diff options
Diffstat (limited to 'sys/security/mac/mac_net.c')
-rw-r--r-- | sys/security/mac/mac_net.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 82eded8..bf6c999 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); +static int mac_enforce_kld = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, + &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); +TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld); + static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); @@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name) } int +mac_check_kld_load(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); + + if (!mac_enforce_kld) + return (0); + + MAC_CHECK(check_kld_load, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_kld_stat(struct ucred *cred) +{ + int error; + + if (!mac_enforce_kld) + return (0); + + MAC_CHECK(check_kld_stat, cred); + + return (error); +} + +int +mac_check_kld_unload(struct ucred *cred) +{ + int error; + + if (!mac_enforce_kld) + return (0); + + MAC_CHECK(check_kld_unload, cred); + + return (error); +} + +int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; |