Introduce support for Mandatory Access Control and extensible

kernel access control. Label mbufs received via ethernet-based interfaces by invoking appropriate MAC framework entry points. Perform access control checks on out-going mbufs delivered via ethernet-based interfaces by invoking appropriate MAC entry points. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-31 16:22:02 +00:00 · 2002-07-31 16:22:02 +00:00 · 3597c60ec8
commit 3597c60ec8
parent afe9331e20
1 changed files with 12 additions and 0 deletions
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@ -39,11 +39,13 @@
 #include "opt_inet6.h"
 #include "opt_ipx.h"
 #include "opt_bdg.h"
+#include "opt_mac.h"
 #include "opt_netgraph.h"

 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/random.h>
@ -154,6 +156,12 @@ ether_output(ifp, m, dst, rt0)
 	int hlen;	/* link layer header lenght */
 	struct arpcom *ac = IFP2AC(ifp);

+#ifdef MAC
+	error = mac_check_ifnet_transmit(ifp, m);
+	if (error)
+		senderr(error);
+#endif
+
 	if ((ifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
 		senderr(ENETDOWN);
 	rt = rt0;
@ -551,6 +559,10 @@ ether_input(ifp, eh, m)
 {
 	struct ether_header save_eh;

+#ifdef MAC
+	mac_create_mbuf_from_ifnet(ifp, m);
+#endif
+
 	/* Check for a BPF tap */
 	if (ifp->if_bpf != NULL) {
 		struct m_hdr mh;