Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke a MAC framework entry point to authorize reception of an incoming mbuf by the BPF descriptor, permitting MAC policies to limit the visibility of packets delivered to particular BPF descriptors. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
svn path=/head/; revision=101075
2002-07-31 16:11:32 +00:00 · 2002-07-31 16:11:32 +00:00 · ec272d8708 · 2020-12-20 02:59:44 +00:00
commit ec272d8708
parent 82f4445d4c
1 changed files with 6 additions and 2 deletions
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@ -1074,8 +1074,12 @@ bpf_tap(ifp, pkt, pktlen)
 		BPFD_LOCK(d);
 		++d->bd_rcount;
 		slen = bpf_filter(d->bd_filter, pkt, pktlen, pktlen);
-		if (slen != 0)
-			catchpacket(d, pkt, pktlen, slen, bcopy);
+		if (slen != 0) {
+#ifdef MAC
+			if (mac_check_bpfdesc_receive(d, ifp) == 0)
+#endif
+				catchpacket(d, pkt, pktlen, slen, bcopy);
+		}
 		BPFD_UNLOCK(d);
 	}
 	BPFIF_UNLOCK(bp);