Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r--sys/security/mac_biba/mac_biba.c46
1 files changed, 46 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 202aeed..abb817d 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2304,6 +2304,50 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
+mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ if (vplabel == NULL)
+ return (0);
+
+ obj = SLOT(vplabel);
+ if (!mac_biba_high_effective(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+{
+ struct mac_biba *subj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+static int
mac_biba_check_system_settime(struct ucred *cred)
{
struct mac_biba *subj;
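Review bot: In mac_biba_check_system_auditctl the `if (vplabel == NULL) return (0);` branch skips the object integrity check, and nothing says when a NULL label is expected, so a reader cannot tell a deliberate allowance from a gap. If a NULL label means no trail vnode is being supplied (an inference, not visible in this hunk), say so above the branch, e.g. `/* No trail vnode supplied: only the subject privilege check applies. */`. In mac_biba_check_system_auditon the `cmd` argument is never read, so every audit command is held to the same subject-privilege requirement; a one-line comment stating that this is intentional would stop a later maintainer from assuming per-command filtering exists. The trailing context function, mac_biba_check_system_settime, continues outside the hunk.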
@@ -3204,6 +3248,8 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_check_socket_visible = mac_biba_check_socket_visible,
.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
.mpo_check_system_acct = mac_biba_check_system_acct,
+ .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
+ .mpo_check_system_auditon = mac_biba_check_system_auditon,
.mpo_check_system_settime = mac_biba_check_system_settime,
.mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_swapoff = mac_biba_check_system_swapoff,