(struct mbuf *m, struct ip6q *q6)
132184307Srwatson{
133184307Srwatson	struct label *label;
134184307Srwatson
135193391Srwatson	if (mac_policy_count == 0)
136193391Srwatson		return;
137193391Srwatson
138184307Srwatson	label = mac_mbuf_to_label(m);
139184307Srwatson
140191731Srwatson	MAC_POLICY_PERFORM_NOSLEEP(ip6q_create, m, label, q6,
141191731Srwatson	    q6->ip6q_label);
142184307Srwatson}
143184307Srwatson
144184307Srwatsonint
145184307Srwatsonmac_ip6q_match(struct mbuf *m, struct ip6q *q6)
146184307Srwatson{
147184307Srwatson	struct label *label;
148184307Srwatson	int result;
149184307Srwatson
150193391Srwatson	if (mac_policy_count == 0)
151193391Srwatson		return (1);
152193391Srwatson
153184307Srwatson	label = mac_mbuf_to_label(m);
154184307Srwatson
155184307Srwatson	result = 1;
156191731Srwatson	MAC_POLICY_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6,
157191731Srwatson	    q6->ip6q_label);
158184307Srwatson
159184307Srwatson	return (result);
160184307Srwatson}
161184307Srwatson
162184307Srwatsonvoid
163184307Srwatsonmac_ip6q_update(struct mbuf *m, struct ip6q *q6)
164184307Srwatson{
165184307Srwatson	struct label *label;
166184307Srwatson
167193391Srwatson	if (mac_policy_count == 0)
168193391Srwatson		return;
169193391Srwatson
170184307Srwatson	label = mac_mbuf_to_label(m);
171184307Srwatson
172191731Srwatson	MAC_POLICY_PERFORM_NOSLEEP(ip6q_update, m, label, q6,
173191731Srwatson	    q6->ip6q_label);
174184307Srwatson}
175184307Srwatson
176184307Srwatsonvoid
177173095Srwatsonmac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
178173095Srwatson{
179173095Srwatson	struct label *mlabel;
180173095Srwatson
181193391Srwatson	if (mac_policy_count == 0)
182193391Srwatson		return;
183193391Srwatson
184173095Srwatson	mlabel = mac_mbuf_to_label(m);
185173095Srwatson
186191731Srwatson	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
187189797Srwatson	    mlabel);
188173095Srwatson}
189