diff --git a/sys/net/if.c b/sys/net/if.c
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -4809,6 +4809,18 @@
 ifp->if_debugnet_methods = m;
 }
+struct label *
+if_getmaclabel(if_t ifp)
+{
+ return (ifp->if_label);
+}
+
+void
+if_setmaclabel(if_t ifp, struct label *label)
+{
+ ifp->if_label = label;
+}
+
 int
 if_gettype(if_t ifp)
 {
diff --git a/sys/net/if_var.h b/sys/net/if_var.h
--- a/sys/net/if_var.h
+++ b/sys/net/if_var.h
@@ -627,6 +627,8 @@
 void if_vlancap(if_t ifp);
 int if_transmit(if_t ifp, struct mbuf *m);
 int if_init(if_t ifp, void *ctx);
+struct label *if_getmaclabel(if_t ifp);
+void if_setmaclabel(if_t ifp, struct label *label);
 /*
 * Traversing through interface address lists.
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -274,8 +274,8 @@
 mlabel = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
- MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m,
- mlabel);
+ MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, if_getmaclabel(ifp),
+ m, mlabel);
 MAC_IFNET_UNLOCK(ifp, locked);
 }
@@ -319,8 +319,8 @@
 mlabel = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
- MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
- mlabel);
+ MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, if_getmaclabel(ifp),
+ m, mlabel);
 MAC_IFNET_UNLOCK(ifp, locked);
 }
diff --git a/sys/security/mac/mac_inet6.c b/sys/security/mac/mac_inet6.c
--- a/sys/security/mac/mac_inet6.c
+++ b/sys/security/mac/mac_inet6.c
@@ -183,6 +183,6 @@
 mlabel = mac_mbuf_to_label(m);
- MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
+ MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, if_getmaclabel(ifp), m,
 mlabel);
 }
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
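Review bot: Neither `if_getmaclabel()` nor `if_setmaclabel()` in the sys/net/if.c hunk states a locking or ownership contract, and the setter overwrites `ifp->if_label` without releasing whatever label was stored before. Most callers in this diff read the label between `MAC_IFNET_LOCK` and `MAC_IFNET_UNLOCK`, and `mac_ifnet_destroy()` frees the old label itself before calling the setter, so both rules currently exist only by convention. Because sys/net/if_var.h now exposes the setter to every `if_t` consumer, I would put a comment above each function, for example `/* MAC framework only: caller serializes against label users and owns (frees) the previous label. */`.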
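Review bot: In the sys/security/mac/mac_inet6.c hunk the `netinet6_nd6_send` call hands `if_getmaclabel(ifp)` to the policies with no `MAC_IFNET_LOCK`/`MAC_IFNET_UNLOCK` pair between the `mlabel` assignment and the closing brace, unlike the `netinet_arp_send` and `netinet_igmp_send` hunks in mac_inet.c. If the omission is not deliberate, a policy could read the interface label while a relabel is in progress; bracketing the call with `MAC_IFNET_LOCK(ifp, locked);` and `MAC_IFNET_UNLOCK(ifp, locked);` (plus an `int locked;` local) would match the other senders. The function begins above the hunk, so any reason for skipping the lock is not visible here, and a one-line comment at the call would settle it either way.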
@@ -143,9 +143,9 @@
 {
 if (mac_labeled & MPC_OBJECT_IFNET)
- ifp->if_label = mac_ifnet_label_alloc();
+ if_setmaclabel(ifp, mac_ifnet_label_alloc());
 else
- ifp->if_label = NULL;
+ if_setmaclabel(ifp, NULL);
 }
 int
@@ -220,10 +220,10 @@
 void
 mac_ifnet_destroy(struct ifnet *ifp)
 {
-
- if (ifp->if_label != NULL) {
- mac_ifnet_label_free(ifp->if_label);
- ifp->if_label = NULL;
+ struct label *label = if_getmaclabel(ifp);
+ if (label != NULL) {
+ mac_ifnet_label_free(label);
+ if_setmaclabel(ifp, NULL);
 }
 }
@@ -308,7 +308,7 @@
 return;
 MAC_IFNET_LOCK(ifp, locked);
- MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
+ MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, if_getmaclabel(ifp));
 MAC_IFNET_UNLOCK(ifp, locked);
 }
@@ -345,7 +345,7 @@
 label = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
- MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m,
+ MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, if_getmaclabel(ifp), m,
 label);
 MAC_IFNET_UNLOCK(ifp, locked);
 }
@@ -366,7 +366,7 @@
 MAC_IFNET_LOCK(ifp, locked);
 MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
- ifp->if_label);
+ if_getmaclabel(ifp));
 MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
 MAC_IFNET_UNLOCK(ifp, locked);
@@ -387,7 +387,7 @@
 label = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
- MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
+ MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, if_getmaclabel(ifp), m,
 label);
 MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
 MAC_IFNET_UNLOCK(ifp, locked);
@@ -425,7 +425,7 @@
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 intlabel = mac_ifnet_label_alloc();
 MAC_IFNET_LOCK(ifp, locked);
- mac_ifnet_copy_label(ifp->if_label, intlabel);
+ mac_ifnet_copy_label(if_getmaclabel(ifp), intlabel);
 MAC_IFNET_UNLOCK(ifp, locked);
 error = mac_ifnet_externalize_label(intlabel, elements, buffer,
 mac.m_buflen);
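Review bot: The rewritten `mac_ifnet_destroy()` initializes `label` with a function call inside its declaration and runs straight into the `if` with no blank line after the declaration. FreeBSD's style(9) advises against function calls in initializers and separates declarations from code with a blank line. I would declare `struct label *label;`, leave a blank line, and then assign `label = if_getmaclabel(ifp);` ahead of the `if (label != NULL) {` test.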
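Review bot: The new `MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ...)` line still ends in `m,` after the longer `if_getmaclabel(ifp)` argument was substituted, which takes it past 80 columns once the statement's indentation is counted (the indentation is not recoverable from this page, so this assumes at least one tab). The same holds for the `ifnet_check_transmit` hunk and the `ifnet_relabel` line in this file, and for the `netinet6_nd6_send` hunk in mac_inet6.c. The mac_inet.c hunks already rewrap their calls; doing the same here, ending the first line at `if_getmaclabel(ifp),` and starting the continuation with `m, label);`, keeps the files consistent.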
@@ -486,14 +486,14 @@
 MAC_IFNET_LOCK(ifp, locked);
 MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp,
- ifp->if_label, intlabel);
+ if_getmaclabel(ifp), intlabel);
 if (error) {
 MAC_IFNET_UNLOCK(ifp, locked);
 mac_ifnet_label_free(intlabel);
 return (error);
 }
- MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
+ MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, if_getmaclabel(ifp),
 intlabel);
 MAC_IFNET_UNLOCK(ifp, locked);
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1064,7 +1064,7 @@
 dest = SLOT(ifplabel);
- if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
+ if (if_gettype(ifp) == IFT_LOOP || interfaces_equal != 0) {
 type = MAC_BIBA_TYPE_EQUAL;
 goto set;
 }
@@ -1091,7 +1091,7 @@
 if (len < IFNAMSIZ) {
 bzero(tifname, sizeof(tifname));
 bcopy(q, tifname, len);
- if (strcmp(tifname, ifp->if_xname) == 0) {
+ if (strcmp(tifname, if_name(ifp)) == 0) {
 type = MAC_BIBA_TYPE_HIGH;
 break;
 }
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -90,10 +90,10 @@
 if (!ifoff_enabled)
 return (0);
- if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+ if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 return (0);
- if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+ if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 return (0);
 return (EPERM);
@@ -105,10 +105,10 @@
 if (!ifoff_enabled)
 return (0);
- if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+ if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 return (0);
- if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+ if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 return (0);
 if (viabpf && ifoff_bpfrecv_enabled)
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1188,7 +1188,7 @@
 dest = SLOT(ifplabel);
- if (ifp->if_type == IFT_LOOP) {
+ if (if_gettype(ifp) == IFT_LOOP) {
 grade = MAC_LOMAC_TYPE_EQUAL;
 goto set;
 }
@@ -1215,7 +1215,7 @@
 if (len < IFNAMSIZ) {
 bzero(tifname, sizeof(tifname));
 bcopy(q, tifname, len);
- if (strcmp(tifname, ifp->if_xname) == 0) {
+ if (strcmp(tifname, if_name(ifp)) == 0) {
 grade = MAC_LOMAC_TYPE_HIGH;
 break;
 }
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1024,7 +1024,7 @@
 dest = SLOT(ifplabel);
- if (ifp->if_type == IFT_LOOP)
+ if (if_gettype(ifp) == IFT_LOOP)
 type = MAC_MLS_TYPE_EQUAL;
 else
 type = MAC_MLS_TYPE_LOW;