Use mac_biba_label_copy() and mac_mls_label_copy() to implement the

mpo_copy_mbuf_label() entry point for Biba and MLS, respectively. Otherwise, labels in m_tags may not be properly propagated across some classes of mbuf operations. This problem caused these policies to fail-stop the system with a panic. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2026-05-28 04:12:45 -04:00 · 2003-06-02 17:21:38 +00:00 · 2003-06-02 17:21:38 +00:00 · f32bb0529b
commit f32bb0529b
parent 71c5a90130
2 changed files with 2 additions and 0 deletions
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -2630,6 +2630,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_destroy_socket_label = mac_biba_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_biba_destroy_label,
 	.mpo_destroy_vnode_label = mac_biba_destroy_label,
+	.mpo_copy_mbuf_label = mac_biba_copy_label,
 	.mpo_copy_pipe_label = mac_biba_copy_label,
 	.mpo_copy_vnode_label = mac_biba_copy_label,
 	.mpo_externalize_cred_label = mac_biba_externalize_label,
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -2393,6 +2393,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_destroy_socket_label = mac_mls_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
 	.mpo_destroy_vnode_label = mac_mls_destroy_label,
+	.mpo_copy_mbuf_label = mac_mls_copy_label,
 	.mpo_copy_pipe_label = mac_mls_copy_label,
 	.mpo_copy_vnode_label = mac_mls_copy_label,
 	.mpo_externalize_cred_label = mac_mls_externalize_label,