--- a/usr/src/uts/common/inet/ipclassifier.h Mon Nov 02 15:57:35 2009 -0700
+++ b/usr/src/uts/common/inet/ipclassifier.h Mon Nov 02 15:39:20 2009 -0800
@@ -165,6 +165,21 @@
} ip_helper_stream_info_t;
/*
+ * Mandatory Access Control mode, in conn_t's conn_mac_mode field.
+ * CONN_MAC_DEFAULT: strict enforcement of MAC.
+ * CONN_MAC_AWARE: allows communications between unlabeled systems
+ * and privileged daemons
+ * CONN_MAC_IMPLICIT: allows communications without explicit labels
+ * on the wire with privileged daemons.
+ *
+ * CONN_MAC_IMPLICIT is intended specifically for labeled IPsec key management
+ * in networks which don't pass CIPSO-labeled packets.
+ */
+#define CONN_MAC_DEFAULT 0
+#define CONN_MAC_AWARE 1
+#define CONN_MAC_IMPLICIT 2
+
+/*
* The initial fields in the conn_t are setup by the kmem_cache constructor,
* and are preserved when it is freed. Fields after that are bzero'ed when
* the conn_t is freed.
@@ -329,7 +344,7 @@
conn_anon_mlp : 1, /* user wants anon MLP */
conn_anon_port : 1, /* user bound anonymously */
- conn_mac_exempt : 1, /* unlabeled with loose MAC */
+ conn_mac_mode : 2, /* normal/loose/implicit MAC */
conn_spare : 26;
boolean_t conn_flow_cntrld;
@@ -421,6 +436,22 @@
((zoneid) == ALL_ZONES) || \
(connp)->conn_zoneid == (zoneid))
+/*
+ * On a labeled system, we must treat bindings to ports
+ * on shared IP addresses by sockets with MAC exemption
+ * privilege as being in all zones, as there's
+ * otherwise no way to identify the right receiver.
+ */
+
+#define IPCL_CONNS_MAC(conn1, conn2) \
+ (((conn1)->conn_mac_mode != CONN_MAC_DEFAULT) || \
+ ((conn2)->conn_mac_mode != CONN_MAC_DEFAULT))
+
+#define IPCL_BIND_ZONE_MATCH(conn1, conn2) \
+ (IPCL_CONNS_MAC(conn1, conn2) || \
+ IPCL_ZONE_MATCH(conn1, conn2->conn_zoneid) || \
+ IPCL_ZONE_MATCH(conn2, conn1->conn_zoneid))
+
#define _IPCL_V4_MATCH(v6addr, v4addr) \
(V4_PART_OF_V6((v6addr)) == (v4addr) && IN6_IS_ADDR_V4MAPPED(&(v6addr)))