Merge kld access control checks from the MAC tree: these access control

checks permit policy modules to augment the system policy for permitting
kld operations.  This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 46 insertions, 0 deletions

diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int	mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int	mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;