summaryrefslogtreecommitdiffstats
path: root/sys/security/mac/mac_net.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/security/mac/mac_net.c')
-rw-r--r--sys/security/mac/mac_net.c46
1 files changed, 46 insertions, 0 deletions
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
&mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+ &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
static int mac_enforce_network = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
&mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
}
int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_stat, cred);
+
+ return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_unload, cred);
+
+ return (error);
+}
+
+int
mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
OpenPOWER on IntegriCloud