authorrwatson <rwatson@FreeBSD.org>2002-07-31 16:23:42 +0000
committerrwatson <rwatson@FreeBSD.org>2002-07-31 16:23:42 +0000
commitb53ba9c2dc024539e0a0bb8fafea6ec37a0cd6fc (patch)
treeba98983dcd89a85c067e6278be45bde69ecae6a8 /sys/net/if_tun.c
parent14cd8a4891b49e1a3571664ff612dda5b7dc5fa6 (diff)
Introduce support for Mandatory Access Control and extensible
kernel access control. Label mbufs received via kernel tunnel device interfaces by invoking appropriate MAC framework entry points. Perform access control checks on out-going mbufs delivered via tunnel interfaces by invoking appropriate MAC entry points: NOTE: Currently the label for a tunnel interface is not derived from the label of the process that opened the tunnel interface. It probably should be. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/net/if_tun.c')
-rw-r--r--sys/net/if_tun.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index 18435fd..b4015d7 100644
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -17,10 +17,12 @@
*/
#include "opt_inet.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/systm.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/socket.h>
@@ -436,9 +438,20 @@ tunoutput(
struct rtentry *rt)
{
struct tun_softc *tp = ifp->if_softc;
+#ifdef MAC
+ int error;
+#endif
TUNDEBUG ("%s%d: tunoutput\n", ifp->if_name, ifp->if_unit);
+#ifdef MAC
+ error = mac_check_ifnet_transmit(ifp, m0);
+ if (error) {
+ m_freem(m0);
+ return (error);
+ }
+#endif
+
if ((tp->tun_flags & TUN_READY) != TUN_READY) {
TUNDEBUG ("%s%d: not ready 0%o\n", ifp->if_name,
ifp->if_unit, tp->tun_flags);
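Review bot: The MAC denial branch added to tunoutput frees m0 and returns with no trace, while the not-ready branch directly below it reports its reason through TUNDEBUG. A packet dropped by policy is then hard to tell apart from any other output failure when debugging a tunnel. I would log it before the free, `TUNDEBUG("%s%d: MAC denied transmit, error %d\n", ifp->if_name, ifp->if_unit, error);`, and add a short comment that tunoutput owns m0 and must free it on this early return. Whether the drop should also be counted in the interface's output error statistics cannot be judged from here, since the rest of tunoutput's body lies outside the hunk.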
@@ -735,6 +748,9 @@ tunwrite(dev_t dev, struct uio *uio, int flag)
top->m_pkthdr.len = tlen;
top->m_pkthdr.rcvif = ifp;
+#ifdef MAC
+ mac_create_mbuf_from_ifnet(ifp, top);
+#endif
if (ifp->if_bpf) {
if (tp->tun_flags & TUN_IFHEAD) {
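Review bot: The new `mac_create_mbuf_from_ifnet(ifp, top)` call in tunwrite labels the mbuf from the interface alone, so data written by a userland process enters the stack carrying the interface's label rather than one tied to the writer. The commit message already admits that the interface label is not derived from the process that opened the device, but nothing at the call site records it. I would add a comment above the call such as `/* XXX: label is taken from the ifnet, not from the writing process's credential */` so that anyone relying on these labels for policy sees the limitation. tunwrite's body starts and ends outside the hunk.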