Add mac_inpcb_check_visible MAC Framework entry point, which is similar

to mac_socket_check_visible but operates on the inpcb.

Reviewed by:	rwatson
MFC after:	3 months (set timer, decide then)

sys/security/mac/mac_framework.h

@@ -131,6 +131,7 @@ int	mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
 	    struct ifnet *ifp);
 
 int	mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
+int	mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);
 void	mac_inpcb_create(struct socket *so, struct inpcb *inp);
 void	mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
 void	mac_inpcb_destroy(struct inpcb *);

sys/security/mac/mac_inet.c

@@ -313,6 +313,18 @@ mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
 	return (error);
 }
 
+int
+mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp)
+{
+	int error;
+
+	INP_LOCK_ASSERT(inp);
+
+	MAC_CHECK(inpcb_check_visible, cred, inp, inp->inp_label);
+
+	return (error);
+}
+
 void
 mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
 {

sys/security/mac/mac_policy.h

@@ -187,6 +187,8 @@ typedef void	(*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
 typedef int	(*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
 		    struct label *inplabel, struct mbuf *m,
 		    struct label *mlabel);
+typedef int	(*mpo_inpcb_check_visible_t)(struct ucred *cred,
+		    struct inpcb *inp, struct label *inplabel);
 typedef void	(*mpo_inpcb_create_t)(struct socket *so,
 		    struct label *solabel, struct inpcb *inp,
 		    struct label *inplabel);
@@ -689,6 +691,7 @@ struct mac_policy_ops {
 	mpo_ifnet_relabel_t			mpo_ifnet_relabel;
 
 	mpo_inpcb_check_deliver_t		mpo_inpcb_check_deliver;
+	mpo_inpcb_check_visible_t		mpo_inpcb_check_visible;
 	mpo_inpcb_create_t			mpo_inpcb_create;
 	mpo_inpcb_create_mbuf_t			mpo_inpcb_create_mbuf;
 	mpo_inpcb_destroy_label_t		mpo_inpcb_destroy_label;