From 40d00aeb4470ce0386d8e7919cdecd7dc4cc604a Mon Sep 17 00:00:00 2001
From: rwatson
Date: Wed, 31 Jul 2002 01:51:34 +0000
Subject: [PATCH] Introduce support for Mandatory Access Control and extensible kernel access control.

Invoke additional MAC entry points when an mbuf packet header is copied to another mbuf: release the old label if any, reinitialize the new header, and ask the MAC framework to copy the header label data. Note that this requires a potential allocation operation, but m_copy_pkthdr() is not permitted to fail, so we must block. Since we now use interrupt threads, this is possible, but not desirable.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
 sys/kern/uipc_mbuf.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c
index e8a679ed8d8..4d66465b7c4 100644
--- a/sys/kern/uipc_mbuf.c
+++ b/sys/kern/uipc_mbuf.c
@@ -34,12 +34,15 @@
 * $FreeBSD$
 */
 
+#include "opt_mac.h"
 #include "opt_param.h"
+
 #include
 #include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -74,10 +77,18 @@ m_copy_pkthdr(struct mbuf *to, struct mbuf *from)
 #if 0
 KASSERT(to->m_flags & M_PKTHDR,
 ("m_copy_pkthdr() called on non-header"));
+#endif
+#ifdef MAC
+ if (to->m_flags & M_PKTHDR)
+ mac_destroy_mbuf(to);
 #endif
 to->m_data = to->m_pktdat;
 to->m_flags = from->m_flags & M_COPYFLAGS;
 to->m_pkthdr = from->m_pkthdr;
+#ifdef MAC
+ mac_init_mbuf(to, 1); /* XXXMAC no way to fail */
+ mac_create_mbuf_from_mbuf(from, to);
+#endif
 from->m_pkthdr.aux = NULL;
 }
 
@@ -98,6 +109,9 @@ m_prepend(struct mbuf *m, int len, int how)
 }
 if (m->m_flags & M_PKTHDR) {
 M_COPY_PKTHDR(mn, m);
+#ifdef MAC
+ mac_destroy_mbuf(m);
+#endif
 m->m_flags &= ~M_PKTHDR;
 }
 mn->m_next = m;
-- 
2.45.2
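Review bot: In the m_copy_pkthdr() hunk, the result of `mac_init_mbuf(to, 1)` is discarded after `to->m_pkthdr = from->m_pkthdr` has already run. If the label is stored inside the packet header (not visible here), an init that did not complete would leave `to` holding a bitwise copy of `from`'s label, and both mbufs would later release the same label state. Because the function cannot report an error, the no-fail assumption should be checked rather than only commented, e.g. with a local `int error`: `error = mac_init_mbuf(to, 1);` followed by `KASSERT(error == 0, ("m_copy_pkthdr: mac_init_mbuf failed"));`, assuming the call returns an error code as the XXXMAC comment implies. The bare `1` also deserves a comment saying it selects a blocking allocation, as the commit message explains. The function body starts outside the hunk.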
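Review bot: In the m_prepend() hunk, the label release is placed by hand next to `m->m_flags &= ~M_PKTHDR`, so any other code that clears M_PKTHDR on the source after M_COPY_PKTHDR needs the same three lines or the old header's label is never released. Such sites are outside this patch, so I cannot tell whether they are covered. The asymmetry with `aux` also deserves a comment, since m_copy_pkthdr() moves aux by setting `from->m_pkthdr.aux = NULL` but duplicates the label: `/* The label was copied, not moved, by M_COPY_PKTHDR(); release the original before dropping M_PKTHDR. */`. m_prepend()'s body begins and ends outside the hunk.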