From d3990b06e1fe14d61dd43b2a093689cea5d362d8 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 31 Jul 2002 16:42:47 +0000
Subject: [PATCH] Introduce support for Mandatory Access Control and extensible kernel access control.
Invoke the MAC framework to label mbuf created using divert sockets. These labels may later be used for access control on delivery to another socket, or to an interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI LAbs
---
 sys/netinet/ip_divert.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 50e939be3f39..ff246f9a1ea7 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -37,6 +37,7 @@
 #include "opt_ipfw.h"
 #include "opt_ipdivert.h"
 #include "opt_ipsec.h"
+#include "opt_mac.h"
 #ifndef INET
 #error "IPDIVERT requires INET."
@@ -46,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -264,6 +266,10 @@ div_output(struct socket *so, struct mbuf *m,
 divert_tag.mh_data = 0; /* the matching rule # */
 m->m_pkthdr.rcvif = NULL; /* XXX is it necessary ? */
+#ifdef MAC
+ mac_create_mbuf_from_socket(so, m);
+#endif
+
 if (control)
 m_freem(control); /* XXX */
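Review bot: The `mac_create_mbuf_from_socket(so, m)` call added in the third hunk (div_output) carries no comment saying which label the packet gets or why it is applied at this point. From the visible lines, the mbuf is labelled from the divert socket `so` unconditionally, before whatever code later in div_output chooses where the packet is sent; that code, and the start and end of the function, are outside the hunk, so I am presuming the one call is meant to cover every reinjection path. I would put a comment above the `#ifdef MAC`, for example `/* Label the packet from the divert socket; later MAC checks see this label, not one from the original packet or interface. */`, so that policy authors know traffic passing through a divert socket is re-labelled by the socket that reinjects it.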