Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke a MAC framework entry point to authorize reception of an incoming mbuf by the BPF descriptor, permitting MAC policies to limit the visibility of packets delivered to particular BPF descriptors. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
author: rwatson <rwatson@FreeBSD.org> 2002-07-31 16:11:32 +0000
committer: rwatson <rwatson@FreeBSD.org> 2002-07-31 16:11:32 +0000
commit: 7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c (patch)
tree: 4189583b0b1aaa4fe4fc0004fbe21d29aec58b0c /sys/net/bpf.c
parent: 21c15b42716cabb0a413cdb890410b5d8d76f0ad (diff)
download: FreeBSD-src-7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c.zip
FreeBSD-src-7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index a7d49da..1751e03 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1074,8 +1074,12 @@ bpf_tap(ifp, pkt, pktlen)
 		BPFD_LOCK(d);
 		++d->bd_rcount;
 		slen = bpf_filter(d->bd_filter, pkt, pktlen, pktlen);
-		if (slen != 0)
-			catchpacket(d, pkt, pktlen, slen, bcopy);
+		if (slen != 0) {
+#ifdef MAC
+			if (mac_check_bpfdesc_receive(d, ifp) == 0)
+#endif
+				catchpacket(d, pkt, pktlen, slen, bcopy);
+		}
 		BPFD_UNLOCK(d);
 	}
 	BPFIF_UNLOCK(bp);
author	rwatson <rwatson@FreeBSD.org>	2002-07-31 16:11:32 +0000
committer	rwatson <rwatson@FreeBSD.org>	2002-07-31 16:11:32 +0000
commit	7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c (patch)
tree	4189583b0b1aaa4fe4fc0004fbe21d29aec58b0c /sys/net/bpf.c
parent	21c15b42716cabb0a413cdb890410b5d8d76f0ad (diff)
download	FreeBSD-src-7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c.zip FreeBSD-src-7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c.tar.gz