2 files changed, 25 insertions, 0 deletions

diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index b12809f..7c352be 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -234,6 +234,15 @@ soo_poll(fp, events, active_cred, td)
 	int error;
 
 	NET_LOCK_GIANT();
+#ifdef MAC
+	SOCK_LOCK(so);
+	error = mac_check_socket_poll(active_cred, so);
+	SOCK_UNLOCK(so);
+	if (error) {
+		NET_UNLOCK_GIANT();
+		return (error);
+	}
+#endif
 	error = (so->so_proto->pr_usrreqs->pru_sopoll)
 	    (so, events, fp->f_cred, td);
 	NET_UNLOCK_GIANT();
@@ -254,6 +263,15 @@ soo_stat(fp, ub, active_cred, td)
 	bzero((caddr_t)ub, sizeof (*ub));
 	ub->st_mode = S_IFSOCK;
 	NET_LOCK_GIANT();
+#ifdef MAC
+	SOCK_LOCK(so);
+	error = mac_check_socket_stat(active_cred, so);
+	SOCK_UNLOCK(so);
+	if (error) {
+		NET_UNLOCK_GIANT();
+		return (error);
+	}
+#endif
 	/*
 	 * If SBS_CANTRCVMORE is set, but there's still data left in the
 	 * receive buffer, the socket is still readable.
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 34d83ee..f4a4b16 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -315,6 +315,13 @@ accept1(td, uap, compat)
 		error = EINVAL;
 		goto done;
 	}
+#ifdef MAC
+	SOCK_LOCK(head);
+	error = mac_check_socket_accept(td->td_ucred, head);
+	SOCK_UNLOCK(head);
+	if (error != 0)
+		goto done;
+#endif
 	error = falloc(td, &nfp, &fd);
 	if (error)
 		goto done;