Diffstat (limited to 'sys/security/mac/mac_framework.c')
-rw-r--r-- | sys/security/mac/mac_framework.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 00ecd04..c9ec6a1 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
     &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+    &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
     &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 			mpc->mpc_ops->mpo_check_system_swapon =
 			    mpe->mpe_function;
 			break;
+		case MAC_CHECK_SYSTEM_SYSCTL:
+			mpc->mpc_ops->mpo_check_system_sysctl =
+			    mpe->mpe_function;
+			break;
 		case MAC_CHECK_VNODE_ACCESS:
 			mpc->mpc_ops->mpo_check_vnode_access =
 			    mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+	int error;
+
+	/*
+	 * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+	 * but since it's not exported from kern_sysctl.c, we can't.
+	 */
+	if (!mac_enforce_sysctl)
+		return (0);
+
+	MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+	    inkernel, new, newlen);
+
+	return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet)
 {
 |
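Review bot: The new mac_check_system_sysctl entry point hands `old`, `oldlenp`, `new` and `newlen` straight through to every registered policy via MAC_CHECK, but nothing states which address space those pointers belong to; the `inkernel` flag suggests they are user-space addresses when it is zero (to be confirmed against kern_sysctl.c), and a policy that dereferences them directly rather than through the kernel's copy-in/copy-out helpers would be dereferencing untrusted user pointers in kernel context. A header comment before the function should pin this down, along the lines of `/* name/namelen identify the MIB; old/new are caller buffers whose address space is selected by inkernel and must not be dereferenced directly by policies. */`, and the same contract belongs on the mpo_check_system_sysctl entry point registered in the MAC_CHECK_SYSTEM_SYSCTL case of the earlier hunk. In the XXXMAC comment, `We're very much like to assert` reads as a typo for `We'd very much like to assert`. Note also that `error` is written only inside MAC_CHECK, as in the sibling checks, so the early `return (0)` when `mac_enforce_sysctl` is clear is the only path that skips it. The body of mac_ioctl_ifnet_get continues outside the hunk.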