From ec272d87087357b0e91eedfea07f814690f0a00a Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 31 Jul 2002 16:11:32 +0000
Subject: [PATCH] Introduce support for Mandatory Access Control and extensible kernel access control. Invoke a MAC framework entry point to authorize reception of an incoming mbuf by the BPF descriptor, permitting MAC policies to limit the visibility of packets delivered to particular BPF descriptors.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
 sys/net/bpf.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index a7d49da6b66..1751e038375 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1074,8 +1074,12 @@ bpf_tap(ifp, pkt, pktlen)
 BPFD_LOCK(d);
 ++d->bd_rcount;
 slen = bpf_filter(d->bd_filter, pkt, pktlen, pktlen);
- if (slen != 0)
- catchpacket(d, pkt, pktlen, slen, bcopy);
+ if (slen != 0) {
+#ifdef MAC
+ if (mac_check_bpfdesc_receive(d, ifp) == 0)
+#endif
+ catchpacket(d, pkt, pktlen, slen, bcopy);
+ }
 BPFD_UNLOCK(d);
 }
 BPFIF_UNLOCK(bp);
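Review bot: The MAC check in bpf_tap() runs only after `++d->bd_rcount` and `bpf_filter()`, so a descriptor the policy denies still has the packet counted against it; if bd_rcount is reported back to the descriptor's owner, the policy hides packet contents but not traffic volume. If that is intended, say so in a comment above the `#ifdef MAC`, e.g. `/* A MAC denial drops the packet silently; bd_rcount has already counted it. */`; otherwise test `mac_check_bpfdesc_receive(d, ifp)` before the counter is bumped. The description speaks of an incoming mbuf while this single hunk covers only the buffer path, so any other caller of catchpacket() in bpf.c (not visible here) presumably needs the same guard. bpf_tap()'s body starts and ends outside the hunk.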