Introduce support for Mandatory Access Control and extensible

kernel access control.

Instrument the interface management code so that MAC labels are
properly maintained on network interfaces (struct ifnet).  In
particular, invoke entry points when interfaces are created and
removed.  MAC policies may initialized the label interface based
on a variety of factors, including the interface name.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 11 insertions, 0 deletions

diff --git a/sys/net/if.c b/sys/net/if.c
index d737bb2..e34aecc 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -37,9 +37,11 @@
 #include "opt_compat.h"
 #include "opt_inet6.h"
 #include "opt_inet.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/conf.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/bus.h>
 #include <sys/mbuf.h>
@@ -386,6 +388,12 @@ if_attach(ifp)
 	TAILQ_INIT(&ifp->if_multiaddrs);
 	SLIST_INIT(&ifp->if_klist);
 	getmicrotime(&ifp->if_lastchange);
+
+#ifdef MAC
+	mac_init_ifnet(ifp);
+	mac_create_ifnet(ifp);
+#endif
+
 	ifp->if_index = if_findindex(ifp);
 	if (ifp->if_index > if_index)
 		if_index = ifp->if_index;
@@ -522,6 +530,9 @@ if_detach(ifp)
 	/* Announce that the interface is gone. */
 	rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
 
+#ifdef MAC
+	mac_destroy_ifnet(ifp);
+#endif /* MAC */
 	KNOTE(&ifp->if_klist, NOTE_EXIT);
 	TAILQ_REMOVE(&ifnet, ifp, if_link);
 	mtx_destroy(&ifp->if_snd.ifq_mtx);