From c0a8cee3712455df85d5bad158fa6ea1c361eeca Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sat, 20 Jun 2009 23:38:21 +0000
Subject: [PATCH] Implement socket delivery MAC checks for IPX/SPX.

Obtained from: TrustedBSD Project
MFC after: 3 days
---
 sys/netipx/ipx_usrreq.c | 6 ++++++
 sys/netipx/spx_usrreq.c | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/sys/netipx/ipx_usrreq.c b/sys/netipx/ipx_usrreq.c
index ef9c1ad3d64..5fcfa3645c4 100644
--- a/sys/netipx/ipx_usrreq.c
+++ b/sys/netipx/ipx_usrreq.c
@@ -187,6 +187,12 @@ ipx_input(struct mbuf *m, struct ipxpcb *ipxp)
 m->m_pkthdr.len -= sizeof(struct ipx);
 m->m_data += sizeof(struct ipx);
 }
+#ifdef MAC
+ if (mac_socket_check_deliver(ipxp->ipxp_socket, m) != 0) {
+ m_freem(m);
+ return;
+ }
+#endif
 if (sbappendaddr(&ipxp->ipxp_socket->so_rcv,
 (struct sockaddr *)&ipx_ipx, m, NULL) == 0)
 m_freem(m);
diff --git a/sys/netipx/spx_usrreq.c b/sys/netipx/spx_usrreq.c
index f6b63e2434e..2b1828855bc 100644
--- a/sys/netipx/spx_usrreq.c
+++ b/sys/netipx/spx_usrreq.c
@@ -225,6 +225,11 @@ spx_input(struct mbuf *m, struct ipxpcb *ipxp)
 so = ipxp->ipxp_socket;
 KASSERT(so != NULL, ("spx_input: so == NULL"));
 
+#ifdef MAC
+ if (mac_socket_check_deliver(so, m) != 0)
+ goto drop;
+#endif
+
 if (so->so_options & SO_DEBUG || traceallspxs) {
 ostate = cb->s_state;
 spx_savesi = *si;
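Review bot: The `mac_socket_check_deliver(ipxp->ipxp_socket, m)` call added to ipx_input consults the socket's label, but nothing in the hunk shows or asserts which lock keeps `ipxp_socket` and that label stable at this point; the call added to spx_input in the second hunk has the same gap. If the pcb lock is what covers it and is not already asserted earlier in the function (outside the hunk), add `IPX_LOCK_ASSERT(ipxp);` ahead of the check, and confirm whether the MAC entry point additionally expects the socket lock. The veto path also frees the mbuf with no counter or trace, so a policy denial looks like ordinary packet loss to whoever is debugging it; at minimum a comment such as `/* MAC policy vetoed delivery to this socket: drop silently. */` would record the intent. ipx_input begins and ends outside the hunk.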
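Review bot: The `goto drop` added to spx_input is taken before the `SO_DEBUG || traceallspxs` block has stored `ostate` and `spx_savesi` for this segment, so if the code at `drop` (outside this hunk) traces with those variables, it would report an initial value or data left over from an earlier packet. Either move the MAC check below that capture block or confirm the drop path does not read them. Running the check before any connection-state processing otherwise looks right, since a vetoed segment should not advance the SPX state machine, and a comment would make that explicit: `/* MAC: veto before the segment can affect connection state. */`. spx_input begins and ends outside the hunk.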