From a3abeda755f494d9f0236844fec1767fb49794cb Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Wed, 31 Jul 2002 01:42:19 +0000 Subject: [PATCH] Introduce support for Mandatory Access Control and extensible kernel access control. Invoke the necessary MAC entry points to maintain labels on header mbufs. In particular, invoke entry points during the two mbuf header allocation cases, and the mbuf freeing case. Pass the "how" argument at allocation time to the MAC framework so that it can determine if it is permitted to block (as with policy modules), and permit the initialization entry point to fail if it needs to allocate memory but is not permitted to, failing the mbuf allocation. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs --- sys/kern/subr_mbuf.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/sys/kern/subr_mbuf.c b/sys/kern/subr_mbuf.c index 4c70ee8f8a56..7d8c1f51d51a 100644 --- a/sys/kern/subr_mbuf.c +++ b/sys/kern/subr_mbuf.c @@ -28,10 +28,13 @@ * $FreeBSD$ */ +#include "opt_mac.h" #include "opt_param.h" + #include #include #include +#include #include #include #include @@ -802,6 +805,11 @@ mb_free(struct mb_lstmngr *mb_list, void *m, short type, short persist, struct mb_bucket *bucket; u_int owner; +#ifdef MAC + if (type != MT_NOTMBUF && ((struct mbuf *)m)->m_flags & M_PKTHDR) + mac_destroy_mbuf((struct mbuf *)m); +#endif + bucket = mb_list->ml_btable[MB_BUCKET_INDX(m, mb_list)]; /* @@ -1254,8 +1262,15 @@ m_gethdr(int how, short type) struct mbuf *mb; mb = (struct mbuf *)mb_alloc(&mb_list_mbuf, how, type, 0, NULL); - if (mb != NULL) + if (mb != NULL) { _mbhdr_setup(mb, type); +#ifdef MAC + if (mac_init_mbuf(mb, how) != 0) { + mb_free(&mb_list_mbuf, mb, type, 0, NULL); + return (NULL); + } +#endif + } return (mb); } 
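Review bot: The teardown added at the top of mb_free() is keyed on M_PKTHDR alone, so any path that sets that flag without going through mac_init_mbuf() (anything that builds a header mbuf outside m_gethdr()/m_gethdr_clrd(), should such a path exist elsewhere in this file) would hand an uninitialised label to mac_destroy_mbuf(); that pairing is an invariant worth stating at the point of the destroy. I would also parenthesise the flag test so the reader does not have to rely on `&` binding tighter than `&&`: `if (type != MT_NOTMBUF && (((struct mbuf *)m)->m_flags & M_PKTHDR) != 0)`. A comment above the block such as `/* Header mbufs carry a MAC label set up by mac_init_mbuf(); release it before the mbuf goes back to the cache. */` would record the invariant. mb_free() continues outside the hunk.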
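Review bot: On the failure path in m_gethdr(), mb_free() receives an mbuf that _mbhdr_setup() has already marked M_PKTHDR, so with the mb_free() change in this same patch it will call mac_destroy_mbuf() on a label whose mac_init_mbuf() just failed; whether that is safe depends on whether mac_init_mbuf() leaves the label in a destroyable state or already tears it down on error, which is not visible here. If the framework cleans up on failure this is a double destroy, and clearing the flag first — `mb->m_flags &= ~M_PKTHDR;` immediately before the `mb_free(...)` — would avoid it; if it does not, a comment stating that mb_free() is relied on to release the partial label is needed, e.g. `/* mb_free() sees M_PKTHDR and releases the partially initialised label. */`. Forwarding `how` is what lets an M_DONTWAIT caller fail here instead of sleeping inside a policy module, which deserves a line as well. The m_gethdr() signature is outside the hunk.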
@@ -1298,6 +1313,12 @@ m_gethdr_clrd(int how, short type)
 	mb = (struct mbuf *)mb_alloc(&mb_list_mbuf, how, type, 0, NULL);
 	if (mb != NULL) {
 		_mbhdr_setup(mb, type);
+#ifdef MAC
+		if (mac_init_mbuf(mb, how) != 0) {
+			mb_free(&mb_list_mbuf, mb, type, 0, NULL);
+			return (NULL);
+		}
+#endif
 		bzero(mtod(mb, caddr_t), MHLEN);
 	}
 	return (mb);
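Review bot: The MAC init-and-unwind block in m_gethdr_clrd() is a verbatim copy of the one added to m_gethdr() earlier in this patch, and both will have to change together whenever the failure contract of mac_init_mbuf() or the mb_free() arguments do; I would factor it into one static helper next to _mbhdr_setup() that both callers use. That keeps the `#ifdef MAC` in a single place and leaves the non-MAC build with a trivial pass-through, and the helper's header comment is the natural home for the note that `how` decides whether a policy module may block. The m_gethdr_clrd() signature is outside the hunk.
```c
/*
 * Initialise the MAC label on a header mbuf that _mbhdr_setup() has just
 * prepared.  `how' is forwarded so the policy modules know whether they may
 * block; on failure the mbuf is returned to the cache and NULL is returned.
 */
static __inline struct mbuf *
_mbhdr_mac_init(struct mbuf *mb, int how, short type)
{
#ifdef MAC
	if (mac_init_mbuf(mb, how) != 0) {
		mb_free(&mb_list_mbuf, mb, type, 0, NULL);
		return (NULL);
	}
#endif
	return (mb);
}

/* … unchanged: m_gethdr_clrd() up to and including _mbhdr_setup(mb, type); … */
		mb = _mbhdr_mac_init(mb, how, type);
		if (mb == NULL)
			return (NULL);
		bzero(mtod(mb, caddr_t), MHLEN);
```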