Add MAC checks for various kenv() operations: dump, get, set, unset,

permitting MAC policies to limit access to the kernel environment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 52 insertions, 0 deletions

diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 4882c0f..f4cfa8a 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2170,6 +2170,58 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
 }
 
 int
+mac_check_kenv_dump(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_kenv_dump, cred);
+
+	return (error);
+}
+
+int
+mac_check_kenv_get(struct ucred *cred, char *name)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_kenv_get, cred, name);
+
+	return (error);
+}
+
+int
+mac_check_kenv_set(struct ucred *cred, char *name, char *value)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_kenv_set, cred, name, value);
+
+	return (error);
+}
+
+int
+mac_check_kenv_unset(struct ucred *cred, char *name)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_kenv_unset, cred, name);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;