authorrwatson <rwatson@FreeBSD.org>2009-01-10 23:50:23 +0000
committerrwatson <rwatson@FreeBSD.org>2009-01-10 23:50:23 +0000
commit1406f45dff6b8772d4b5d1102fd7d983dcc5c84d (patch)
treee53775bdb8e7fbba8849f5881e5145e0ae6e3c42
parentf6fb926c389b6ab1902a824b0f88ea5d4dc9c8fb (diff)
downloadFreeBSD-src-1406f45dff6b8772d4b5d1102fd7d983dcc5c84d.zip
FreeBSD-src-1406f45dff6b8772d4b5d1102fd7d983dcc5c84d.tar.gz
Do invoke mac_ifnet_check_transmit() and mac_ifnet_create_mbuf()
in the loopback and synthetic loopback code so that packets are access control checked and relabeled. Previously, the MAC Framework enforced that packets sent over the loopback weren't relabeled, but this will allow policies to make explicit choices about how and whether to relabel packets on the loopback. Also, for SIMPLEX devices, this produces more consistent behavior for looped back packets to the local MAC address by labeling those packets as coming from the interface. Discussed with: csjp Obtained from: TrustedBSD Project
-rw-r--r--sys/net/if_loop.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/net/if_loop.c b/sys/net/if_loop.c
index 4b42527..6ba0aff 100644
--- a/sys/net/if_loop.c
+++ b/sys/net/if_loop.c
@@ -38,6 +38,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipx.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -82,6 +83,8 @@
#include <netatalk/at_var.h>
#endif
+#include <security/mac/mac_framework.h>
+
#ifdef TINY_LOMTU
#define LOMTU (1024+512)
#elif defined(LARGE_LOMTU)
@@ -176,9 +179,20 @@ looutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
struct rtentry *rt)
{
u_int32_t af;
+#ifdef MAC
+ int error;
+#endif
M_ASSERTPKTHDR(m); /* check if we have the packet header */
+#ifdef MAC
+ error = mac_ifnet_check_transmit(ifp, m);
+ if (error) {
+ m_freem(m);
+ return (error);
+ }
+#endif
+
if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
m_freem(m);
return (rt->rt_flags & RTF_BLACKHOLE ? 0 :
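Review bot: The new mac_ifnet_check_transmit() call at the top of looutput() is placed ahead of the RTF_REJECT/RTF_BLACKHOLE test, so a policy denial is what the caller sees even for packets a blackhole route would otherwise have silently discarded; that ordering is deliberate and worth stating, e.g. `/* MAC transmit check runs before route handling so policy denial takes precedence. */` above the `#ifdef MAC` block. On denial the mbuf is freed and the error returned without touching any interface counters; if the rest of looutput() accounts dropped packets in if_oerrors (not visible in this hunk), this early return should do the same for consistency. looutput() continues past the end of the hunk.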
@@ -230,6 +244,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
m_tag_delete_nonpersistent(m);
m->m_pkthdr.rcvif = ifp;
+#ifdef MAC
+ mac_ifnet_create_mbuf(ifp, m);
+#endif
+
/*
* Let BPF see incoming packet in the following manner:
* - Emulated packet loopback for a simplex interface
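Review bot: The mac_ifnet_create_mbuf() call in if_simloop() is ordered after m_tag_delete_nonpersistent() and the rcvif assignment, and nothing records that this ordering matters; if the MAC label on the mbuf is carried as an mbuf tag (to be confirmed against the mbuf/MAC code), relabeling before the tag sweep would be undone. A short comment such as `/* Relabel after non-persistent tags are dropped and rcvif is set, so the packet is labeled as received from this interface. */` would tie the call to its position. if_simloop() continues past the end of the hunk.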