From b53ba9c2dc024539e0a0bb8fafea6ec37a0cd6fc Mon Sep 17 00:00:00 2001 From: rwatson Date: Wed, 31 Jul 2002 16:23:42 +0000 Subject: Introduce support for Mandatory Access Control and extensible kernel access control. Label mbufs received via kernel tunnel device interfaces by invoking appropriate MAC framework entry points. Perform access control checks on out-going mbufs delivered via tunnel interfaces by invoking appropriate MAC entry points: NOTE: Currently the label for a tunnel interface is not derived from the label of the process that opened the tunnel interface. It probably should be. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs --- sys/net/if_tun.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'sys/net/if_tun.c') diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c index 18435fd..b4015d7 100644 --- a/sys/net/if_tun.c +++ b/sys/net/if_tun.c @@ -17,10 +17,12 @@ */ #include "opt_inet.h" +#include "opt_mac.h" #include #include #include +#include #include #include #include @@ -436,9 +438,20 @@ tunoutput( struct rtentry *rt) { struct tun_softc *tp = ifp->if_softc; +#ifdef MAC + int error; +#endif TUNDEBUG ("%s%d: tunoutput\n", ifp->if_name, ifp->if_unit); +#ifdef MAC + error = mac_check_ifnet_transmit(ifp, m0); + if (error) { + m_freem(m0); + return (error); + } +#endif + if ((tp->tun_flags & TUN_READY) != TUN_READY) { TUNDEBUG ("%s%d: not ready 0%o\n", ifp->if_name, ifp->if_unit, tp->tun_flags); @@ -735,6 +748,9 @@ tunwrite(dev_t dev, struct uio *uio, int flag) top->m_pkthdr.len = tlen; top->m_pkthdr.rcvif = ifp; +#ifdef MAC + mac_create_mbuf_from_ifnet(ifp, top); +#endif if (ifp->if_bpf) { if (tp->tun_flags & TUN_IFHEAD) { -- cgit v1.1
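Review bot: The denial path added at the top of tunoutput frees `m0` and returns the policy error without leaving any trace, so a packet rejected by `mac_check_ifnet_transmit` is indistinguishable from one that was never sent when someone debugs the interface. A debug line in the style the function already uses would fix that, e.g. `TUNDEBUG("%s%d: MAC denied transmit: %d\n", ifp->if_name, ifp->if_unit, error);` before `m_freem(m0);`. Whether the other drop paths in this function bump an interface error counter is not visible here; if they do, this path should match them. The check also runs before the `TUN_READY` test, so a policy error takes precedence over the not-ready error; if that ordering is intentional, a one-line comment saying so would help. The rest of tunoutput lies outside the hunk.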
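Review bot: As the call in tunwrite reads, the label for `top` is taken from `ifp` rather than from the credential of the process writing to the device, so the packet's label says nothing about who injected it. The commit message acknowledges that the interface label is not yet derived from the opener, but that caveat appears only in the log. It should be recorded at the call site, for example `/* XXXMAC: label comes from ifp, which is not yet derived from the opener's credential. */` above `mac_create_mbuf_from_ifnet(ifp, top);`. Anyone auditing the policy hooks later would then see the limitation without having to read the history. tunwrite's body starts and ends outside the hunk.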