Give users the ability to load a mac_bsdextended(4) ruleset on boot (defaults

to NO of course).  Provide a basic ruleset file, rc.bsdextended, but allow
the filename to be overridden through rc.conf.

Discussed with:	rwatson (awhile ago)

2 files changed, 53 insertions, 1 deletions

diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 61bc3e8..2d6f59d 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -34,7 +34,7 @@ FILES=	DAEMON LOGIN NETWORKING SERVERS \
 	serial sppp sshd swap1 \
 	syscons sysctl syslogd \
 	timed tmp \
-	usbd \
+	ugidfw usbd \
 	var vinum virecover \
 	watchdogd \
 	ypbind yppasswdd ypserv \
diff --git a/etc/rc.d/ugidfw b/etc/rc.d/ugidfw
new file mode 100644
index 0000000..7e033c8
--- /dev/null
+++ b/etc/rc.d/ugidfw
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+# PROVIDE: ugidfw
+# REQUIRE:
+# BEFORE: LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="ugidfw"
+rcvar="ugidfw_enable"
+start_cmd="ugidfw_start"
+start_precmd="ugidfw_precmd"
+stop_cmd="ugidfw_stop"
+
+ugidfw_precmd()
+{
+	if ! sysctl security.mac.bsdextended
+          then kldload mac_bsdextended
+	    if [ "$?" -ne "0" ]
+	      then warn Unable to load the mac_bsdextended module.
+	      return 1
+	else
+	  return 0
+	  fi
+	fi
+	return 0
+}
+
+ugidfw_start()
+{
+	# set the default policy script if none was specified
+	[ -z "${bsdextended_script}" ] && bsdextended_script=/etc/rc.bsdextended
+
+	if [ -r "${bsdextended_script}" ]; then
+		. "${bsdextended_script}"
+		echo -n 'MAC bsdextended rules loaded sucessfully.'
+	fi
+	echo '.'
+}
+
+ugidfw_stop()
+{
+	# Disable the policy
+	#
+	kldunload mac_bsdextended
+}
+
+load_rc_config $name
+run_rc_command "$1"