From 7a94e47d73842b2ec4cd04f5a48dd0902cfddd0c Mon Sep 17 00:00:00 2001
From: rwatson
Date: Wed, 31 Jul 2002 16:11:32 +0000
Subject: Introduce support for Mandatory Access Control and extensible kernel access control. Invoke a MAC framework entry point to authorize reception of an incoming mbuf by the BPF descriptor, permitting MAC policies to limit the visibility of packets delivered to particular BPF descriptors.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
sys/net/bpf.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index a7d49da..1751e03 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1074,8 +1074,12 @@ bpf_tap(ifp, pkt, pktlen)
 BPFD_LOCK(d);
 ++d->bd_rcount;
 slen = bpf_filter(d->bd_filter, pkt, pktlen, pktlen);
- if (slen != 0)
- catchpacket(d, pkt, pktlen, slen, bcopy);
+ if (slen != 0) {
+#ifdef MAC
+ if (mac_check_bpfdesc_receive(d, ifp) == 0)
+#endif
+ catchpacket(d, pkt, pktlen, slen, bcopy);
+ }
 BPFD_UNLOCK(d);
 }
 BPFIF_UNLOCK(bp);
-- 
cgit v1.1
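Review bot: The MAC check is an unbraced `if` placed between `#ifdef MAC` and `#endif`, so the `catchpacket()` call after `#endif` is the only statement it guards. A statement later added next to that call would run regardless of the policy decision in MAC kernels. Bracing the guarded call inside the `#ifdef`, or folding the test into the condition as `if (slen != 0 && mac_check_bpfdesc_receive(d, ifp) == 0)` with the plain `if (slen != 0)` under `#else`, would make the enforcement boundary explicit. Separately, `++d->bd_rcount` runs before the check, so a packet the policy denies is still counted for that descriptor; if that counter is readable by the descriptor's owner it discloses traffic volume the policy is meant to hide, and a comment should state whether that is intended. The hunk shows only part of `bpf_tap`, whose body starts and ends outside it; any other path in this file that reaches `catchpacket()` would presumably need the same check.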