Introduce support for Mandatory Access Control and extensible

kernel access control.

Label mbufs received via ethernet-based interfaces by invoking
appropriate MAC framework entry points.

Perform access control checks on out-going mbufs delivered via
ethernet-based interfaces by invoking appropriate MAC entry
points.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 12 insertions, 0 deletions

diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 6a1a85d..693f184 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -39,11 +39,13 @@
 #include "opt_inet6.h"
 #include "opt_ipx.h"
 #include "opt_bdg.h"
+#include "opt_mac.h"
 #include "opt_netgraph.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/random.h>
@@ -154,6 +156,12 @@ ether_output(ifp, m, dst, rt0)
 	int hlen;	/* link layer header lenght */
 	struct arpcom *ac = IFP2AC(ifp);
 
+#ifdef MAC
+	error = mac_check_ifnet_transmit(ifp, m);
+	if (error)
+		senderr(error);
+#endif
+
 	if ((ifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
 		senderr(ENETDOWN);
 	rt = rt0;
@@ -551,6 +559,10 @@ ether_input(ifp, eh, m)
 {
 	struct ether_header save_eh;
 
+#ifdef MAC
+	mac_create_mbuf_from_ifnet(ifp, m);
+#endif
+
 	/* Check for a BPF tap */
 	if (ifp->if_bpf != NULL) {
 		struct m_hdr mh;