author | rwatson <rwatson@FreeBSD.org> | 2002-07-31 16:09:38 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-07-31 16:09:38 +0000 |
commit | 21c15b42716cabb0a413cdb890410b5d8d76f0ad (patch) | |
tree | 7149b64e5f0bfa88c9415e5aab9c520b81a87a09 /sys/net/bpf.c | |
parent | 85e0975519abd61123c3e4cf457e5da492cb4eb1 (diff) | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument BPF so that MAC labels are properly maintained on BPF
descriptors. MAC framework entry points are invoked at BPF
instantiation and allocation, permitting the MAC framework to
derive the BPF descriptor label from the credential authorizing
the device open. Also enter the MAC framework to label mbufs
created using the BPF device.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/net/bpf.c')
-rw-r--r-- | sys/net/bpf.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 1476498..a7d49da 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -41,11 +41,13 @@
 */
 #include "opt_bpf.h"
+#include "opt_mac.h"
 #include "opt_netgraph.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/conf.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/time.h>
@@ -343,6 +345,10 @@ bpfopen(dev, flags, fmt, td)
 d->bd_bufsize = bpf_bufsize;
 d->bd_sig = SIGIO;
 d->bd_seesent = 1;
+#ifdef MAC
+ mac_init_bpfdesc(d);
+ mac_create_bpfdesc(td->td_ucred, d);
+#endif
 mtx_init(&d->bd_mtx, devtoname(dev), "bpf cdev lock", MTX_DEF);
 callout_init(&d->bd_callout, 1);
@@ -373,6 +379,9 @@ bpfclose(dev, flags, fmt, td)
 if (d->bd_bif)
 bpf_detachd(d);
 mtx_unlock(&bpf_mtx);
+#ifdef MAC
+ mac_destroy_bpfdesc(d);
+#endif /* MAC */
 bpf_freed(d);
 dev->si_drv1 = 0;
 free(d, M_BPF);
@@ -563,6 +572,9 @@ bpfwrite(dev, uio, ioflag)
 dst.sa_family = pseudo_AF_HDRCMPLT;
 mtx_lock(&Giant);
+#ifdef MAC
+ mac_create_mbuf_from_bpfdesc(d, m);
+#endif
 error = (*ifp->if_output)(ifp, m, &dst, (struct rtentry *)0);
 mtx_unlock(&Giant);
 /* |
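Review bot: In the bpfopen hunk the descriptor label is set once, from `td->td_ucred` at open time, and nothing next to the two calls records that this binding is fixed; a descriptor that is later inherited or handed to another process would presumably keep the opener's label. A comment above `mac_init_bpfdesc(d);` would make that explicit, for example `/* Label is derived from the opening credential and is not updated afterwards. */`. The bare `#endif` here and in the bpfwrite hunk should also read `#endif /* MAC */` to match the bpfclose hunk. bpfopen's body starts and ends outside the hunk.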
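Review bot: In the bpfwrite hunk `mac_create_mbuf_from_bpfdesc(d, m);` sits after `mtx_lock(&Giant);`, so the labelling runs under Giant although nothing visible here shows that it needs that lock; unless the MAC entry point requires Giant, the `#ifdef MAC` block could move above `mtx_lock(&Giant);`. The call only labels the mbuf and returns nothing that the caller checks, so any decision to refuse the packet has to be taken later from that label. If that is the intent, a short comment such as `/* Label only; any enforcement happens later on the output path. */` would record it for the next reader. bpfwrite's body starts and ends outside the hunk.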